
Re: is iptables enough?



   Definitely true, and worth mentioning.  There is also the point that
several of the punier devices that one might thrust into the horde of
angry packets might have crummy stacks or be vulnerable to the silliest of
things (especially in the case of consumer grade equipment).  If the
hardware is already there (cpe with filtering capabilities, routers, etc)
then I'd advise people to consider the pros of security vs cons of
managing it.  Deciding between a spof (router/cpe and likely a couple
ethernet cables) and a firewall that is more disrespectful to unwanted
packets is a tough call for me in the workplace.  If the router/cpe can
take a beating then I might live with it and sleep a little better at
night -- though such decisions take testing and careful consideration.

   I'm too paranoid to say on this list before the masses that "iptables
is enough" in the workplace.  For others it may be enough, and that is
fine.  There is a bigger picture to be seen for those who care, and my
apologies if my response is steering this discussion further off topic
than the original poster was seeking.  I don't intend to suggest that
iptables is inferior, or that if you use iptables as your only means of
filtering you suck.

   I'll make an effort to be more on-topic in the future.  A few things
touched a nerve and I probably should have just clammed up and rolled with
them.  Something being "good enough" just grabbed me and squeezed in the
wrong places.  :)

-ian

On Thu, 20 Mar 2003, Keegan Quinn wrote:

> On Wednesday 19 March 2003 01:07 pm, Ian Garrison wrote:
> >    Imo iptables is a reasonably good stateful firewall and is fine in most
> > cases.  However, a very wise person once said that the ideal setup is to
> > layer more than one implementation of packet filter and firewall between
> > the wild and a host/network you wish to protect.  Ideally implementations
> > on diverse platforms.
>
> Just remember, that when you do this, you are introducing an additional point
> of failure for each device in the chain.  Some people like to keep these at a
> minimum, especially in the 'revenue-generating' environments you describe.
>
>  - Keegan
>