
Re: my isp is being told *i* am broadcasting spam?



begin  Noah Meyerhans quotation:
> 
> You would firewall an ISP's network???  I would switch providers
> immediately if my ISP ever did such a thing.

No, I would firewall the internal servers off from both the outside
world and the customers, opening only the ports each needed to access.

You're thinking this means putting a firewall between the modems and
world.

> As I've said previously today, I am responsible for the security of a
> high-profile network (i.e. constantly being scanned and/or actively
> attacked) with hundreds of users and *no firewall*.

And I am responsible for the security of a segment of FedEx's network.
It doesn't get much more high-profile than that.  I don't have hundreds
of users; I have hundreds of SERVERS.  The security of these boxes
affects not only 200,000 FedEx employees, but millions of customers,
including all FedEx invoices.  Now, can we stop comparing dicks, and go
back to the argument? :-)

BTW, I'm not by any means suggesting the firewall relieves any
responsibility for internal security.  The biggest problem we have is
exactly the one you've suggested; some segment of the network that is
controlled by another team leaves something open that they shouldn't, a
customer-facing box gets infected with something, and that starts
pounding servers.  Sometimes it affects servers I don't control, but
that my servers rely on, and thus I get angry "what are you going to do
about this" questions from management that I have to answer with "I'm
going to go to lunch, and update you when they update me."

Nine times out of ten, it's the Windows people.  I will not give
specific examples, but let's just say the color "red" and the letter "N"
have been involved.  :-)

However, the firewall does allow us to do things that are absolutely
necessary on a network this large, and containing this many
mission-critical legacy systems: use insecure protocols without exposing
them to the network, and without the people who control the
internet-facing routers being in the loop for every software
installation on every box in the entire network.  We're too large for
everything to be coordinated at that level.

Our having a firewall helps you too; if some idiot were to,
hypothetically, allow his servers to become infected with Code Red, our
firewall would hypothetically keep his box from being able to scan the
Internet for new hosts to infect, thereby causing that traffic to,
instead of overloading other networks, overload our own.
Hypothetically.  :-)

Also, when you hear the word "firewall", you may be assuming that means
a separate server that is called "the firewall".  Remember that using
ipchains or iptables to secure a specific server is implementing a
firewall on that server.  The very act of securing your specific UNIX
systems quite likely involves implementing dozens of firewalls.  When
somebody sets their routers to block outbound martian packets to prevent
IP spoofing, they're implementing a firewall.

When you, as you said, block specific ports, that's a firewall with a
default "allow" policy.

We have lots of firewalls, blocking lots of things from lots of other
things.  I wish we had more, blocking more things, but I am a
medium-sized fish in a damn huge pond.


On-topic:  a firewall is a useful component of securing a Debian box, or
a Debian-based network.  A box running Debian can be used to build a
particularly effective firewall.  To say that a firewall isn't useful
because it doesn't prevent EVERYTHING, is the same as saying that
keeping your root password a secret isn't useful because it doesn't
prevent EVERYTHING, or that seatbelts are useless because you can still
die in a car accident.  Firewalls are useful.  For the uninitiated, they
are necessary, even if only a per-box firewall, simply because you may
not know HOW to secure every port on your box, and a default-deny
firewall puts you in a less insecure position, requiring deliberate
action to become less secure, as opposed to deliberate action to become
more secure.


-- 
Shawn McMahon                    | McMahon's Laws of Linux support:
http://www.eiv.com               | 1) There's more than one way to do it
AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong
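The per-box, default-deny firewall the post argues for (default DROP on every chain, only the ports the box actually needs opened, martian filtering, and egress filtering so an infected host cannot scan the Internet), written out as an added example. This is editor-supplied code, not something from the original post or from FedEx; the port numbers, the admin network, the resolver addresses and the choice of what counts as a martian are assumptions chosen for illustration (the address ranges are RFC 5737 documentation space). It emits an iptables-restore ruleset rather than calling iptables rule by rule, so the whole policy can be reviewed, tested and loaded atomically.

```shell
#!/bin/sh
# Added example (not from the original post): a per-box, default-deny
# iptables ruleset in iptables-restore format.  Run with no arguments to
# print the ruleset; run as root with "apply" to load it.  Every value
# below is an assumption for illustration.

SSH_PORT="${SSH_PORT:-22}"                   # assumed: management access
SERVICE_PORTS="${SERVICE_PORTS:-80 443}"     # assumed: what this box serves
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"       # assumed: where admins log in from
RESOLVERS="${RESOLVERS:-198.51.100.53}"      # assumed: the only DNS server(s) allowed

# Addresses that must never appear as a source on the wire or as a
# destination leaving this box.  RFC 1918 space is martian on an
# Internet-facing host but legitimate on an internal network like the one
# described in the post, so blocking it is opt-in (BLOCK_PRIVATE=1).
MARTIANS="0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4"
if [ "${BLOCK_PRIVATE:-0}" = 1 ]; then
    MARTIANS="$MARTIANS 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
fi

gen_ruleset() {
    # Default policy is DROP on every chain: becoming less secure requires
    # a deliberate ACCEPT rule, which is the point the post makes.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'

    # Loopback, replies to connections we already accepted, and nothing
    # the connection tracker considers malformed.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'

    # Anti-spoofing: a martian source on a real interface is dropped, and
    # this box is never allowed to send to a martian destination either.
    for net in $MARTIANS; do
        printf '%s\n' "-A INPUT ! -i lo -s $net -j DROP"
        printf '%s\n' "-A OUTPUT ! -o lo -d $net -j DROP"
    done

    # Inbound: only the services this box provides, plus SSH from the
    # admin network and rate-limited ping for monitoring.
    for p in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'

    # Egress: new connections only to the resolvers.  A worm on this box
    # (the post's Code Red case) cannot open port 80 on arbitrary hosts.
    for r in $RESOLVERS; do
        printf '%s\n' "-A OUTPUT -p udp -d $r --dport 53 -j ACCEPT"
        printf '%s\n' "-A OUTPUT -p tcp -d $r --dport 53 -j ACCEPT"
    done

    # Log what falls through to the default policy, rate-limited so a
    # scan cannot fill the disk.
    printf '%s\n' '-A INPUT -m limit --limit 10/min -j LOG --log-prefix "fw-in-drop: "'
    printf '%s\n' '-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "fw-out-drop: "'
    printf '%s\n' 'COMMIT'
}

# Helpers for inspecting the generated policy without loading it.
count_rules() { gen_ruleset | grep -c '^-A '; }
has_rule() { gen_ruleset | grep -qF -- "$1"; }

case "${1:-print}" in
    print) gen_ruleset ;;
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        # Parse the whole ruleset first; only load it if it is valid, so a
        # typo cannot leave the box half-configured.
        gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
        ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the policy before loading it; `apply` uses `iptables-restore --test` to parse the ruleset and only then commits it, so the chains switch from the old policy to the new one in one step rather than rule by rule. Because OUTPUT defaults to DROP, anything the box legitimately needs to reach (package mirrors, NTP, a log host) has to be added as an explicit egress rule; the post's argument is that this is the right direction for the mistake to be in.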
