
Re: Firewall



adam wrote:

~[snip]

> There are a few cases where this is dangerous:
>
> * I am assuming your firewall exists to protect your network, by providing
> packet filtering (potentially inbound AND outbound).
>
> 1) If an attacker learns an internal address, and your internal network is
> unrouted (on a single segment of ethernet), they would be able to get
> packets (unfiltered) into your network, unless your upstream
> router/DSL/Cable modem etc is going ingress filtering.

It's not altogether hard to prevent IP spoofing, provided that the router within
metric 5 is safe.

> 2) If one external (say a web server) is "owned" on your internal network,
> you have no DMZ to protect the rest of your network. The one compromised
> machine has considerable power in this case, and would be less dangerous
> if trapped inside a DMZ. (potentially using egress filtering, to prevent
> attackers from getting much use out of a compromised machine.)

Not necessarily true. Remember, in almost all cases, small networks would
have around the same security for all servers. Well, that is, if one machine
got 'rooted', you can safely assume that all other servers are just 'rooted'
altogether.

A good firewall, together with portsentry, and some obscurity tricks (e.g.
ssh port at port 12576 and whatever suitable), should almost be a fortress to
most script-kiddies, or moderate crackers.

I find it very hard to crack a machine with a good firewall, and very easy to
crack all those DMZ settings, since implicit trust is too expensive.. :-)

> That said, I use a hub out of my dorm (and ip aliasing, which is neat
> stuff) and don't really have any problems. I also don't have a serious
> firewall setup, if I did, I'd probably use a dual (or probably 3-NIC)
> setup.

neat.

> I haven't been following this thread, so ignore this if it isn't relevant.
> I just thought it was important to mention the risks involved in such a
> setup -- it's not really a "firewall" at all against a determined
> attacker.

A 'determined' attacker would almost 100% devastate a site if it's Linux at
all. :-P
Remember, Linux is not easy to maintain as a secure platform; if you want
99.999% security, go for BSD (huh, when will Debian-BSD be out, guys?)

~[snip]
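The ingress filtering adam's point 1) relies on, and the egress filtering his point 2) mentions, amount to one check on each packet: does the claimed source address make sense for the interface it arrived on? The simulation below is an added example, not code from anyone in this thread; the internal prefix, bogon list, and sample packets in it are constructed.

```python
"""RFC 2827 style ingress/egress anti-spoofing filter, simulated in Python."""
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed sample topology: one flat internal segment behind the border device.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# Address space that should never appear as a source arriving from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, "this net", link-local
)]


def _in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def filter_packet(iface: str, src: str) -> str:
    """Return 'accept' or a drop reason for a packet, given arrival interface and source."""
    addr = ipaddress.ip_address(src)
    if iface == "ext":
        # Ingress filtering: a packet from outside may not claim an inside or bogon source.
        if _in_any(addr, INTERNAL_NETS):
            return "drop: spoofed internal source on external interface"
        if _in_any(addr, BOGON_NETS):
            return "drop: bogon source on external interface"
        return "accept"
    if iface == "int":
        # Egress filtering: a (possibly compromised) inside host may only use its own prefix.
        if not _in_any(addr, INTERNAL_NETS):
            return "drop: inside host spoofing a foreign source"
        return "accept"
    return "drop: unknown interface"


def run(packets: Iterable[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    return {p: filter_packet(*p) for p in packets}


# Constructed sample traffic (interface, source address); not captured from a real network.
SAMPLE = [
    ("ext", "203.0.113.7"),   # ordinary Internet source
    ("ext", "192.168.1.10"),  # spoofed: claims to be an inside host
    ("ext", "10.5.5.5"),      # spoofed: private space arriving from outside
    ("int", "192.168.1.10"),  # inside host, legitimate
    ("int", "198.51.100.9"),  # inside host spoofing an outside address
]

if __name__ == "__main__":
    for (iface, src), verdict in run(SAMPLE).items():
        print(f"{iface:>3} {src:<16} {verdict}")
```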


