Re: being hacked? - hatches/hardening

To: debian-user@lists.debian.org
Subject: Re: being hacked? - hatches/hardening
From: Arnt Karlsen <arnt@c2i.net>
Date: Thu, 5 Feb 2004 02:59:49 +0100
Message-id: <[🔎] 20040205025949.687dac10.arnt@c2i.net>
In-reply-to: <[🔎] Pine.LNX.3.96.1040204160138.9107A-100000@Maggie.Linux-Consulting.com>
References: <[🔎] 075e01c3eb52$81484a70$8100a8c0@punk> <[🔎] Pine.LNX.3.96.1040204160138.9107A-100000@Maggie.Linux-Consulting.com>

On Wed, 4 Feb 2004 16:08:57 -0800 (PST), 
Alvin Oga <aoga@ns.Linux-Consulting.com> wrote in message 
<[🔎] Pine.LNX.3.96.1040204160138.9107A-100000@Maggie.Linux-Consulting.com>:

> 
> hi ya jens
> 
> On Wed, 4 Feb 2004, Jens Simmoleit wrote:
> 
> > The best thing to tighten up your network is a firewall...........
> > try this one I use it here for customers. It's free it's (not really
> > :-) fun and it's reliable, never had any trouble with it. Easy to
> > maintain, just great........... works with ip tables
> 
> yes and no ... 
> 
> i think that most people do not treat a fw any differently than a dns,
> web, mail, insecure box

..those are not _in_ ipcop, they _can_ be put in its DMZ for public use,
or in the lan for internal-only use.  Details in http://ipcop.org/

> what is the difference between each server ??
> 	dns ------ runs [chroot] bind
> 	mail ----- runs your mta ( sendmail, exim, qmail, .. )
> 	pop ------ runs secure in.popd
> 	web ------ runs apache
> 	firewall - runs iptables
> 	...
> 
> 
> 	same os, same gcc, same xxx apps, same yyy libs, ....

..no compiler in ipcop.  ;-)
 
> all other apps and exploits and vulnerabilities are the same with
> or without the firewall .. 

..true.  And all easy prey with everything on the same box.
> 
> 	what good is the firewall ??? it allows the cracker in
> 	from the cracked home pc or sniffed wireless traffic
> 
> the "computer/resources security policy" is 10x more important than a
> firewall ??
> 
> my stance is ... "assume they have root access" .. now protect what
> you want to protect in that supposedly secure network that they not
> supposed to be watching/sniffing/cracking into

..so look boring, pretend to be a wintendo or something boring but
normal, give'm one box at the time, and prep back-ups, tarpits and 
jails are optional, or make'm "Yahoo, got it! What? Fuck, its gone!".

> weigh all that against the costs of loss of data ... or loss
> or productivity or people not being able to work for 2-3 days
> while forensics is being done

..is _why_ you want it all on separate boxes.  ;-)

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.

Reply to:

References:
- Re: being hacked? - hatches/hardening
  - From: "Jens Simmoleit" <simmel@anymotion.de>
- Re: being hacked? - hatches/hardening
  - From: Alvin Oga <aoga@ns.Linux-Consulting.com>

Prev by Date: Re: cdrecord priority
Next by Date: motion: when exactly does it make an mpeg?
Previous by thread: Re: being hacked? - hatches/hardening
Next by thread: Re: being hacked? - hatches/hardening
Index(es):
- Date
- Thread