Re: OT-- Low power, quiet least expensive firewall option
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Wed, 27 Dec 2006 14:05:02 -0600
On Wed, 27 Dec 2006, in the Usenet newsgroup comp.security.firewalls, in article
<459226AB.95C78040@xxxxxxxxxxxx>, OSbandito wrote:
> Moe, This is a marginally related question. My only experience with
> firewalls has been the use of a router (basic functions) and a software
> firewall to augment. Please give me your opinion on using this simple
> combination to protect and administer a Freenet (or similar) server.
My personal preference would be for a simple box connected to the
Internet side of things that only permits those connections INBOUND
that the administrator wants to allow. If you are providing a web
server, then someone connecting to your Internet address should ONLY
be able to connect to port 80 and/or 443 or where ever you are running
that server. There's no need for them to connect to your gopher server,
or finger, or telnet, or SSH or any other port, period. You can do
this by connecting the server directly, (and allowing _your_ administrative
connection via a different interface), depending on your skill level.
> Do you think this would be adequate or would I be better off learning
> how to build a proper firewall? ~Thx
Two things - know how to build a proper _server_ (which means one that
has the needed applications and no more than that), _and_ know how to
build the firewall. The first point is important - if it's not
installed, it can't be exploited. Our "public" servers all run from
'read-only' media as an added precaution, and any volatile data is mounted
'noexec'. It's much harder to exploit that way. Anything uploaded from
"outside" gets dropped into a directory with d-w-rwx--- permissions - the
'w' to allow the data to be written by a user with NO other permissions
anywhere else on the file system, and the 'rwx' to allow the data to be
removed by a cron job by a group with only one user and transferred to
a quarantine area where outsiders have no access. The 'un-trusted' user
(often 'guest' but I've also seen them named 'intruder' or 'hostile')
only belongs to a separate group that is otherwise unused. This avoids
access through the 'others' permissions (-------rwx) that is granted if
you are not the owner or a member of the group.
> note: will likely run Solaris
For the server, this would be fine. Use the O/S you are comfortable with,
the one that you can secure. As a combined server and firewall, I'd be
a little less enthused, but that's mainly because I don't "know" the
firewall capabilities as well as I'd want to. For a firewall alone, I'd
usually recommend an O/S designed for this function rather than a general
purpose design. I mentioned using Linux on my home firewall, and it's a
stripped version using a local compile. I'm using that simply because I
have experience with that O/S and feel comfortable with it. I would
never consider using an 'out-of-box' 'popular' distribution simply
because that 'out-of-box' install has much unneeded stuff/features/etc.
Old guy
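The cron-driven sweep Moe describes above (untrusted uploads land in a drop directory, a one-member group's job carries them off to a quarantine area the uploader cannot reach), written out as an added example. This is not a script from the thread or from any project the poster runs; the directory paths, the name of the sweeping group and the one-minute age threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the original poster's script: the cron-driven sweep the
# post describes, moving whatever the untrusted upload user dropped into a
# quarantine area that only the sweeping group can reach.  The directory
# paths, the 'quarantine' group and the age threshold are assumptions.
set -eu

# sweep_uploads DROP QUARANTINE [MIN_AGE_MINUTES]
#
# Moves every regular file found at the top level of DROP into QUARANTINE.
# Nothing is recursed into, and symlinks are skipped, so an uploader cannot
# steer the sweep at another path.  Files modified less than MIN_AGE_MINUTES
# ago (default 1) are left for the next run so a transfer still in progress
# is not cut in half.  Moved files are renamed with a unique prefix (two
# uploads with the same attacker-chosen name never overwrite each other) and
# set to mode 0640, so nothing in quarantine is executable or world-readable.
# Prints the number of files moved.
sweep_uploads() {
    drop=$1
    quar=$2
    min_age=${3:-1}
    moved=0

    if [ ! -d "$drop" ] || [ ! -d "$quar" ]; then
        echo "sweep_uploads: $drop or $quar is not a directory" >&2
        return 1
    fi

    stamp=$(date +%Y%m%d%H%M%S)

    # Both globs, so dotfiles are swept too; a glob with no match stays a
    # literal string and fails the -f test below.
    for f in "$drop"/* "$drop"/.[!.]*; do
        [ ! -L "$f" ] && [ -f "$f" ] || continue
        if [ "$min_age" -gt 0 ] && [ -n "$(find "$f" -mmin -"$min_age")" ]; then
            continue
        fi
        dest="$quar/$stamp.$$.$moved.$(basename "$f")"
        mv -- "$f" "$dest"
        chmod u=rw,g=r,o= "$dest"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Invoked as a script (for example from the sweeping group's crontab every
# five minutes), DROP and QUARANTINE come from the command line.
if [ $# -ge 2 ]; then
    sweep_uploads "$@"
fi
```

The drop directory mode the post gives, d-w-rwx---, is 0270 with the untrusted user as owner and the sweeping group as group; the quarantine directory should then be something like root:sweepgroup at 0770, which the untrusted user (a member of no other group) cannot enter. One check worth making before relying on the 0270 mode: on POSIX filesystems, creating a file under a directory needs both write and search (x) permission on that directory, so whether the uploader can itself drop files into a write-only directory depends on the privileges the upload daemon runs with. The sweep above needs only the group's rwx, and mv only works as a rename if drop and quarantine sit on the same filesystem, so keep them there or accept a copy-then-unlink.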