Re: Firewall on server itself

From: Mitchell Rowton (mitchell_at_attackprevention.com)
Date: 06/26/03

    Date: Thu, 26 Jun 2003 10:28:40 -0600
    To: Ansgar Wiechers <bugtraq@planetcobalt.net>, security-basics@securityfocus.com
    
    

    I agree that any device that has more stringent access requirements
    should be placed in an environment that will allow more granular
    control of the authorization. (=put server in DMZ)

    However, adding iptables would be consistent with industry practices:
    Defense In Depth
    Enclave Boundary Defense (not just perimeter defense)
    M&M Security (hard on outside, soft and squishy on inside)

    Perhaps the iptables could defend against an intruder who is already
    through the firewall, for any of several reasons:

    Insider threat

    Firewall vendor-specific vulnerabilities

    Maybe you could just make device-specific rules more restrictive than
    the firewall that covers every device.

    I'm sure there are other good reasons, but in general any important
    device should have its own access controls (in my opinion).

    Mitchell

    > On 2003-06-25 Anish Basu wrote:
    > > I am trying to set up a secure web server which will already be
    > > protected by a dedicated hardware firewall. The hardware firewall will
    > > be configured to protect the web server as well as other computers on
    > > the network. The web server will be running Red Hat 9.0. Is there any
    > > reason to install and configure firewall software such as IPTables on
    > > the web server itself?
    >
    > I don't think that would make sense. If an intruder could exploit the
    > web server to gain root privileges, why would he stop short of changing
    > the iptables rules? If you don't trust your firewall, throw it away and
    > get some other.
    > IMO it would make more sense to move the web server into a DMZ instead.
    >
    > > Are there any advantages or disadvantages to having two firewalls set
    > > up this way?
    >
    > You will have to maintain two rulesets, which will make your firewall
    > more complex and therefore more susceptible to security breaches. IMHO.
    >
    > Regards
    > Ansgar Wiechers

    ---------------------------------------------------------------------------
    Evaluating SSL VPNs? Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    while InStat has confirmed Neoteris as the leader in marketshare.

    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.

    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ----------------------------------------------------------------------------
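Added example (not part of the original thread, not Mitchell's or Anish's code): the kind of host-based iptables ruleset the argument above points to. It is deliberately tighter than a typical perimeter policy: the web server accepts HTTP/HTTPS from anywhere, SSH only from an assumed management subnet, and logs and drops everything else, so a hit on the log rule means something got past the perimeter. The management subnet (192.168.10.0/24), the iptables path and the single-interface layout are assumptions for illustration, and the rules use the Red Hat 9 era `-m state` match. The script prints the rules by default so the policy can be reviewed without root; `--apply` runs them after a sanity check.

```shell
#!/bin/sh
# Added example: host-based iptables policy for a web server that already sits
# behind a perimeter firewall. Tighter than the perimeter on purpose.
#
# ASSUMPTIONS (not in the original post): MGMT_NET is the admin subnet allowed
# to SSH in; the server has one interface; iptables lives in /sbin.

MGMT_NET="${MGMT_NET:-192.168.10.0/24}"   # assumed management subnet
IPT="${IPT:-/sbin/iptables}"              # assumed path to the iptables binary

# Emit the rules instead of applying them, so they can be reviewed (and tested)
# without root. Apply with:  ./hostfw.sh --apply
gen_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# loopback, and replies to connections this host initiated
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new TCP connections that do not start with SYN are bogus
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# the service this box exists for: web, from anywhere
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# management only from the admin subnet (a per-device rule the perimeter may not have)
$IPT -A INPUT -p tcp -s $MGMT_NET --dport 22 -m state --state NEW -j ACCEPT
# keep the box pingable for monitoring
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# rate-limited log, then drop: anything here got past the perimeter firewall
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "HOSTFW-DROP: "
$IPT -A INPUT -j DROP
EOF
}

# Sanity checks before applying: default INPUT policy must be DROP, SSH must be
# source-restricted to MGMT_NET, and the final rule must be an unconditional DROP.
# Returns 0 when all hold, otherwise 1, 2 or 3 to identify the failed check.
check_rules() {
    rules=$(gen_rules)
    echo "$rules" | grep -q -- '-P INPUT DROP' || return 1
    echo "$rules" | grep -- '--dport 22 ' | grep -q -- "-s $MGMT_NET" || return 2
    echo "$rules" | grep -v '^#' | tail -n 1 | grep -q -- '-A INPUT -j DROP$' || return 3
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    check_rules && gen_rules | sh
else
    gen_rules
fi
```

Because OUTPUT is left at ACCEPT, a compromised web server can still connect out; if the box is not supposed to originate connections, tighten OUTPUT the same way (allow ESTABLISHED,RELATED plus DNS and updates, then DROP).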

