Date: Thu, 20 Sep 2001 16:50:26 -0600 (CST)
From: Ryan Thompson
To: David Kirchner
Cc: Krzysztof Zaraska, security@FreeBSD.ORG
Subject: Re: NIMDA Virus (OT)
In-Reply-To: <20010920143246.O85958-100000@localhost>
Organization: SaskNow Technologies [www.sasknow.com]

David Kirchner wrote to Krzysztof Zaraska:

> On Fri, 21 Sep 2001, Krzysztof Zaraska wrote:
>
> > Some people say that web server(s) should not be allowed to initiate any
> > outbound connections (and especially to port 80) not necessary for normal
> > operations, so if they have all servers on a separate subnet (what makes
> > sense) they can just prohibit outbound HTTP from that network only. So
> > setting up a proxy is not necessary.
>
> Me, I just prefer to patch the holes instead of hiding behind filters. ;-)

Amen to that. Even better, though, is patching the holes AND hiding behind
filters ;-) (i.e., two components of the much talked about layered approach
to security).

- Ryan

-- 
Ryan Thompson
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America