begin Thomas Bushnell, BSG quotation:

> I have never seen a firewall administered in a way which actually
> improved security. For example, where I am, there is a firewall that
> blocks incoming TCP port 23 connections, on the grounds that this
> improves security. Of course, it does no such thing; telnetd can run
> on any port you like.

Does your network's firewall really only restrict port 23? I agree that that would be a useless firewall.

The firewall setups I've usually run into are more like, "Let NOTHING in except for ports 80 and 443 to the web server (and only the web server), and ports 25 and 110 to the mail server (and only the mail server)." This has some value in enhancing security; there are only three machines vulnerable to direct attack (the web and mail servers, and the firewall itself). So as long as you pay attention to the security of those machines, including all web-based services, the rest of your network should be reasonably safe, even if some machines are running insecure services (though you certainly don't want to encourage that in any case) or are behind on their security patches.

I've even seen some firewalls set up to block _outbound_ connections except on authorized ports (usually 80 and 443, maybe 23 and/or 110 as well). At my previous job, I had to specifically request a firewall hole to allow me to contact an external NTP server (since the company didn't have one). I suppose the theory here is that if a trojan or network worm somehow got into the company, it wouldn't be able to phone home or spread beyond the LAN. Still, I thought it was excessive, particularly since web servers on non-standard ports aren't exactly uncommon.

Craig
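The two policies Craig contrasts with the port-23-only firewall, written out as an nftables ruleset. This is an added example, not code from the thread or from either poster; the interface names (eth0 toward the Internet, eth1 toward the LAN), the addresses (web server 192.0.2.10, mail server 192.0.2.20, LAN 192.0.2.0/24) and the external NTP peer (203.0.113.5) are placeholders chosen for the example. The point is that the allow rules are keyed on destination host and port together, so a service listening on an unexpected port is dropped by the chain policy rather than needing its own block rule; the egress section shows the "firewall hole" style of outbound allow-listing, including why a web server on a non-standard port would be unreachable from inside.

```nft
#!/usr/sbin/nft -f
# Added example; addresses and interface names are assumed placeholders.
flush ruleset

table inet border {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful core: replies to flows already permitted below pass in both
        # directions; anything the conntrack table cannot classify is dropped.
        ct state established,related accept
        ct state invalid drop

        # Inbound: only the web server on 80/443 and only the mail server on
        # 25/110. Port 23 (or any other port) to any host has no matching rule
        # and falls through to the drop policy.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport { 80, 443 } ct state new accept
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.20 tcp dport { 25, 110 } ct state new accept

        # Outbound (egress filtering): HTTP/HTTPS from the LAN, plus one explicit
        # NTP hole to a single external time server. A LAN host trying to reach
        # a web server on, say, port 8080 is dropped here, which is the cost
        # Craig describes.
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.0/24 tcp dport { 80, 443 } ct state new accept
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.0/24 ip daddr 203.0.113.5 udp dport 123 accept

        # Log what the policy is about to drop so blocked phone-home attempts
        # and misconfigured clients show up in the firewall's own logs.
        log prefix "border-drop: " drop
    }

    chain input {
        # Traffic to the firewall host itself: the third directly exposed
        # machine. Nothing new from the Internet side at all.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Administrative SSH from the LAN side only (assumed admin path).
        iifname "eth1" tcp dport 22 ct state new accept
    }
}
```

Load with `nft -f` and inspect the result with `nft list ruleset`; the inbound and outbound allow rules are the complete list of what can cross the border, which is what makes the three exposed machines the only ones that need to be watched closely.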