On Mon, May 20, 2002 at 05:13:55PM -0400, Michael Stone wrote:
> On Tue, May 21, 2002 at 06:12:00AM +1000, Anthony Towns wrote:
> > On Mon, May 20, 2002 at 12:13:41PM -0700, Thomas Bushnell, BSG wrote:
> > > 1. Debian does not have firewalling by default, so if firewalling is
> > > necessary for security, then it is not secure by default.
> > It does: it has spoof protection enabled and forwarding disabled by
> > default.
> That's not firewalling.
It's the sort of stuff I'm referring to, though: broad protection from
network attacks by randomly ignoring things.
> For all we know, hurd might not even be able to
> forward packages. </joke>
(packets)
It's possible, and it might mitigate it somewhat. Firewalling tools can
also stop you from having people try to hax0r your system by spoofing
packets from 127.0.0.1 and sending them across ppp0, or let you run new
servers so that they're only available from localhost if you aren't sure
whether it's worth investing the time in it to make sure it's useful, or
whatever.
> > In any event, default behaviour isn't the issue: it's whether
> > or not you have any real control over your network interfaces.
> I'm sure hurd has fundamental control: if they don't want someone
> connecting to a hurd box, they won't run any network servers.
If you're going to take that attitude you might as well tell them to
turn the computer off.
> > > 2. Firewalling is not actually an asset in network security; the
> > > notion that it is is misguided and thoroughgoingly erroneous.
> > That's the most bizarre statement I've seen for at least an hour.
> It's also correct, from a certain point of view. </obi-wan> There is a
> school of thought that firewalls are only useful if you are trying to
> protect network services that you can't secure properly.
Which is quite accurate. We can't secure our services properly. If we
could, we would have, and we wouldn't be wasting time worrying about
making sure we can do security updates in a timely manner.
> More importantly, for this school of thought, is the fact
> that firewalls offer a false sense of security.
Actually, they offer a much *stronger* sense of security. It's easier
to say "Don't allow any traffic from this device to port 80" with a
system-wide firewalling tool and be confident that nothing's going to
get in, than to do the same thing from the application.
Yes, they can break and if they do you suddenly aren't protected anymore.
That shouldn't come as a surprise to anyone.
Cheers,
aj
--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``BAM! Science triumphs again!''
-- http://www.angryflower.com/vegeta.gif
Attachment:
pgpm3GjNlEbrS.pgp
Description: PGP signature