ietf-asrg

Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0

2007-03-03 15:48:05
  Please read up on "default deny" and "principle of least privilege".

On Sat, Mar 03, 2007 at 02:59:58AM -0500, gep2(_at_)terabites(_dot_)com wrote:

> > > 4)  Changing the IP address of the company's NAT router
> > > could only be done by their ISP/telephone company, since
> > > the IP address belongs to (and is set by) the phone
> > > company.
> >
> > Perhaps your customer had only one?
>
> Only one NAT router, yes.
>
> > Perhaps you weren't aware that was
> > possible?

  [...deletia...]

> > Certainly XBL doesn't list an entire address block on day one,
>
> It listed the company's NAT router, and they have only one IP address
> (well, two actually... their 'modem' and the NAT router behind it).
> But listing either one of those is equivalent.

> > so I assume that the infected machine was using the company's own
> > smtp server as a smarthost and that is why the entire company was
> > inconvenienced.

> No.  It was sending (apparently) using its own SMTP sending engine,
> but behind the (single) NAT router and therefore from the Internet
> side was indistinguishable (by IP address, anyhow) from any other
> E-mails coming from within the entire company, from any of their
> inhouse outgoing mail servers.

  Simple question... *WHY WAS THE ROUTER/GATEWAY NOT BLOCKING PORT 25
TO/FROM ALL MACHINES EXCEPT AUTHORIZED INTERNAL MTAS* ???  If your
client had taken that one simple step, none of this would've happened.

> But having the original IP address "off the blacklists" is only a
> temporary solution, only until (inevitably) one of the company's
> machines is eventually infected again, and the whole insane Keystone
> Kops episode will inevitably play out again.

  If your client attacks the rest of the internet... again, the rest of
the internet will defend itself... again.  Shit happens; it's your job
as a consultant to anticipate and protect against it.  I repeat, why was
port 25 traffic allowed to/from any but authorized machines?  And while
we're at it, your client's NAT router should also be blocking...

  - all inbound traffic on privileged ports, excepting authorized ports
    to authorized servers

  - all outbound traffic to/from ports 135..139 and 445, and probably a
    few others as well

  - maybe even go so far as to put all desktop PCs on default deny at
    the gateway, excepting HTTP, HTTPS, FTP, and other necessary stuff.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org> In linux /sbin/init is Job #1

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
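The gateway policy Walter describes (port 25 only from authorized MTAs, outbound 135-139 and 445 blocked, desktops on default deny with a short allow-list), written out as an added example. This is not code from the post or the list; the subnet 192.0.2.0/24, the MTA addresses 192.0.2.25 and 192.0.2.26, the desktop 192.0.2.77, the interface names eth0/eth1 and the choice of DNS and FTP as "other necessary stuff" are all assumptions. It goes slightly beyond the post by keeping the policy in one ordered table that both renders the iptables commands and lets you evaluate a flow against the same table before loading anything on the router.

```shell
#!/bin/sh
# Added example, not from the original post: egress policy for an office
# behind a single NAT router, as the post recommends. Subnet, MTA and
# desktop addresses (RFC 5737 documentation range) and interface names
# are assumptions.
set -eu

LAN="192.0.2.0/24"      # assumed internal subnet
MTA1="192.0.2.25"       # assumed authorized outbound MTAs
MTA2="192.0.2.26"
LAN_IF="eth1"           # assumed inside interface
WAN_IF="eth0"           # assumed outside interface

# Single source of truth: an ordered, first-match policy table.
# Fields: ACTION PROTO DPORT(S) SOURCE ("any" = whole LAN).
# Order matters: the MTA exception comes first, then the explicit blocks,
# then the desktop allow-list; anything unmatched falls to the chain's
# DROP policy (default deny).
policy() {
    cat <<EOF
ACCEPT tcp 25 $MTA1
ACCEPT tcp 25 $MTA2
DROP tcp 25 any
DROP tcp 135:139 any
DROP udp 135:139 any
DROP tcp 445 any
DROP udp 445 any
ACCEPT tcp 80 any
ACCEPT tcp 443 any
ACCEPT tcp 21 any
ACCEPT tcp 53 any
ACCEPT udp 53 any
EOF
}

# Render the table as iptables commands for the FORWARD chain (LAN -> WAN).
# Printed rather than executed so it can be reviewed; pipe to sh as root
# on the router to load it.
emit_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    policy | while read -r action proto dports src; do
        if [ "$src" = any ]; then src="$LAN"; fi
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $src -p $proto" \
             "-m multiport --dports $dports -j $action"
    done
}

# Does port $1 fall inside $2, given as "port" or "lo:hi"?
in_range() {
    lo=${2%%:*}; hi=${2##*:}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# Evaluate one outbound flow (src proto dport) against the same table with
# first-match semantics; a flow no row matches gets the default DROP.
decide() {
    verdict=$(policy | while read -r action proto dports src; do
        [ "$proto" = "$2" ] || continue
        in_range "$3" "$dports" || continue
        if [ "$src" = any ] || [ "$src" = "$1" ]; then
            echo "$action"; break
        fi
    done)
    echo "${verdict:-DROP}"
}

# Demonstration of the scenario in the thread: an infected desktop
# (assumed 192.0.2.77) running its own SMTP engine is stopped at the
# gateway on port 25, while the authorized MTA still gets out.
echo "desktop  25/tcp: $(decide 192.0.2.77 tcp 25)"    # DROP
echo "mta      25/tcp: $(decide 192.0.2.25 tcp 25)"    # ACCEPT
echo "desktop 445/tcp: $(decide 192.0.2.77 tcp 445)"   # DROP
echo "desktop 443/tcp: $(decide 192.0.2.77 tcp 443)"   # ACCEPT
echo "desktop 6667/tcp: $(decide 192.0.2.77 tcp 6667)" # DROP (no row matches)
emit_rules
```

Two caveats a practitioner would check before loading this: the FORWARD chain only governs traffic passing through the router, so the post's first point (inbound privileged ports) still needs matching INPUT and DNAT rules on the router itself, and active-mode FTP through NAT needs the nf_conntrack_ftp helper for the RELATED rule to do its job. Restricting the port 53 rows to the company's own resolver, rather than the whole Internet, is the usual next tightening.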