Re: lighting---hacked!

From: Alan W. Frame (alan.frame@acm.org)
Date: 05/29/02
From: alan.frame@acm.org (Alan W. Frame)
Date: Wed, 29 May 2002 14:30:23 +0100

Simon Matthews <nobody@devnull.none> wrote:

> On Thu, 23 May 2002, Alan W. Frame wrote:
>
> > Simon Matthews <nobody@devnull.none> wrote:
> >
> Alan,
>
> I guess I am starting with the fundamental concept that any machine that
> offers any services is much more likely to be cracked than a firewall.

Very true, and IIRC, it's rare for a linux-based non-service-offering
machine to have vulnerabilities.

> I figure that if I turn off all remote access to my firewall, then packets
> will pass through it, but there's nothing running locally that can be used
> to compromise the box itself.

Again true, but you may want to consider a fail-safe scenario[0] - and
where the box and whether it warrants having a 'back-door' rather than
insisting on console access.

> Much of my thinking is also predicated on the assumption that one is
> running a private subnet (non-routable IP addresses) with masquerading and
> source routed packets are rejected everywhere.

For sure, but if you run *many* private subnets, then IMO you can get
more control over things - it's a question of balancing the control
against any (real or perceived) increase in risk.

> Do you really have application level proxies for all outgoing traffic?

In general yes - no IRC/IM/P2P stuff on my networks[1] - or even ftp -
SOAP is the next big worry for me.

rgds, Alan
[0] q.v. Tim's periodic reloading of iptables rules.
[1] 'tis amusing to see all the spyware calls home from the LAN bouncing
off the inside of the interior router...

-- 
99 Ducati 748BP, 95 Ducati 600SS, 81 Guzzi Monza, 74 MV Agusta 350
"Ride to Work, Work to Ride" SI# 7.067 DoD#1930 PGP Key 0xBDED56C5
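Added example (not from the thread, not Alan's or Simon's own configuration): a small script that writes down the design the two of them are discussing as an iptables-restore(8) ruleset and the matching sysctl settings, plus a fail-safe apply step in the spirit of footnote [0]. The interface names, the private subnet and the file paths under /run and /etc/sysctl.d are assumptions; the filter chains accept nothing new from the network, so the firewall itself offers no service, masquerades the private subnet, and the kernel is told to reject source-routed packets. The check function is the thing a practitioner would want to run before loading the rules: it fails if any rule in INPUT would accept a new inbound connection.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names, subnet and paths
# are assumptions; adjust them to the box you are building.
WAN_IF="${WAN_IF:-eth0}"               # assumed external interface
LAN_IF="${LAN_IF:-eth1}"               # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private (RFC 1918) subnet

# Kernel settings: forward between interfaces, refuse source-routed packets
# everywhere, and drop packets whose source would not route back the same way.
gen_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
EOF
}

# Ruleset in iptables-restore(8) format. INPUT drops everything except
# loopback and replies to the firewall's own connections: no remote access,
# administration happens on the console. FORWARD only lets the private
# subnet out and the replies back in; POSTROUTING masquerades it.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity check: no INPUT rule may ACCEPT anything other than loopback or
# reply traffic, i.e. the firewall offers no service to the network.
# Returns 0 when the ruleset passes, 1 when a rule would accept new inbound.
check_no_inbound_services() {
    gen_ruleset | awk '
        /^-A INPUT/ && /-j ACCEPT/ && !/-i lo / && !/ESTABLISHED/ { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Fail-safe apply (needs root): save the running rules and schedule their
# restoration in five minutes before loading the new set. A mistake that
# locks you out undoes itself; once the new rules are confirmed good, cancel
# the job with: atrm "$(cat /run/fw-failsafe.job)"
apply_with_failsafe() {
    check_no_inbound_services || { echo "ruleset accepts inbound; refusing" >&2; return 1; }
    iptables-save > /run/fw-failsafe.rules
    job=$(echo "iptables-restore < /run/fw-failsafe.rules" \
          | at now + 5 minutes 2>&1 | awk '/^job/ { print $2 }')
    echo "$job" > /run/fw-failsafe.job
    gen_sysctl > /etc/sysctl.d/90-firewall.conf
    sysctl -p /etc/sysctl.d/90-firewall.conf
    gen_ruleset | iptables-restore
}

case "${1:-}" in
    --rules)  gen_ruleset ;;
    --sysctl) gen_sysctl ;;
    --apply)  apply_with_failsafe ;;
    *) : ;;
esac
```

Run it with `--rules` or `--sysctl` to review what would be loaded, and `--apply` on the firewall itself once you are happy with it. The state-match rules use the 2002-era `-m state` syntax that the thread's readers would have had; on a current kernel `-m conntrack --ctstate` does the same job.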