Re: TCPIP SMTP receiver issues (SYSTEM-F-NOLINKS)



In article <+kq29A1$EX+C@xxxxxxxxxxxxxxxxxxxxxxxx>, Kilgallen@xxxxxxxxxxx (Larry Kilgallen) writes:
In article <feq6fs$gj5$2@xxxxxxxxxxxxxxxxx>, david20@xxxxxxxxxxxxxxxx writes:
In article <Zzl9eeGh$$y1@xxxxxxxxxxxxxxxxxxxxxxxx>, Kilgallen@xxxxxxxxxxx (Larry Kilgallen) writes:
In article <feo3dq$sba$1@xxxxxxxxxxxxxxxxx>, david20@xxxxxxxxxxxxxxxx writes:
In article <Tf7qEQl$YxFl@xxxxxxxxxxxxxxxxxxxxxxxx>, koehler@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Bob Koehler) writes:
In article <fel8op$31o$1@xxxxxxxxxxxxxxxxx>, david20@xxxxxxxxxxxxxxxx writes:

As far as I am aware the only authentication ever done with DECNET objects is
to require the incoming connection to supply the target username and password
or appropriate proxy information. This is no different from applications under
TCPIP.

This is very different. Any fool application programmer can open
an IP socket and accept connections without action by the system
admin, who might be or find someone competent to determine whether
the code is full of security holes.

Only to high port numbers, not to well-known ports unless he has the required
privileges.

Restrictions on "well-known port numbers" only guard against impersonating
an official service.

They do nothing to prevent a security-unaware user from programming
something that violates organization security policy by using a high
port number.

Which I think is what I said in the statement above. There was another similar
posting in which I answered more fully talking about protecting high-port
numbers by the use of stateful firewalls (either on external boxes or on the
system itself).

The business about "well known ports" is a red herring. The issue we
were discussing was the ability of a random user of arbitrary motive
and competence to accept unauthenticated inbound connections.

If the user is unprivileged the application they have listening on the
port will be unprivileged.

What percentage of TCP/IP machines are protected against that?

What percentage of DECnet machines are protected against that?

I'd hope most businesses have now moved their firewalls to a default-deny
policy - I know we did (for both incoming and outgoing connections) years ago.

Most home users with more than a single machine on their network (and lots of
businesses) will be running on private addresses behind NAT which, although a
side-effect of its real function, in effect provides a default-deny firewall
for incoming connections.

Even Windows from XP Service Pack 2 onwards provides a personal firewall which
by default blocks incoming connections (and for previous versions there are
a number of free third-party personal firewalls).


David Webb
Security team leader
CCSS
Middlesex University