Re: securing a network with nfs
From: Derek D. Martin (ddm@mclinux.com)
Date: 08/13/01
- Previous message: Peter H. Lemieux: "Responding to auth requests (Was: securing a network with nfs)"
- Maybe in reply to: David Johnson: "securing a network with nfs"
- Next in thread: Derek D. Martin: "Re: securing a network with nfs"
Date: Mon, 13 Aug 2001 14:22:13 -0400
From: "Derek D. Martin" <ddm@mclinux.com>
To: "Welsh, Armand" <Armand.Welsh@sscims.com>
Subject: Re: securing a network with nfs
Message-ID: <20010813142212.C21831@mclinux.com>
Welsh, Armand said:
> I would deny all traffic by default. If you reject, then you are
> allowing the person on the outside to receive icmp-unreachable replies,
> making port scanning respond much faster. I prefer to run my firewalls
> in stealth mode, where they only respond on ports that they are actually
> using.
But, I will reiterate:
> Denying traffic to/from identd is sort of an un-Internet-friendly
> act... doing so will cause many Internet services (like sendmail, for
> example) to suffer (typically) 30-second timeouts with each connection
> as it waits for a response from the identd server.
And if you reject this one port out of 131,070, how much has it really
increased the speed of your port scan? Additionally, I mentioned
rejecting the port from ALL IPs in your address block, which
camouflages which hosts are actually there or not. This will
encourage attackers to scan hosts which aren't there, wasting far more
time than rejecting the one port will save them...
--
Derek Martin
Senior System Administrator
Mission Critical Linux
martin@MissionCriticalLinux.com
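A concrete rule set for the scheme Derek describes, added here as an illustration and not part of the original thread. It assumes a Linux gateway firewall running iptables (the successor to ipchains that was current when this was written), a public block of 192.0.2.0/24 standing in for the site's real one, and eth0 as the external interface; all three are assumptions. Ident (TCP 113) is answered for every address in the block with a TCP RST rather than an ICMP port-unreachable, so a remote MTA's ident client gets an immediate "connection refused", exactly what it would see from a live host with no identd, and everything else is silently dropped. By default the script only prints the commands; set APPLY=1 to execute them.

```shell
# Added example, not code from the original thread. Assumed: a Linux gateway
# firewall using iptables, public block 192.0.2.0/24 (documentation prefix
# standing in for the real one), external interface eth0.
set -eu

BLOCK="${BLOCK:-192.0.2.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Dry run by default: print the commands instead of running them. APPLY=1 runs them.
if [ "${APPLY:-0}" = "1" ]; then
    IPT="iptables"
else
    IPT="echo iptables"
fi

# Emit (or apply) the rules for one address block, one command per line.
identd_reject_rules() {
    block="$1"

    # Replies to connections the site itself opened are always allowed through.
    $IPT -A FORWARD -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT   -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ident/auth (TCP 113) for EVERY address in the block, whether a host is
    # there or not: answer with a TCP RST. The gateway itself generates the RST
    # with the probed address as source, so the remote MTA's ident client fails
    # at once instead of waiting ~30 s for a dropped SYN to time out, and the
    # reply looks the same for live and empty addresses.
    $IPT -A FORWARD -i "$WAN_IF" -d "$block" -p tcp --dport 113 \
         -j REJECT --reject-with tcp-reset
    $IPT -A INPUT   -i "$WAN_IF" -p tcp --dport 113 \
         -j REJECT --reject-with tcp-reset

    # Services actually offered (assumed: a mail host at 192.0.2.25 behind the gateway).
    $IPT -A FORWARD -i "$WAN_IF" -d 192.0.2.25 -p tcp --dport 25 -j ACCEPT

    # Everything else is dropped without a reply ("stealth" for all other ports).
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
}

identd_reject_rules "$BLOCK"
```

The REJECT rule lives in the FORWARD chain because the probed addresses mostly belong to hosts behind the gateway (or to nobody); the kernel synthesises the RST regardless of whether anything answers at that address, which is what hides the live hosts. The INPUT copy covers the gateway's own address. If the firewall is a single host rather than a gateway, only the INPUT rules apply.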