Ian Lo wrote:
| Can anyone tell me what are the security risks and how vulnerable in
| opening up the following UDP ports to outside network. i.e. allow
| outside network to access directly the inside network via the following
| UDP ports:
As a general rule, its preferable to use a proxy server,
rather than allowing the packet through directly. This allows some
logging, possibly some action to be taken on the firewall.
| UDP ports services
| 42 name service
| 53 domain
Some people like to hide their internal names. Often, the
information will leak anyway. It may or may not be worth it. Cheack
the archives for discussion.
| 70 gopher
Gopherd has had problems in the past. (8lgm 4) You should
decide if you need to run a sever, since gopher guest accounts could
be used to get regualr shell access.
| 80 www
Mosaic had a major problem based on its extensive use of the
system() call. It allowed rude WWW servers to run arbitrary commands
on your machine when your Mosaic client conncected to them. I don't
trust the Mosiac source, it was written by a 22 year old. (Not to say
that 22 year olds can't write secure software, simply most don't have
the experience, mindset & skill to know what the attacks are likely to
be, know that preventing them is a really good idea, and then be able
to code things well enough that the attacks are actually blocked.)
| 119 nntp
I'd build a proxy of some type. INN was attacked, and
probably will be again.
| 123 ntp
Do you really need it? Can you sync your clocks some other way?
| 191 propspero
| 210 wais
Again, all of these services are a matter of 'Do we need this
enough for the risk we're taking?' Some are more dangerous than
others. Services where the daemons run as root on your machine are
probably a greater risk than those services that do not. Check out
Cheswick & Bellovian "repelling the wily hacker" for a discussion of
how to construct a good firewall policy.
Adam Shostack adam @
Politics. From the greek "poly," meaning many, and ticks, a small,