Jay Nugent wrote:
> 
> Greetings,
> 
> On Wed, 12 Sep 2001, JW wrote:
<SNIP for brevity> 
>
>    No flame from me.  I don't like firewalls either.  They block ONLY
> those ports that you're not running servers on.  But if I'm already NOT
> running services on those ports, what's the point?

If you are dealing with any seriously valuable data (CAD design models,
proprietary software code, etc.), you close all your ports with a firewall
and allow *only* the necessary IPs access to your system, one port at a
time.  And whenever possible use encrypted connections, or at least
encryption software on the data before transmittal.
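The "close everything, then open one port for one address at a time" policy above, written out as an added example (not code from the original thread).  The script emits an iptables-restore ruleset with a default DROP policy on INPUT, one ACCEPT per (source IP, TCP port) pair from an allowlist, and a LOG rule before the final DROP so the later "watch your logs" advice has something to watch.  The addresses are constructed RFC 5737 documentation addresses; the allowlist format and the helper functions are this example's own assumptions, and the generated text is only printed, not loaded, so it runs without root.

```shell
#!/bin/sh
# Added example: build a default-deny iptables ruleset from an allowlist.
# Allowlist format (assumed for this example): "<source-ip> <tcp-port>", one pair per line.
# Addresses below are constructed documentation addresses (RFC 5737), not real hosts.

ALLOWLIST='192.0.2.10 22
192.0.2.20 443
198.51.100.5 22'

build_ruleset() {
    # $1 = allowlist text. Prints an iptables-restore script on stdout.
    # Default policy: drop everything inbound and forwarded; loopback and
    # replies to connections we opened ourselves are allowed.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

    # One explicit ACCEPT per (source, port) pair: the "one port at a time" rule.
    printf '%s\n' "$1" | while read -r ip port; do
        [ -n "$ip" ] && [ -n "$port" ] || continue
        printf '%s\n' "-A INPUT -p tcp -s $ip --dport $port -m state --state NEW -j ACCEPT"
    done

    # Log what falls through, then drop it explicitly (the chain policy
    # would drop it anyway; the explicit rule keeps a counter and a log line).
    printf '%s\n' '-A INPUT -j LOG --log-prefix "FW-DROP: " --log-level 4' \
        '-A INPUT -j DROP' \
        'COMMIT'
}

count_accept_rules() {
    # Number of per-port ACCEPT rules generated from the allowlist.
    build_ruleset "$1" | grep -c -- '--dport'
}

has_default_deny() {
    # "yes" if the INPUT chain policy is DROP, "no" otherwise.
    if build_ruleset "$1" | grep -q '^:INPUT DROP'; then echo yes; else echo no; fi
}

# Stand-alone use: print the ruleset (load with `iptables-restore < file` on a real host).
build_ruleset "$ALLOWLIST"
```

The ordering matters: the ESTABLISHED,RELATED rule sits before the per-port rules so that only the first packet of a connection has to match an allowlist entry, and the LOG rule sits last so it only records traffic nothing else accepted.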

>    Oh! This is it!  If I'm a screw-up and I accidentally run a service I
> didn't intend to, I guess I've just exposed myself, without a firewall.
> But gosh, if I screw up the config on the firewall I expose myself anyway.
> Little difference in my opinion.  Think about what you do on EVERY machine
> in your network.  Don't hide behind the FALSE SECURITY that a firewall
> might pretend to give you.  I've scanned too many friends' and customers'
> networks that have firewalls only to find they didn't configure the FW
> correctly, exposing themselves, all the while sleeping snug as a bug at
> night :-(

OK, if you are responsible for security for any business network, and
you don't know how to configure the software being used to protect said
network, find a job at Home Depot and quit before you do serious
damage.  Not directed at you Jay, but anyone who is responsible for
security, is responsible to properly apply the tools in the correct
manner.

>    NMAP SCAN your entire network regularly.  Watch your logs constantly.
> Read Bugtraq, redhat-security, etc.

Exactly, but also use every available tool you have to secure the
network.  What good is scanning your own machines to find open
ports/services if you aren't going to restrict access?  You are not
doing anyone (including the original poster) any favors by telling them
that firewalls are useless, just as saying that it's all you need would
be a disservice as well.
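Both sides of this exchange agree on "watch your logs"; the disagreement is whether a firewall adds anything.  One thing it adds is a log line for every rejected packet, which is what makes the watching productive.  The added example below (not code from the thread) summarizes constructed kernel log lines of the kind an iptables LOG rule with prefix "FW-DROP: " produces, counting drops and distinct destination ports per source address, and lists the sources that touched many different ports, which is the pattern a scan of your own network leaves behind.  The log lines, the "FW-DROP: " prefix and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarize firewall drop log lines by source address.
# The log text below is constructed for this example; addresses are RFC 5737
# documentation addresses and the format mirrors a kernel iptables LOG entry.

LOGS='Sep 12 20:01:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TTL=54 PROTO=TCP SPT=4321 DPT=22 SYN
Sep 12 20:01:03 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TTL=54 PROTO=TCP SPT=4322 DPT=23 SYN
Sep 12 20:01:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TTL=54 PROTO=TCP SPT=4323 DPT=80 SYN
Sep 12 20:01:04 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TTL=54 PROTO=TCP SPT=4324 DPT=443 SYN
Sep 12 20:01:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=60 TTL=54 PROTO=TCP SPT=4325 DPT=8080 SYN
Sep 12 20:02:10 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=60 TTL=61 PROTO=TCP SPT=33001 DPT=25 SYN
Sep 12 20:02:41 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=60 TTL=61 PROTO=TCP SPT=33002 DPT=25 SYN
Sep 12 20:03:00 gw kernel: eth0: link is up'

summarize_drops() {
    # $1 = log text. Prints "<src> <drops> <distinct-dst-ports>" per source,
    # sorted by source address. Lines without the FW-DROP prefix are ignored.
    printf '%s\n' "$1" | awk '
        /FW-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            drops[src]++
            key = src SUBSEP dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END { for (s in drops) print s, drops[s], ports[s] }' | sort
}

noisy_sources() {
    # $1 = log text, $2 = threshold. Prints sources that hit at least $2
    # distinct destination ports: a single host probing many ports.
    summarize_drops "$1" | awk -v t="$2" '$3 >= t { print $1 }'
}

# Stand-alone use: show the per-source summary, then the scan-like sources.
summarize_drops "$LOGS"
echo "--- sources touching 3+ distinct ports:"
noisy_sources "$LOGS" 3
```

Repeated drops to a single port from one source (198.51.100.9 above) usually mean a misconfigured client or a forgotten allowlist entry; one source spraying many ports is the thing worth following up, and without the LOG rule neither shows up anywhere.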

There are plenty of resources to help you secure and restrict access to
your systems on the web (i.e.: the SxS) and plenty of good books written
by some folks whose names you'd recognize.

>       --- Jay
> 
> P.S.  I *LIVE* as root on my systems as well.  Know what's gonna happen
> BEFORE you hit enter.  No better way to condition yourself to PAY
> ATTENTION to what you're doing :-)

I'll leave this one for Skippy. :-)
-- 
Linux SxS [http://hal.humberc.on.ca/~mrcn0031/sxs/]
_______________________________________________
http://linux.nf -- [EMAIL PROTECTED]
Archives, Subscribe, Unsubscribe, Digest, Etc 
->http://linux.nf/mailman/listinfo/linux-users
