On Tuesday, August 27, 2019 4:37:24 AM MST David Kaufmann wrote:
> Both options have their disadvantages - in the case of "maintainer opens
> ports" the ports are open as soon as the package gets installed, and
> software not run/installed via package manager will give the impression
> of "just not working".
Why in the world would somebody from the security team recommend opening a
port on the firewall as the software is installed, before it's even
configured?
> Also a firewall is not as much protection as it looks like - imagine
> any port (above 1024) which was opened on the firewall (either by
> maintainer or user), but on which no program is listening. The
> additional barrier to run e.g. a c&c server on that machine would just
> be an additional portscan before deploying the malware.
Just running a firewall reduces the attack vector needed to deploy potential
malware to begin with.
> As the issue of "users piping stuff through wget/curl to sh/bash" also
> was mentioned:
> In such a case any firewall won't help, as outbound connections usually
> are not filtered - also those tend to run on port 80/443 anyways, which
> usually is open even in heavily filtered networks.
Feel free to read that as "users shooting themselves in the foot", it was one
example of running a potentially malicious program by accident that I figured
everyone here would understand.
--
John M. Harris, Jr. <johnmh(a)splentity.com>
Splentity
https://splentity.com/
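The "open port with nothing listening" situation discussed above can be audited on a host. The following is an added example, not code from either poster: it compares the ports firewalld allows with the sockets actually listening, so pre-opened but unused ports can be reviewed. It assumes the output formats of `firewall-cmd --list-ports` and `ss -H -ltnu`; the sample outputs below are constructed.

```python
"""Find firewalld-allowed ports on which no program is listening.

Such ports are not exploitable by themselves, but they are pre-opened
holes that any later process on the host can bind to unnoticed.
"""

# Constructed sample of `firewall-cmd --list-ports` (space-separated port/proto).
FIREWALLD_SAMPLE = "22/tcp 8080/tcp 1234/udp 5353/udp 6000-6001/tcp"

# Constructed sample of `ss -H -ltnu` (Netid State Recv-Q Send-Q Local Peer).
SS_SAMPLE = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511                *:8080            *:*
tcp   LISTEN 0      5          127.0.0.1:631       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}


def parse_firewalld_ports(text):
    """'8080/tcp 6000-6001/tcp' -> {('tcp', 8080), ('tcp', 6000), ('tcp', 6001)}"""
    allowed = set()
    for token in text.split():
        port, proto = token.split("/")
        lo, _, hi = port.partition("-")          # handle port ranges
        for p in range(int(lo), int(hi or lo) + 1):
            allowed.add((proto, p))
    return allowed


def parse_ss_listeners(text):
    """Return {(proto, port)} for sockets reachable from outside the host."""
    listening = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        proto, state, local = cols[0], cols[1], cols[4]
        if proto == "tcp" and state != "LISTEN":
            continue                               # UDP sockets show UNCONN
        addr, port = local.rsplit(":", 1)
        if addr in LOOPBACK:
            continue                               # loopback-only: not exposed
        listening.add((proto, int(port)))
    return listening


def unused_firewall_openings(fw_text=FIREWALLD_SAMPLE, ss_text=SS_SAMPLE):
    """Ports the firewall allows but nothing externally reachable listens on."""
    return sorted(parse_firewalld_ports(fw_text) - parse_ss_listeners(ss_text))
```

On a live host, feed the real command outputs to `unused_firewall_openings()`; each result is a rule to justify or remove.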