
Re: Required firewall support



On Thu, Mar 17, 2005 at 01:09:33PM +0100, Marc Haber wrote:
> On Wed, 16 Mar 2005 20:39:48 -0700, Joel Aelwyn <fenton@debian.org>
> wrote:
> >* The first rule of securing a machine exposed to the wilds is "Deny by
> >  default, allow by need".
> 
> Which is pretty well accomplished by only running needed services. A
> port without a service is an implicit "deny".
> 
> >Sorry, but being able to cope with a hostile environment *is* a requirement
> >in today's network, and there isn't any real way around that fact.
> 
> I am routinely running systems without any packet filtering capability
> on the network, and they are perfectly able to cope. They just only
> accept network connections for needed services.

And just how full of attempts to root SSH are your logs?

Just because you *can* cope with that (and there are situations where the
fastest patch is to slap an ACL on, say, port 22 until you can fix the real
problem, so that you neither lock yourself out of the box's remote access
nor leave it open to the kiddies) doesn't mean it is the optimal method, or
that DSA should be expected to work without fairly important security tools
when asked to keep a box secure.

Traffic control policy is a major part of layered security.
-- 
Joel Aelwyn <fenton@debian.org>                                       ,''`.
                                                                     : :' :
                                                                     `. `'
                                                                       `-
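To put a number on "how full of attempts to root SSH are your logs", here is a small added example (not part of this thread) that parses sshd "Failed password" lines from a constructed auth.log sample, counts failed root logins per source address and flags the sources that cross a threshold, which is the input a temporary ACL on port 22 would be built from. The log lines, host name and addresses are made up; the regex assumes the classic OpenSSH message format.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the original message); the host name is
# invented and the addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 17 13:01:02 host sshd[4101]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar 17 13:01:05 host sshd[4101]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar 17 13:01:09 host sshd[4102]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar 17 13:02:11 host sshd[4110]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar 17 13:03:40 host sshd[4120]: Accepted publickey for fenton from 198.51.100.20 port 39000 ssh2
Mar 17 13:04:01 host sshd[4130]: Failed password for root from 198.51.100.7 port 40002 ssh2
"""

# OpenSSH's classic "Failed password" line; "invalid user" marks a name with no local account.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+"
)

def failed_logins(log_text):
    """Yield (user, source address, was_invalid_user) for each failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("src"), bool(m.group("invalid"))

def root_attempts_by_source(log_text):
    """Count failed root password attempts per source address."""
    counts = Counter()
    for user, src, _invalid in failed_logins(log_text):
        if user == "root":
            counts[src] += 1
    return counts

def noisy_sources(log_text, threshold=3):
    """Sources that reached the threshold of failed root attempts: candidates for a port-22 ACL."""
    return sorted(src for src, n in root_attempts_by_source(log_text).items() if n >= threshold)

if __name__ == "__main__":
    for src, n in root_attempts_by_source(SAMPLE_AUTH_LOG).most_common():
        print(f"{src:>16}  {n} failed root attempts")
    print("over threshold:", noisy_sources(SAMPLE_AUTH_LOG))
```

On a real host, feed it /var/log/auth.log (or the equivalent journal output) instead of the embedded sample.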
