Re: RMI thru Internet
EJP wrote:
> Nigel Wade wrote:
>> This would tend to indicate the actions of a poorly
>> configured firewall (i.e. dropping rather than rejecting packets).
> Not necessarily. There's an argument that says that a firewall that's
> really trying to protect an inner resource should behave as though the
> resource doesn't even exist, as in this case.
It's a bad argument.
If a firewall on a web server drops packets the firewall is *not* behaving as if
the web server did not exist. The idea that "stealth" mode is somehow magically
providing extra security for your system is wrong and is most often propagated by
misinformed web sites, the most infamous being GRC's website.
If I attempt to verify the existence of a system and the packets are dropped I
can be fairly certain that something is hiding the system. If the system simply
didn't exist I would almost certainly receive an ICMP host unreachable from the
upstream router. Doing basic route tracing to find where the packets are
dropped may tell me more. If the packets are dropped at a border firewall I
can't discover much. However, if they are dropped at the host by a software
firewall I know the system exists, that it's up and running and is "protected"
by a firewall which was most likely set up by someone who doesn't really
understand what they are doing - i.e. a target well worth further
investigation.
Configuring the host firewall to return ICMP host unreachable, or RST, would
provide exactly the same level of protection, would be much more polite and
would not break standard networking protocols.
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
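As an added illustration of the point made in the reply above (this is not part of the original post and not Nigel Wade's configuration), here is a host firewall ruleset in iptables-restore format that contrasts the two behaviours. The "stealth" DROP rule is left commented out; the active rules reject with a TCP RST for TCP, ICMP port unreachable for UDP, and ICMP host unreachable for everything else, so a peer that probes a closed port gets the same answer a genuinely absent or closed host would give. The open SSH port on 22 is an assumed example service, not something from the post.

```iptables
# /etc/iptables/rules.v4 (assumed path; load with: iptables-restore < rules.v4)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback and replies to connections this host initiated are always fine.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Example service this host really offers (assumption: SSH on tcp/22).
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# "Stealth" variant: silently discard everything else. A peer sees a timeout,
# which is exactly what reveals that a firewall is sitting on a live host.
# -A INPUT -j DROP

# Polite variant: answer the way a host with no such service would answer.
# TCP gets a RST, UDP an ICMP port unreachable, anything else an ICMP host
# unreachable. The unwanted packet is still discarded, so protection is equal.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-host-unreachable
COMMIT
```

The default INPUT policy is still DROP so that any packet a later rule fails to match is not accepted by accident; the explicit REJECT rules at the end of the chain are what give the peer a proper error instead of silence.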