There's no need for an attitude, of course I spell check my official
email. I also already have plenty of evidence to write a convincing
email, including all the nmap scans you're talking about. I wouldn't
even be writing this email if they didn't have a public IP (Cox
business services, /29 block), and as far as the rest of the evaluation
information, my question was simply if I could do something with those
three open udp ports in theory, not what their overall security issues
are. Also, like I said, a PIX is not the only option, I also pointed out
iptables. Personally I like PIX because it can do protocol fixups, and
in this case I am referring to the low end SOHO product PIX 501.
However, sorry for going off on a rant in my previous email instead of
simply asking the question.

On Sat, 2003-03-15 at 05:43, Craig White wrote:
> On Sat, 2003-03-15 at 03:17, Entelin wrote:
> > I have a client I am trying to convince to install a firewall (either
> > iptables or preferably Cisco PIX). They have practically every service
> > under the sun open, the only reason their tcp netbios ports are closed
> > is because Cox filters them. The only reason I am having to convince
> > them of anything is because they have another Linux tech working for
> > them and he is somehow convinced that they are completely secure "at the
> > daemon level", wrote a big email to my client saying they didn't need to
> > install a firewall, or even close totally unused ports on their box!
> > (they even had echo and chargen open before I at least convinced them to
> > close those, i.e.: forged packet between echo and chargen = storm).
> > Never mind the two root exploits their sendmail is at risk for, and the
> > password sniffing of their login, telnet etc.. god..
> >
> > ANYWAY sorry for that rant. Back on topic, I was wondering if I could do
> > anything with these udp ports in absence of the filtered tcp netbios
> > ports? As in gain any kind of access or DoS.
> >
> > 137/udp open netbios-ns
> > 138/udp open netbios-dgm
> > 139/udp open netbios-ssn
> >
> -----
> You are not giving us enough info to make a suggestion that would be
> anything but generic.
>
> I can't assume that all of these machines have public ip addresses from
> Cox.
>
> I have found that it isn't meaningful to continue to implore the need
> for security, sometimes, people/companies need to learn the lesson
> first. If you want to dramatically show them what you are talking about,
> write a report that includes:
> - nmap OS fingerprint scan of some of these boxes as they appear from
>   the internet.
> - nmap OS fingerprint scan of a thoroughly secured firewall and/or PIX
>   router.
> - give them links to www.insecure.org/sploits.html and bugtraq
> - a security audit is far more than scans for open ports. When you
>   mention echo & chargen, you aren't mentioning the state of
>   /etc/hosts.allow & /etc/hosts.deny, password policies, switches instead
>   of hubs, intrusion detection tools and on and on. The problem is that
>   when you bring up this stuff to someone that doesn't think that there is
>   a problem, you become the problem.
> - leave the topic with a small amount of...if you fall out of the tree
>   and break your leg, don't come running to me attitude.
>
> As for the Netbios ports...from where to where and how does network
> access internet? As you said, Cox filters netbios ports (out of
> necessity since otherwise, their bandwidth would be consumed by netbios
> broadcasts/traffic).
>
> ps...I hope that you spell check your emails to your client, here you
> don't need to but to them, you apparently do and Cisco PIX is probably a
> bit of overkill unless VOIP is slated to happen. Cisco has cheaper
> routers/firewalls.
>
> Craig