Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

Adam McKenna <adam@debian.org> wrote:
> I believe the word I used was "adequate", not "fully".  It is adequate as a
> basic level of security, if configured properly.  This level of security is
> acceptable for many hosts.  (For instance, when I received my Debian username
> and password, I don't remember being asked which hosts I wanted to be able to
> SSH in from.)

Sorry, I've paraphrased you rather badly. The word *was* "adequate". I
apologise, but I still disagree with you.

> Firewalls are nice, but anyone who thinks that just because they put a
> firewall in front of something that it is now "secure", needs to get a clue.

I don't believe that just because there's a firewall in place then a site is
secure (despite what at least one other on this list seems to think). It's
only a part of making a site secure, but it's a big part.

And yes, when I say "secure", I really mean "secure enough for my purposes".
I'm not hiding any military secrets or anything. Just commercial

> No, I'm just not a zealot.  I believe that certain security measures are
> warranted in certain situations, and that each situation must be evaluated
> independently.  You (AFAICT) believe that maximum security is warranted in
> all situations, no matter the cost.

Not at all. If I did, I wouldn't have my workstation connected to the 'net.

However, I *do* have a two-level NAT/IP Masq/IP forwarding firewall setup
here, with only three machines directly connected to the 'net (plus a
router), and many others behind it. It wasn't so hard to set up, and it
helps protect a bunch of other machines that can't otherwise be protected
(Windows boxes, ugh). Without that basic level of protection, I'd expect to
have to clean up after a breach every week or two.

Sam Couter          |   Internet Engineer   |   http://www.topic.com.au/
sam@topic.com.au    |   tSA Consulting      |
OpenPGP key ID:       DE89C75C,  available on key servers
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
