
Re: hurd does NOT need /hurd



begin  Thomas Bushnell, BSG  quotation:

> I have never seen a firewall administered in a way which actually
> improved security.  For example, where I am, there is a firewall that
> blocks incoming TCP port 23 connections, on the grounds that this
> improves security.  Of course, it does no such thing; telnetd can run
> on any port you like.

Does your network's firewall really only restrict port 23? I agree that
that would be a useless firewall. The firewall setups I've usually run
into are more like, "Let NOTHING in except for ports 80 and 443 to the
web server (and only the web server), and ports 25 and 110 to the mail
server (and only the mail server)." This has some value in enhancing
security; there are only three machines vulnerable to direct attack (the
web and mail servers, and the firewall itself). So as long as you pay
attention to the security of those machines, including all web-based
services, the rest of your network should be reasonably safe, even if
some machines are running insecure services (though you certainly don't
want to encourage that in any case) or are behind on their security
patches.

I've even seen some firewalls set up to block _outbound_ connections
except on authorized ports (usually 80 and 443, maybe 23 and/or 110 as
well). At my previous job, I had to specifically request a firewall hole
to allow me to contact an external NTP server (since the company didn't
have one). I suppose the theory here is that if a trojan or network worm
somehow got into the company, it wouldn't be able to phone home or
spread beyond the LAN. Still, I thought it was excessive, particularly
since web servers on non-standard ports aren't exactly uncommon.

Craig

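As an added example (not code from the original thread or its participants), the inbound and outbound policy Craig describes, expressed as an nftables ruleset for a perimeter host routing between an external interface and the LAN. Interface names, the web, mail and NTP server addresses, and the admin port are constructed placeholders; note that the rule for the web server admits whatever listens on its ports 80 and 443, which is exactly why the post says those exposed machines still need attention.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread: default-deny ruleset for a
# perimeter host. Interface names, addresses and the NTP server are
# placeholders (assumptions), not values from the post.
flush ruleset

define wan_if   = "eth0"
define lan_if   = "eth1"
define web_srv  = 192.0.2.10      # placeholder: internal web server
define mail_srv = 192.0.2.20      # placeholder: internal mail server
define ntp_srv  = 203.0.113.123   # placeholder: the one approved external NTP server

table inet perimeter {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        # Replies belonging to connections already permitted.
        ct state established,related accept

        # Inbound: only 80/443 to the web server and 25/110 to the mail server.
        iifname $wan_if oifname $lan_if ip daddr $web_srv  tcp dport { 80, 443 } ct state new accept
        iifname $wan_if oifname $lan_if ip daddr $mail_srv tcp dport { 25, 110 } ct state new accept

        # Outbound: LAN hosts may only reach web ports, plus the approved NTP server.
        iifname $lan_if oifname $wan_if tcp dport { 80, 443 } ct state new accept
        iifname $lan_if oifname $wan_if ip daddr $ntp_srv udp dport 123 ct state new accept

        # Log and count what the default policy is about to drop, so blocked
        # services and phone-home attempts appear in the firewall's own logs.
        log prefix "fw-drop: " counter
    }

    chain input {
        # The firewall host itself accepts only loopback, return traffic and
        # administration from the LAN side (port is a placeholder).
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        iifname $lan_if tcp dport 22 ct state new accept
    }
}
```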

