Re: lighting---hacked!

From: Alan W. Frame (alan.frame@acm.org)
Date: 05/29/02


From: alan.frame@acm.org (Alan W. Frame)
Date: Wed, 29 May 2002 14:30:23 +0100

Simon Matthews <nobody@devnull.none> wrote:

> On Thu, 23 May 2002, Alan W. Frame wrote:
>
> > Simon Matthews <nobody@devnull.none> wrote:
> >
> Alan,
>
> I guess I am starting with the fundamental concept that any machine that
> offers any services is much more likely to be cracked than a firewall.

Very true, and IIRC, it's rare for a linux-based non-service-offering
machine to have vulnerabilities.

> I figure that if I turn off all remote access to my firewall, then packets
> will pass through it, but there's nothing running locally that can be used
> to compromise the box itself.

Again true, but you may want to consider a fail-safe scenario[0] - and
where the box is and whether it warrants having a 'back-door' rather than
insisting on console access.

> Much of my thinking is also predicated on the assumption that one is
> running a private subnet (non-routable IP addresses) with masquerading and
> source routed packets are rejected everywhere.

For sure, but if you run *many* private subnets, then IMO you can get
more control over things - it's a question of balancing the control
against any (real or perceived) increase in risk.

> Do you really have application level proxies for all outgoing traffic?

In general yes - no IRC/IM/P2P stuff on my networks[1] - or even ftp -
SOAP is the next big worry for me.

rgds, Alan
[0] q.v. Tim's periodic reloading of iptables rules.
[1] 'tis amusing to see all the spyware calls home from the LAN bouncing
off the inside of the interior router...

-- 
99 Ducati 748BP, 95 Ducati 600SS, 81 Guzzi Monza, 74 MV Agusta 350
"Ride to Work, Work to Ride" SI# 7.067 DoD#1930 PGP Key 0xBDED56C5
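The posture the two posters are comparing (a firewall that offers no services of its own, a private masqueraded subnet, source-routed packets rejected, and a fail-safe for remote rule edits as in note [0]) can be written down as a small iptables script. The script below is an added example for this archive page; it is not code from either poster. Interface names (eth0/eth1), the 192.168.1.0/24 subnet, the allowed outbound ports, and the path of the known-good ruleset are assumptions, and it prints the commands instead of executing them unless DRY_RUN is set to 0.

```shell
#!/bin/sh
# Added example, not from the original thread. All interface names, subnets,
# ports and paths below are assumptions; adjust them for a real deployment.
# DRY_RUN=1 (the default) prints each command instead of running it, so the
# ruleset can be reviewed without root and without touching a live firewall.

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"                      # assumed external interface
LAN_IF="${LAN_IF:-eth1}"                      # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"          # assumed RFC 1918 subnet
SAVED_RULES="${SAVED_RULES:-/etc/iptables.known-good}"  # assumed path

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Kernel side: reject source-routed packets everywhere, enable reverse-path
# filtering against spoofed sources, and turn on forwarding for the LAN.
harden_kernel() {
    run sysctl -w net.ipv4.conf.all.accept_source_route=0
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w net.ipv4.ip_forward=1
}

# Netfilter side. The firewall itself offers nothing: INPUT defaults to DROP
# and only loopback and replies to its own connections are accepted, so the
# box is administered from the console. The LAN may only reach the ports a
# proxy would normally serve; everything else that tries to leave (spyware
# "calling home", see note [1]) hits the LOG rule and then the DROP policy.
build_rules() {
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" \
        -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" \
        -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -j LOG --log-prefix "FW-DROP: "
}

# Fail-safe for the note [0] scenario: before changing rules over a remote
# session, schedule a restore of the known-good ruleset. If the new rules
# lock you out, access returns by itself; if they work, kill the job.
schedule_failsafe() {
    secs="${1:-300}"
    if [ "$DRY_RUN" = 1 ]; then
        echo "sleep $secs && iptables-restore < $SAVED_RULES"
        return 0
    fi
    ( sleep "$secs" && iptables-restore < "$SAVED_RULES" ) &
    echo "$!"   # PID to kill once the new rules are confirmed working
}

# Number of iptables commands the ruleset generates (useful for review).
rule_count() {
    DRY_RUN=1
    build_rules | grep -c '^iptables'
}

case "${1:-}" in
    apply)    DRY_RUN=0; harden_kernel; build_rules ;;
    show)     harden_kernel; build_rules ;;
    failsafe) schedule_failsafe "${2:-300}" ;;
    *)        : ;;   # no argument: only define the functions
esac
```

Run it as `sh fw.sh show` to review the generated commands, `sh fw.sh failsafe 300` before a remote change, and `sh fw.sh apply` as root on the box itself. The rule order matters: the MASQUERADE rule rewrites only traffic the FORWARD chain has already accepted, and the LOG rule sits last so that only traffic about to be dropped by the policy is recorded.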
