Re: three solutions for one Linux box



On Mon, 03 Sep 2007, in the Usenet newsgroup comp.security.firewalls, in article
<V_ICi.103747$U01.880642@xxxxxxxxxxxxxxxxxx>, john toynbee wrote:

> in your opinion, for one client Linux box, with always-on ADSL (dynamic
> address), is more safe:

Define "safe". What are you trying to protect against? Stupid users?
No solution is safe. An intelligently configured system with a user who
is not clicking on websites that say "R00t Me!!!" goes a long way in
preventing problems.

[compton ~]$ netstat -tuan
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:21 192.168.1.0:* LISTEN
tcp 0 0 0.0.0.0:22 192.168.1.0:* LISTEN
[compton ~]$

This is a *nix box on an internal LAN, and the only thing open is SSH
and FTP, and only from the LAN address range. No firewall needed,
although there is an external firewall allowing NAT access out (but
not in).

> 1) only software firewall

Kept up to date - that will work fine.

> 2) software firewall + hardware firewall integrated in an ADSL router
> (Netgear, etc, etc.) with never updated firmware

The only "hardware firewall" is a network (Ethernet) cable that has
no wires connected. ALL firewalls have software, and all should be
kept up to date to avoid problems.

> 3) software firewall + a firewall Linux distro (IPCop, Devil-Linux, etc.
> etc), always updated, in an old computer

What is your Linux distribution supposed to be doing? IPCop is a
cut-down Linux distribution that is intended to operate as a firewall,
and _only_ as a firewall. It has some advanced firewalling features,
including VPNs using IPSec. Devil-Linux is a distribution which boots
and runs completely from CDROM. The configuration can be saved to a
floppy diskette or a USB pen drive. Devil Linux was originally intended
to be a dedicated firewall/router but now Devil-Linux can also be used
as a server for many applications (which is an incredibly stupid idea).
A firewall box is NOT a workstation, and should not be a server - the
principle is the more "stuff" you have running on a firewall, the more
you have to work to configure it safely. If it's not installed, it can
not be exploited.

> Is the third solution an excessive one?

In Linux (and other UNIX-like operating systems such as the *BSDs), the
firewall is part of the kernel. Tools like 'iptables', 'ipfw' or the
fancy GUI webpage used in IPCop are used to _configure_ that firewall.
They are NOT the firewall itself.

Firewalls can not protect stupidity. Remember Windoze 3.1? You could
not hack into windoze3.1 over the network (it didn't have a network
capability), yet there were thousands of worms, trojans, viruses and
other mal-ware installed by users who were determined to do stupid
things. Are your users any better?

Old guy
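An added example, not part of the original post: a small POSIX shell check that reads the same kind of `netstat -tuan` listing shown above and reports which listening sockets are bound to the wildcard address (reachable on every interface, so on an ADSL-connected box reachable from the Internet unless the kernel firewall blocks them) versus bound only to loopback or one LAN address. The sample listing is constructed for the example; the column layout assumed is the one in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a `netstat -tuan`-style
# listing and flag sockets bound to the wildcard address 0.0.0.0 / :: as
# "exposed", and sockets bound to loopback or a single address as
# "local-only". TCP rows count only in LISTEN state; UDP rows have no state.

# Constructed sample in the same layout as the post's netstat output.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.5:22 192.168.1.7:41022 ESTABLISHED
udp 0 0 0.0.0.0:123 0.0.0.0:*'

# Reads netstat lines on stdin, prints "<proto> <port> exposed|local-only".
audit_listeners() {
    awk '
        /^(tcp|udp)/ {
            proto = $1; local = $4; state = $6
            if (proto ~ /^tcp/ && state != "LISTEN") next
            n = split(local, parts, ":")
            port = parts[n]                      # last field is the port
            sub(":" port "$", "", local)         # strip ":port" from address
            if (local == "0.0.0.0" || local == "::" || local == "*")
                printf "%s %s exposed\n", proto, port
            else
                printf "%s %s local-only\n", proto, port
        }'
}

# Reads netstat lines on stdin, prints the number of exposed sockets only;
# handy as a one-line "what did I leave open" check after a change.
count_exposed() {
    audit_listeners | grep -c ' exposed$'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
```

On a live box, pipe the real command in instead: `netstat -tuan | audit_listeners`.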