[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: being hacked? - hatches/hardening

hi ya jens

On Wed, 4 Feb 2004, Jens Simmoleit wrote:

> The best thing to tighten up your network is a firewall........... try this
> one I use it here for customers. It's free it's (not really :-) fun and it's
> reliable, never had any trouble with it. Easy to maintain, just
> great........... works with ip tables

yes and no ... 

i think that most people do not treat a fw any differently than a dns,
web, mail, insecure box

what is the difference between each server ??
	dns ------ runs [chroot] bind
	mail ----- runs your mta ( sendmail, exim, qmail, .. )
	pop ------ runs secure in.popd
	web ------ runs apache
	firewall - runs iptables

	same os, same gcc, same xxx apps, same yyy libs, ....

all other apps and exploits and vulnerabilities are the same with
or without the firewall .. 
	biggest problems will be allowing wireless, using dhcp,
	untested bare-metal backups, allowing vpn from insecure home
	networks in secure corp data lan, ...

	what good is the firewall ??? it allows the cracker in
	from the cracked home pc or sniffed wireless traffic

the "computer/resources security policy" is 10x more important than a
firewall ??

my stance is ... "assume they have root access" .. now protect what you
want to protect in that supposedly secure network that they not
supposed to be watching/sniffing/cracking into

weigh all that against the costs of loss of data ... or loss
or productivity or people not being able to work for 2-3 days
while forensics is being done
	- i know a few corps that shutdown during the cleanup
	( firewall didnt help them

fun stuff .... :-)

Reply to: