> precautions. There have been quite a few cases where firewall security has
> been by-passed and that should be a lesson to not rely on just a firewall.

I've seen several cases of this; netpower.com was broken via an
unpassworded PPP account; a major local corporation (in Tampa) was
cracked and root obtained even though they had a firewall - they had an
easily guessed account/pw pair and unpatched bugs. The point I keep
trying to get across to people is that a firewall is _NOT_ a magic fix.
As someone said, security takes as much time as you put into it - but
common-sense issues (unpassworded PPP?!) shouldn't be that large of a
problem to deal with.

Stupidity just seems to be rampant. At my school, people from
E-Systems ECI came in and installed a firewall w/ SOCKS & udprelay,
router tables, etc., and bragged openly to students and faculty about the
security of our network "now that they'd secured it". They almost fell
over when I handed them a root prompt from my user prompt in 5 seconds
via an unpatched AIX hole ...
( --------[ Jonathan D. Cooper ]--------[ entropy @ net ]-------- )
( PGP 2.6.2 keyprint: 31 50 8F 82 B9 79 ED C4 5B 12 A0 35 E0 9B C0 01 )
( home page: http://taz.hyperreal.com/~entropy/ ]---[ Key-ID: 4082CCB5 )