Re: being hacked? - hatches/hardening
hi ya jens
On Wed, 4 Feb 2004, Jens Simmoleit wrote:
> The best thing to tighten up your network is a firewall........... try this
> one, I use it here for customers. It's free, it's (not really :-) fun and it's
> reliable; never had any trouble with it. Easy to maintain, just
> great........... works with iptables
yes and no ...
i think that most people do not treat a fw any differently than a dns,
web, mail, or other insecure box
what is the difference between each server ?
dns ------ runs [chroot] bind
mail ----- runs your mta ( sendmail, exim, qmail, .. )
pop ------ runs secure in.popd
web ------ runs apache
firewall - runs iptables
same os, same gcc, same xxx apps, same yyy libs, ....
all other apps and exploits and vulnerabilities are the same with
or without the firewall ..
biggest problems will be allowing wireless, using dhcp,
untested bare-metal backups, allowing vpn from insecure home
networks in secure corp data lan, ...
what good is the firewall ??? it allows the cracker in
from the cracked home pc or sniffed wireless traffic
the "computer/resources security policy" is 10x more important than a
my stance is ... "assume they have root access" .. now protect what you
want to protect in that supposedly secure network that they are not
supposed to be watching/sniffing/cracking into
weigh all that against the costs of loss of data ... or loss
of productivity, or people not being able to work for 2-3 days
while forensics is being done
- i know a few corps that shut down during the cleanup
( the firewall didn't help them )
fun stuff .... :-)
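One concrete way to act on the "assume they have root access" stance for the VPN case the reply raises (a cracked home PC coming in over VPN) is to treat the VPN pool as untrusted and forward it only to the named services it needs, instead of to the whole corp LAN. The script below is an added example, not code from the original thread or from any product mentioned in it; the interface name tun0, the address ranges 10.8.0.0/24 (VPN pool) and 10.0.0.0/24 (corp LAN), and the mail and DNS host addresses are assumed placeholders. By default it prints the iptables commands as a dry run; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original thread): VPN clients are assumed
# compromised, so the FORWARD chain lets them reach only specific services.
# Assumed names: tun0 = VPN interface, 10.8.0.0/24 = VPN client pool,
# 10.0.0.0/24 = corp LAN, 10.0.0.10 = mail host, 10.0.0.53 = DNS host.
# IPT defaults to a dry run that echoes the commands; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

vpn_rules() {
    vpn_if=tun0
    vpn_net=10.8.0.0/24
    lan_net=10.0.0.0/24
    mail_host=10.0.0.10
    dns_host=10.0.0.53

    # Default: nothing is forwarded between segments unless listed below.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies belonging to connections that were already allowed.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets on the VPN interface that do not carry a VPN-pool source
    # address are spoofed; drop them before any accept rule can match.
    $IPT -A FORWARD -i "$vpn_if" ! -s "$vpn_net" -j DROP

    # VPN clients get mail submission / IMAPS on the mail host ...
    $IPT -A FORWARD -i "$vpn_if" -s "$vpn_net" -d "$mail_host" \
        -p tcp -m multiport --dports 587,993 -m state --state NEW -j ACCEPT
    # ... and DNS on the resolver, nothing else on the LAN.
    $IPT -A FORWARD -i "$vpn_if" -s "$vpn_net" -d "$dns_host" \
        -p udp --dport 53 -j ACCEPT

    # Anything else from the VPN toward the LAN is logged so the attempt
    # from a cracked home PC shows up in the logs, then dropped.
    $IPT -A FORWARD -i "$vpn_if" -d "$lan_net" -j LOG --log-prefix "vpn-denied: "
    $IPT -A FORWARD -i "$vpn_if" -j DROP
}

vpn_rules
```

The point of the layout is that the LAN never appears as a destination in an ACCEPT rule: a client that has been rooted at home can still only talk to the two services its user legitimately needs, and every other probe leaves a "vpn-denied:" line for whoever does the forensics later.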