
RE: is iptables enough?



I run 2 cronjobs to apt update each machine every night and email me the
updates; if I'm happy I log in and do the upgrade.

For protecting a single machine I have difficulty justifying a separate
firewall machine; I cannot see it achieving much unless the port-forwarded
ports are proxied, i.e. no direct connection from outside to the server is
allowed. If it's protecting multiple machines in a DMZ then yes, it has value;
however, I run iptables on each machine in the DMZ as well, such that one
machine in the DMZ cannot get to another.

I agree with the idea of having more than 1 firewall, using a different
firewall system, which gives defence in depth. Even an ACL on a CISCO router
before the firewall is a start. There have been cases of firewall 1 having
security holes and being directly connected to the net, yet convincing
others to allow me to put a linux box running simple iptables in front has
fallen on deaf ears.

I suppose it depends on how paranoid you wish to be, or if you prefer "once
stung twice shy". If you have not been stung then there are other
distractions taking your attention.

regards

Steven



-----Original Message-----
From: Stefan Neufeind [mailto:stefan@neufeind.net]
Sent: Thursday, 20 March 2003 10:22 
To: Ian Garrison
Cc: debian-security@lists.debian.org
Subject: Re: is iptables enough?


What I find astonishing: Let's say you are running a webserver, maybe 
mailserver and a DNS on a server. What rules do you want to apply to 
the packets etc.?

I would suggest keeping the open ports restricted and checking for all 
current updates regularly (subscribe to several mailing lists etc.), 
and I guess that would be far enough. What other things does a 
firewall have to offer? It's good if you want to protect e.g. a 
network but for a single server I doubt it's that interesting or 
useful.


What do others think?

On 19 Mar 2003 at 16:07, Ian Garrison wrote:

>    Imo iptables is a reasonably good stateful firewall and is fine in most
> cases.  However, a very wise person once said that the ideal setup is
> to layer more than one implementation of packet filter and firewall
> between the wild and a host/network you wish to protect.  Ideally
> implementations on diverse platforms.
> 
>    One example for consideration is a cisco packet filter (acls) that may
> allow fragmented packets to traverse its filters, but once passed on
> to an iptables ruleset might get discarded because iptables was
> written separately from cisco's implementation and happens to catch
> this case and a few other cases that were missed.  Make your network
> an onion if you can engineer a method to easily manage your rules.
> 
>    That said, I use only iptables to filter my home network and either it
> is doing a great job or nobody is interested in attacking my host
> (likely both).  For me, it does the job as nothing is revenue
> generating for myself or others -- it's important, but not critical.
> If I had a client that wanted to sell stuff on the web and handling
> ccard ordering of a product, as well as all their corporate email,
> then I would be more thoughtful of additional measures to protect the
> network.  In my work environment every so often developers or others
> turn off our iptables rulesets without telling us, as it is easy (one
> little command).  In such cases the cisco packet filter will offer
> some protection and disabling such filters is more work than our
> developers care to struggle against.
> 
>    Iptables/ipf and any other stateful firewall that attempts to be a
> modern contender in the firewalling ring is likely 'good enough'.  My
> point is that while I like iptables, it and every other filter out
> there will fall subject to some method of circumvention/exploitation
> at some point, and that how much effort you put into hardening your
> network is up to you.  Your question almost seems to be "is iptables
> developed enough to compete with commercial solutions", to which I
> would say "yes, if the person deploying the rules is experienced
> enough to write a solid set of rules".  If I was you, I would be
> satisfied with iptables and the hardware you have selected -- but I am
> not you, and this decision is not mine to make.  No matter where you
> set the bar there will still be more secure solutions.  "secure
> enough" is all a state of paranoia and budget.  :)
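The three posters agree on the same per-host baseline: a default-deny iptables ruleset on each server that accepts only the ports the box actually serves, checked regularly, because the whole ruleset can vanish with one `iptables -F` from a developer. The script below is an added example and is not from any message in this thread or from the Debian project. It audits an `iptables-save` dump the way a nightly cron job like Steven's could, and reports when the policy is no longer DROP, when the stateful rule is gone, or when a port outside the allowlist has been opened. The allowlists, the host role (web, mail, DNS, ssh) and the three sample dumps are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the list thread): audit an iptables-save dump of a
# single exposed host that should only serve web, mail, DNS and admin ssh.
# Assumptions (mine, not the posters'): INPUT/FORWARD policy is DROP and the
# two allowlists below are what the administrator intended for this host.

ALLOWED_TCP="22 25 53 80 443"
ALLOWED_UDP="53"

# Constructed sample: a healthy ruleset, in the format iptables-save prints.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Constructed sample: the same host after someone flushed the rules and reset
# the policies (the "one little command" problem described in the thread).
FLUSHED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: policy intact, but a database port was opened to the world.
DRIFT_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT'

# policy_of DUMP CHAIN: print the default policy of CHAIN (e.g. DROP).
policy_of() {
    printf '%s\n' "$1" | awk -v chain=":$2" '$1 == chain { print $2 }'
}

# open_ports DUMP PROTO: print every --dport that INPUT accepts for PROTO.
open_ports() {
    printf '%s\n' "$1" | awk -v proto="$2" '
        $1 == "-A" && $2 == "INPUT" && $3 == "-p" && $4 == proto && $NF == "ACCEPT" {
            for (i = 5; i < NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# unexpected_ports DUMP PROTO ALLOWLIST: print accepted ports not in ALLOWLIST.
unexpected_ports() {
    for p in $(open_ports "$1" "$2"); do
        case " $3 " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# audit_dump DUMP: print findings; return 0 when clean, 1 otherwise.
audit_dump() {
    dump=$1
    rc=0
    for chain in INPUT FORWARD; do
        [ "$(policy_of "$dump" "$chain")" = "DROP" ] ||
            { echo "FAIL: $chain policy is not DROP"; rc=1; }
    done
    case "$dump" in
        *"--state ESTABLISHED,RELATED -j ACCEPT"*) ;;
        *) echo "FAIL: no stateful ESTABLISHED,RELATED accept rule"; rc=1 ;;
    esac
    case "$dump" in
        *"-A INPUT -f -j DROP"*) ;;
        *) echo "WARN: fragments are not explicitly dropped" ;;
    esac
    for p in $(unexpected_ports "$dump" tcp "$ALLOWED_TCP"); do
        echo "FAIL: tcp/$p is open but not in the allowlist"; rc=1
    done
    for p in $(unexpected_ports "$dump" udp "$ALLOWED_UDP"); do
        echo "FAIL: udp/$p is open but not in the allowlist"; rc=1
    done
    return $rc
}

# Stand-alone run over the three constructed dumps. On a real host the cron
# job would pass "$(iptables-save)" instead and mail the output.
echo "== GOOD_DUMP ==";    audit_dump "$GOOD_DUMP" && echo "clean"
echo "== FLUSHED_DUMP =="; audit_dump "$FLUSHED_DUMP" && echo "clean"
echo "== DRIFT_DUMP ==";   audit_dump "$DRIFT_DUMP" && echo "clean"
```

The check is deliberately independent of the firewall itself: it reads the saved state rather than trusting that the boot-time script ran, which is exactly the case where a flushed ruleset otherwise goes unnoticed until something else fails. Ian's point about a second, differently written filter in front of the host stands; this only makes the first layer's drift visible.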

