[67214] in North American Network Operators' Group


Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and

daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Thu Feb 5 12:24:43 2004

Date: Thu, 05 Feb 2004 22:54:03 +0530
From: Suresh Ramasubramanian <suresh@outblaze.com>
To: "Christopher L. Morrow" <chris@UU.NET>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.58.0402051710020.20200@rampart.argfrp.us.uu.net>
Errors-To: owner-nanog-outgoing@merit.edu


Christopher L. Morrow  [2/5/2004 10:45 PM] :

> Sure, anything is dangerous in the 'right' (wrong?) hands. Is the fault
> with the vendor or the person(s) implementing or the 'management' of said
> person(s)? Even an openbsd firewall is a problem if not properly admin'd.

Of course, but you do have to contend with the fact that it takes at 
least some amount of IQ beyond the point and click level to fire up vi 
and use a command line interface. :)

Neal Stephenson's "in the beginning was the command line" is an 
interesting take on this, I think.

> Nope, but pointing out their failures in a sensible manner to their
> management is helpful... sometimes at least :( Failing any action there the
> whole group is just shooting themselves in the foot and there isn't much
> you can do about that, is there? (except to get out of the blast radius)

Actually, the problem is that when dealing with a bunch of know-it-alls 
like that, even waving manufacturer's documentation in front of them 
doesn't really help.

Like my friend's cable ISP, that recently turned on "smtp fixup" on a 
Cisco PIX on port 25 across their entire network.  He's got a static IP, 
runs Linux + postfix, and is still left with a completely crippled 
mailserver (no AUTH, no TLS, no ESMTP ...) thanks to this.  Waving Cisco 
docs at them doesn't seem to have helped at all.  [Moving is tough, they 
are the only broadband in the Bangalore suburb where he lives]

-- 
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
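
A check for the symptom described in the message above (no ESMTP, no AUTH, no TLS), as an added example that is not part of the original post: it parses the reply a mail server gives to EHLO, as seen from outside the filtered path, and reports which capabilities survive. The function names and the sample replies are constructed for illustration.

```python
import re

# RFC 5321 reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(raw):
    """Parse one (possibly multi-line) SMTP reply into (code, [text, ...])."""
    code, texts = None, []
    for line in raw.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        code = m.group(1)
        texts.append(m.group(3))
        if m.group(2) == " ":          # a space marks the final line
            return int(code), texts
    raise ValueError("reply has no terminating line")

def assess_ehlo(raw):
    """Report which of ESMTP, AUTH and STARTTLS the EHLO reply still offers."""
    code, texts = parse_reply(raw)
    if code != 250:                    # EHLO refused: plain SMTP only
        return {"esmtp": False, "auth": False, "starttls": False, "keywords": []}
    # The first line is the server greeting; each later line is one extension.
    # Splitting on "=" as well covers the legacy "AUTH=LOGIN" spelling.
    keywords = [re.split(r"[ =]", t.strip(), maxsplit=1)[0].upper()
                for t in texts[1:] if t.strip()]
    return {"esmtp": True, "auth": "AUTH" in keywords,
            "starttls": "STARTTLS" in keywords, "keywords": keywords}

# Constructed sample replies (not captured from any real network).
DIRECT = ("250-mail.example.net\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
          "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")
EHLO_REFUSED = "500 5.5.1 Command unrecognized\r\n"
STRIPPED = "250-mail.example.net\r\n250-PIPELINING\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for name, raw in [("direct", DIRECT), ("refused", EHLO_REFUSED),
                      ("stripped", STRIPPED)]:
        print(name, assess_ehlo(raw))
```

Comparing the result for the same server from inside and outside the provider's network shows whether the capabilities are being removed in transit rather than by the server's own configuration.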
