Re: My machine was hacked - possibly via sshd? - fw
On Mon, 28 Mar 2005, Noah Meyerhans wrote:
yup .. :-)
> It should be noted that it is entirely possible, even on today's
> internet, to run a large network completely exposed to the internet. It
> always makes me sad when I hear people talking as though you simply
> *must* have a firewall, or else you're endangering yourself, your users,
> and the internet community as a whole.
i think it separates the "i think i can protect the machines without
firewalls" from those that depend on the firewall to protect them
i'm one of those that assume the firewall is not present anywhere,
and i like to see how they react and would protect their data or machine
or other peoples machines/data from being attacked
i assume all machines are sleepers with crackers and trojans
and worst case data attacks being the equivalent of "rm -rf /"
then work out a "computer and data security policy" and a "to do list"
for the time/budget allotted by the paying customers or home users
- not everything can be done in all cases ... pick and choose
what they want done ... right or wrong?? .. but cover your
butt by explaining telnet/ftp/pop3 is the worst of the bunch
> You can run with "default allow" policy, and do it safely.
or deny everything ... and allow what you explicitly allow
> Firewalls cause two major problems. First of
> all, they lead to a false sense of security.
more importantly ...
is it a commercial firewall like say pix, checkpoint ??
or is it a iptables on a generic debian/redhat box with all the
known exploitable vulnerabilities that may or may not have been patched
- an iptables with debian is not much different than
attacking debian with apache ... or debian with exim ..
or any other "application"
- the firewall should be 10x harder to break into it
than your mail server or web server or dns server or
home server or special function servers
> They create a "soft
> underbelly" with a hard shell. If you can get through the shell, who
> knows what kind of weak trust relationships, unpatched security
> vulnerabilities, and insecure protocols you're going to find.
disappointingly, it's very very very common to see there is zero security
behind the firewall ... and that the firewall is just a generic box
and usually not patched
> Second,
> it is a royal PITA for users who find that their applications don't work
> due to strict firewall policies.
that will always be a problem ...
even if a firewall is not there to interfere, a hardened server and
network can still prevent some work from being done the "simple way"
> These users, or the developers of
> their software, invariably will find some way to get their traffic
> through.
very common too ... and worse to allow that work to be uploaded
from the insecure "home" once a month but the vpn is on 24x7
> Witness all the stuff that gets tunneled over HTTP or ssh
> these days.
i disallow all that ... if it's my nickel and i have to fix it
at 3am while the culprits get to go on vacation and sleep etc
while we have to clean up after a minor/big incident
> Traffic will flow around your firewall, one way or another.
yup.. always does ...
> Secure hosts, services, and authentication mechanisms, as well as sound
> policies, can make an open network at least as secure as one that is
> tightly firewalled.
don't forget backups ....
and the good part ... even if one machine is cracked, it's probably
an isolated island and self contained, whereas a cracked firewall
will usually have open access to anything and everything including
other peoples network that they can access bypassing their firewalls
c ya
alvin
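The "default allow" versus "deny everything and allow what you explicitly allow" policies argued over above, written out as iptables rule generators. This is an added example, not code from either poster; it prints the rules as a dry run and only applies them when APPLY=1 is set (which needs root and iptables on the box).

```shell
#!/bin/sh
# Added example: emits iptables INPUT rules for the two policies discussed.
# By default the functions only print the commands; nothing is applied.

# Weak setting: default ACCEPT, then block a short list of "known bad" ports.
# Anything not on the list (a forgotten daemon, a new service) stays reachable.
default_allow_rules() {
    echo "iptables -P INPUT ACCEPT"
    for p in 23 21 110; do          # telnet, ftp, pop3: the cleartext trio
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
}

# Corrected setting: policy DROP, then explicit allows only.
# Usage: default_deny_rules <tcp port> [<tcp port> ...]   e.g. 22 80
default_deny_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # replies to connections this host opened, and related ICMP
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # log what the policy is about to drop so the 3am cleanup has evidence
    echo "iptables -A INPUT -j LOG --log-prefix 'fw-drop: '"
}

# Dry-run by default; APPLY=1 pipes the generated commands into sh.
run_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        default_deny_rules "$@" | sh
    else
        default_deny_rules "$@"
    fi
}
```

Run `sh script.sh` with `run_rules 22` at the bottom to see the ruleset; a non-numeric port aborts before anything is emitted for it.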