I ran into a situation at a client a year ago in which a bots weren't
infecting a client workstation - they were infecting a piece of
manufacturing equipment making "Really Important and Delicate Stuff"
that was installed by a vendor. The interface was built on top of
Windows 2000. This machine managed to infect a nearby oscilloscope
who's OS also happened to be Windows 2000. Combine that with their
"default outbound policy", the company was DDoSing itself and whoever
the intended target was for that day. These two machines out of the
tens of thousands connected to this network network would effectively
take out the primary and the backup firewalls at random times during
the day. The mitigation had nothing to do with firewalls but involved
changes in network architecture, increased monitoring, changes in
process and bitch slapping a few people. I would of found the whole
situation amusing if I wasn't crying.


On Nov 27, 2007, at 11:07 PM, Darren Reed wrote:

> Paul D. Robertson wrote:
>
>> On Tue, 27 Nov 2007, Paul Melson wrote:
>>
>>
>>
>>> in both directions. State tables allow your firewall to have a
>>> deny-all
>>> default inbound policy and an allow-all default outbound policy.
>>> They allow
>>>
>>>

>>
>> With today's proliferation of Trojans and Spyware, anyone with a
>> Windows user population above three who has an allow-all default
>> outbound
>> policy is an idiot and populations of one to three are likely
>> candidates
>> for the club if not associate members.
>>
>>

>
> To give you an idea of how bad this problem is, I recently did a
> fresh install of Microsoft Windows XP + Service pack 2 (I hadn't
> caught up with all of the patches yet) and experimented with
> surfing the Internet like a normal user - default security settings
> for Internet Exploder.
>
> Half a dozen web sites later - no more - and spyware had installed
> itself into winlogin. Removal? Safest bet will be a format. How did
> it get there? I suspect some popup ad with nasty javascript/activex.
>
> Now what percentage of the Internet population does this represent?
>
> Port 80/443 restrictions mean nothing.
>
> Darren
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards