Milos Prudek wrote:
> 
> Where can I learn about what ports I can safely open? Right now I have
> the following: AOL messenger, ICQ, SMTP, POP3, HTTP, SSL, DNS. I would
> like to open Napster. I'd like to know if there are any security
> issues...

Opening ports is like opening gates to a stadium. The more gates
you open, the more chances of someone getting in that you
don't want. You can put guards at the gates (firewalls) to
increase security but there is still more risk than not
opening the gate at all. You also must keep track of how
well the guards are doing their jobs by keeping track of
bug fixes, configuration best practices, and keeping up
with ways hostile persons try to circumvent the gate
protections.

That said, it's obvious that you want customers at your
stadium. So it's a tradeoff between strong security
(nobody gets in without vaulting an "impenetrable"
fence), or no security (everyone gets free access).

"Safe" and "secure" are relative terms. There isn't an 
easy answer to your question. There are "best practices"
for configuring individual services. Some folks will
tell you not to run ICQ because it's "insecure".
In reality, it may have more risk associated with it
than, say, http but it's relative. I'd bet far more
critical break-ins have occurred through web servers than
through ICQ services. Same applies for the Windows
bashers. Unix systems have been broken into for far
longer than Windows machines and it's not slowing down.
For those who think open source is the solution, we
still have new bugs in Linux.

It boils down to risks caused by complexity, administration,
and desired functionality and trying to decrease (not eliminate!)
that risk by reducing one of those three factors through
decreased access, increased administration, and/or decreased
functionality.

What you'll need to do is check for all the security alerts
for the services you want to run at CERT and similar
places. Then carefully read the manual on the service
you want to use and make sure you understand all the
security issues. You can't really do this unless you
understand how the service works and its relationship
with the underlying operating system.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
