Re: Linux Hardening



On 2007-10-21 Liran Cohen wrote:
Ajai Khattri wrote:
On Wed, 17 Oct 2007, Liran Cohen wrote:
what is the machine's location on your network (LAN\DMZ etc...) what
is the machine role, you should ask yourself some questions before
approaching hardening, I would not put the same effort on a machine
which is located on my LAN as much as I would make sure that DMZ
machines are protected

I believe even machines on internal networks should all run local
firewalls at the very least. There's always some Windoze user using
Outlook and clicking on an email attachment they shouldn't click
on...

And then what? The services you need to be accessible in your LAN will
still be accessible (and thus exploitable) even if you run local packet
filters, because you need them to be accessible.

If any of your computers become infected because of someone clicking on
an attachment, your security concept has already failed several times,
and you should ask yourself some serious questions, including (but not
limited to):

- Why didn't the spam/malware filter on your mailserver catch the
attachment?
- Why didn't the local virus scanner catch the attachment?
- If the attachment is an executable: why did your Software Restriction
Policies (and temp directory settings) allow it to be executed?
- Why was an unneeded service running on the remote host?
- If it was started by a user: why did your Software Restriction
Policies allow that?
- If the exploit was not a 0day: why was the system not up-to-date?

On top of that: running a packet filter always means running additional
code that may contain additional (remotely exploitable) bugs. There has
already been a case (W32/Witty.worm) where systems became vulnerable
*because* they were running a local firewall.

I completely agree, providing you have the time and don't have a couple
of dozen Linux machines to maintain daily; in many cases you have to
make a sensible choice about what would be worth more, or in other words
assess where the risk is higher and invest most of your efforts there.

Reasonable risk assessments will most likely lead to the conclusion that
host-based packet filters in the LAN are not worth the effort.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
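The thread's question "why was an unneeded service running on the remote host?" is the one a listening-socket audit answers. The following is an added example, not code from the thread or its participants: it parses the layout of Linux's /proc/net/tcp (hex address:port, state 0A = LISTEN) and flags listeners whose port is not on a site-specific allowlist. The sample table and the allowed ports are constructed.

```python
"""Audit listening TCP sockets against an allowlist of services the host
is meant to expose. Parses the /proc/net/tcp format directly, so it
needs no external tools; the SAMPLE below is constructed for the demo."""
import socket
import struct

LISTEN = "0A"  # TCP_LISTEN as printed in the "st" column of /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return (ip, port, inode) for every socket in LISTEN state."""
    listening = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The kernel prints the IPv4 address as a little-endian hex word.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        listening.append((ip, int(port_hex, 16), int(fields[9])))
    return listening


def unexpected_listeners(text, allowed_ports):
    """Listeners whose port is not on the allowlist: candidates for the
    'unneeded service' question, to be shut down rather than filtered."""
    return [(ip, port) for ip, port, _ in parse_proc_net_tcp(text)
            if port not in allowed_ports]


# Constructed sample: sshd on 22 (all interfaces), a loopback-only socket
# on 631, an unexpected listener on 6667, and one established connection.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A000005:0016 0A000007:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    # On a real host: open("/proc/net/tcp").read() in place of SAMPLE.
    for ip, port in unexpected_listeners(SAMPLE, {22, 631}):
        print(f"unexpected listener {ip}:{port}")
```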