
Re: secure installation

On Thu, August 16, 2007 16:56, Russ Allbery wrote:
> "R. W. Rodolico" <rod@dailydata.net> writes:
>> For workstations, I tend to use Kubuntu. On that, yes, I want a
>> firewall, and since I recommend it to anyone who asks (and even have my
>> sales staff using it), a default firewall is a Good Thing.
> The part that concerns me about installing a firewall by default is that
> people seem to put irrational trust in a firewall and use it as an excuse
> to not address other security issues.  The *best* thing to do is to
> design secure services that either don't randomly listen to the network or
> that deal with network traffic in a secure fashion, and I'd really like to
> maintain Debian's emphasis there.  Installing a firewall, which often
> does little or nothing, strikes me as cargo cult security, and cargo cult
> security can be worse than useless.
> A well-designed and reviewed set of iptables rules provides additional
> defense in depth and we do deploy iptables on all of our servers and manage
> those rules as part of their Puppet model, but it's not something that you
> can tell an average user to just apt-get install and have work in a way
> that offers any real security, IMO.

At this point, I disagree. Unfortunately, I have to point to some of the
user oriented firewalls you get for windoze (which, to my knowledge, Linux
does not have). When they are installed, they shut down basically
everything incoming, and all but a few standard outgoing ports (http,
smtp, pop and imap). When an application tries to go out of another port,
a pop-up informs the user and they can choose to accept or reject,
with a "forever" modifier on both, and the firewall changes its rules.

For un-informed users, this is a good thing. It is by no means perfect,
but it is just one more level between the un-informed user and the big bad
world that is the 'net.

But, even without the interaction of some of the Windows firewalls, just
installing one of the firewall builders available on the workstation
distros at least gives them some protection.

> --
> Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

R. W. "Rod" Rodolico
Daily Data, Inc.
POB 140465
Dallas  TX  75214-0465

This is a private e-mail address for use only by clients of Daily Data.
Please do not forward or give out this e-mail address to anyone.
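As an added example, not code from the original post and not anything Debian or Kubuntu ship, here is the policy the reply describes (drop everything incoming, allow only a handful of outgoing ports, treat the rest as suspect) written as an iptables ruleset a workstation could load with iptables-restore. The port numbers for http, smtp, pop and imap are the standard 80, 25, 110 and 143; allowing outbound DNS, the conntrack rules that let replies back in, and the LOG rule are my assumptions, and the LOG rule is the closest plain iptables gets to the interactive pop-up of the Windows tools (it records the attempt instead of asking). The script only prints the ruleset unless told to apply it, and refuses to print anything at all if a port in the list is malformed, so a typo cannot load a half-written table.

```shell
#!/bin/sh
# Default-deny workstation ruleset emitted in iptables-restore format.
# Inbound:  drop everything except loopback and replies to our own connections.
# Outbound: allow only the listed TCP ports (http 80, smtp 25, pop3 110,
#           imap 143 as in the post) plus UDP 53 for DNS, which is an added
#           assumption because nothing else works without it. Any other new
#           outbound connection is logged (rate limited) and then dropped by
#           the chain policy; the log line stands in for the per-application
#           pop-up described in the post.

OUT_TCP_PORTS="${OUT_TCP_PORTS:-80 25 110 143}"

# valid_port PORT: true only for an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules "PORT PORT ...": print the complete ruleset on stdout, or fail
# without printing anything if any port is malformed.
gen_rules() {
    ports="$1"
    for p in $ports; do
        valid_port "$p" || { echo "gen_rules: bad port '$p'" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
EOF
    for p in $ports; do
        printf -- '-A OUTPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    cat <<'EOF'
-A OUTPUT -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "fw-out-denied: "
COMMIT
EOF
}

# Usage: sh fw.sh        -> print the ruleset for review
#        sh fw.sh apply  -> load it atomically (needs root and iptables)
main() {
    if [ "$1" = "apply" ]; then
        gen_rules "$OUT_TCP_PORTS" | iptables-restore
    else
        gen_rules "$OUT_TCP_PORTS"
    fi
}

main "$@"
```

Read the printed ruleset before applying it: with an OUTPUT policy of DROP, a port left off the list simply stops that client working, and on a remote box a mistake in the INPUT rules locks you out, so keep a console session open the first time. To see what the workstation is trying to reach that the policy does not allow, watch the kernel log for the "fw-out-denied:" prefix; that is the place to decide whether a port belongs on OUT_TCP_PORTS, which is the manual equivalent of the pop-up's "accept forever".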
