One surprisingly common misconfiguration is to trust traffic based only on the source port number. An administrator will set up a shiny new firewall, only to be flooded with complaints from ungrateful users whose applications stopped working. In particular, DNS may be broken because the UDP DNS replies from external servers can no longer enter the network. Active FTP is another example: the remote server tries to establish a connection back to the client.

Secure solutions to these problems exist, often in the form of application-level proxies or protocol-parsing firewall modules. Unfortunately there are also easier, insecure solutions. Noting that DNS replies come from port 53 and active FTP from port 20, many administrators have fallen into the trap of simply allowing incoming traffic from those ports. They often assume that no attacker would notice and exploit such firewall holes. In other cases, administrators consider this a short-term stop-gap measure until they can implement a more secure solution.

Overworked network administrators are not the only ones to fall into this trap. Numerous products have shipped with these insecure rules. One shouldn't get too smug about this, because the firewall which shipped with Windows 2000 and Windows XP contains an implicit rule that allows all TCP or UDP traffic from port 88 (Kerberos).
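The following is an added example, not part of the original text: a small audit script that scans an iptables-save style ruleset for ACCEPT rules that trust inbound traffic on nothing but its source port (the port 53, 20 and 88 cases above) and shows the stateful (reply-only) rewrite a defender would use instead. The ruleset is constructed for illustration; the `--sport` / `--ctstate` syntax is standard iptables.

```python
"""Flag firewall rules that trust traffic by source port alone (added example)."""
import re
from typing import Dict, List

# Constructed sample ruleset in iptables-save format (not from a real host).
# Lines 3-5 reproduce the misconfiguration described in the text; line 6 shows
# the same DNS reply case done statefully, so it must not be flagged.
SAMPLE_RULES = """
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p tcp --sport 20 -j ACCEPT
-A INPUT -p tcp --sport 88 -j ACCEPT
-A INPUT -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DROP
"""

SPORT_RE = re.compile(r"--sport\s+(\d+)")
# Either the conntrack or the older state match makes the rule reply-only.
STATE_RE = re.compile(r"--ctstate\s+\S+|--state\s+\S+")


def audit(rules: str) -> List[Dict]:
    """Return INPUT ACCEPT rules whose only trust anchor is the source port."""
    findings = []
    for lineno, raw in enumerate(rules.strip().splitlines(), 1):
        line = raw.strip()
        if not line.startswith("-A INPUT") or not line.endswith("-j ACCEPT"):
            continue
        sport = SPORT_RE.search(line)
        if sport is None or STATE_RE.search(line):
            continue  # no source-port match, or already stateful
        findings.append({"line": lineno, "sport": int(sport.group(1)), "rule": line})
    return findings


def hardened(rule: str) -> str:
    """Rewrite a source-port-only ACCEPT so it only admits tracked replies.
    (For active FTP data connections the RELATED state plus the FTP conntrack
    helper is the usual choice; ESTABLISHED suffices for UDP DNS replies.)"""
    return rule.replace("-j ACCEPT", "-m conntrack --ctstate ESTABLISHED -j ACCEPT")


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"line {f['line']}: trusts source port {f['sport']}: {f['rule']}")
        print(f"    suggested: {hardened(f['rule'])}")
```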