Re: Linux server as its own firewall

From: Mark Rafn (dagon@dagon.net)
Date: 09/13/01


Date: Wed, 12 Sep 2001 18:19:02 -0700 (PDT)
From: Mark Rafn <dagon@dagon.net>
Subject: Re: Linux server as its own firewall
Message-ID: <Pine.LNX.4.33L2.0109121800030.7608-100000@deepone>

On Wed, 12 Sep 2001, James Puckett wrote:

> I am considering having the firewall for a Linux server I am building
> running on the server itself using IPTables.

This is better than having no filtering, but not as secure as having a
separate firewall machine. Only you can decide where on the hassle vs
security curve you want to live.

> what are the implications of having a Linux box on the internet running its
> own firewall? The way I see it, if someone can manage to break into a locked
> down firewall, he will not have too many problems getting into the machines
> behind the firewall.

Not true, unless you're running known insecure software behind the
firewall. Most intrusions are going to be scripted exploits of broken
software, and if you're keeping up on patches for everything, it's likely
that the ability to break the firewall does NOT imply the ability to break
your webserver or other internal machines.

Unless they're on the same machine, and root on your firewall gives you
root on your webserver, that is.

> I also wonder about the
> obvious problem of having extra daemons on the firewall adding to the number
> of exploitable holes on one machine.

This is the key that makes me prefer many layers of "defense in depth".
There are a lot of local exploits that are very hard for someone to use
against me if they can't get a login on the box. Having separate machines
for separate purposes makes it harder to leverage multiple exploits.

For instance, say there's a remote exploit in your webserver that lets
someone run commands as the "web" user, and a local exploit in your
mailserver that lets users escalate their access to "bin". If both
services are on the same box, the bad guy gets bin remotely. If they're
on different machines, your website is compromised, but your mail is
untouched.

--
Mark Rafn    dagon@dagon.net    <http://www.dagon.net/>
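As an added illustration of the "server as its own firewall" setup discussed in this message (this script is not from the original post, nor from Mark Rafn or James Puckett), here is a host-based iptables policy of the kind a single Internet-facing box would carry. It assumes, as labelled in the comments and not stated anywhere in the thread, that the public interface is eth0, that the box offers ssh, smtp and http, and that the web server runs as an unprivileged user named "web". Without APPLY=1 in the environment the script only prints the rules it would apply, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Host-based iptables
# policy for a server that is its own firewall.
# Assumptions (mine, not the thread's): public interface eth0; services
# ssh/22, smtp/25, http/80; web server runs as the unprivileged user "web".
# Run as root with APPLY=1 to apply; otherwise the rules are only printed.

IFACE="${IFACE:-eth0}"
WEB_USER="${WEB_USER:-web}"

# ipt: run an iptables command, or print it when not applying.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

host_firewall() {
    # Start clean. Default-deny inbound, forward nothing (this box routes
    # for nobody), allow outbound except where restricted below.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and replies to connections this host already tracks.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Obvious spoofs: loopback source addresses arriving on the wire.
    ipt -A INPUT -i "$IFACE" -s 127.0.0.0/8 -j DROP

    # Only the services this box actually offers get new connections.
    for port in 22 25 80; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # Rate-limited echo requests so the box stays diagnosable.
    ipt -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/second -j ACCEPT

    # Log a sample of what is dropped, then drop the rest explicitly.
    ipt -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "fw-drop:"
    ipt -A INPUT -j DROP

    # Owner match: the web server user may answer requests (covered by the
    # ESTABLISHED rule) but may not open new outbound TCP connections.
    # This is the one thing a same-box firewall adds to the scenario in the
    # post: code running as "web" after a web-server exploit cannot fetch
    # tools or call back out. It does nothing about that code attacking
    # the mail server on the same machine; only separation does that.
    ipt -A OUTPUT -o "$IFACE" -m owner --uid-owner "$WEB_USER" \
        -p tcp --syn -j REJECT
}

host_firewall
```

The owner-match rule is the honest limit of this approach: it narrows what a compromised service account can do on the network, but the local-exploit chain the post describes (web user to bin via the mail server) happens entirely inside the host and is untouched by any packet filter.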


