recall any serious problems having been found in it since
version 3.4 was released in Sept of 2002. It's still better than
relying on telnet, or other unencrypted communications for remote
management.
Steve Bremer
NEBCO, Inc.
System Security Administrator
Bastille Linux (http://www.bastille-linux.org/) and Immunix
(http://www.immunix.org/) definitely fit the bill. I've worked with
both and have been quite pleased with their overall security.
Let's not forget about one of my favorites: Openwall/*/GNU Linux.
www.openwall.com
Steve Bremer
bothered me. Almost every other feature of BIND can be performed with
other common tools (e.g. rsync over ssh for zone transfers, custom
scripts for dns-dhcp updates, etc.)
Steve Bremer
NEBCO, Inc.
System Security Administrator
on
the list.
Here is a small list:
http://www.secunia.com/advisories/9114/
http://www.secunia.com/advisories/8841/
http://www.secunia.com/advisories/8742/
Some of these require interaction with IE or OE to work properly.
Cheers!
Steve Bremer
NEBCO, Inc.
System Security Administrator
Although its track record has improved, I still think BIND has a place
in there somewhere. It may not be quite top 10 though (still in the
SANS top 20).
Another candidate would be the r services (rsh, rlogin, rcp, etc.)
WU-FTP.
Steve Bremer
NEBCO, Inc.
System Security Administrator
There is probably a Linux based firewall in front of an IIS 5.0 web
server.
Steve Bremer
NEBCO, Inc.
System Security Administrator
?
Steve Bremer
NEBCO, Inc.
System Security Administrator
you monitor your own hosts for
unusual behavior.
The IDS needs to be on every critical network segment at the least.
Agreed.
Anyways that's just my opinion and I have done a lot of security work
and high availability designs.
Thanks for your input, I appreciate it.
Steve Bremer
NEBCO
where
using a combination like Cisco PIX + MS ISA or even Linux + MS
ISA would require a broader skill set to administer properly than two
versions of *nix.
Steve Bremer
NEBCO, Inc.
System Security Administrator
are used for each, the
chance of both being compromised has been significantly reduced.
However, a poorly implemented filtering policy applied to both
firewalls could still allow unwanted traffic *through* them.
Steve Bremer
NEBCO, Inc.
System Security Administrator
).
What do you think? Am I overly paranoid?
Steve Bremer
NEBCO, Inc.
System Security Administrator
on the web server itself, but if it is a root
compromise, the cracker can disable the filtering you've set up.
Basically, you're being a nice netizen by helping to prevent
your systems from being used to attack others.
Steve Bremer
NEBCO, Inc.
to do it all over again after your experience with your
current setup.
Thanks for your input.
Steve Bremer
NEBCO, Inc.
for the suggested approach?
Look at www.tldp.org. Also, do a google search for Iptables
Tutorial. There is a good tutorial available that was written by
Oskar Andreasson.
Steve Bremer
NEBCO, Inc.
to connect to 65.56.237.226 on port
2002.
Steve Bremer
NEBCO, Inc
NIDS or HIDS as well. If
it does HIDS and NIDS then I would run it alone.
Sounds like a good learning experience to me. Just make sure to
restrict services to your internal interface unless they're needed from
the outside.
Steve Bremer
NEBCO, Inc.
. Anyone can write
a bad application for a web server that opens them to an attack.
On a properly configured system, compromising the host that the
web server is running on should be very difficult to do from a CGI
program.
Cheers!
Steve Bremer
filtering rules that would allow a
cracker unauthorized access to a host that is being protected by the
firewall. On rare occasions, there may even be a bug in the packet
filtering code itself that could create the same problem.
Steve Bremer
careful about making
such statements without backing them up with proof.
Steve Bremer
Alternatively, if
you want to map open ports to programs using them, www.foundstone.com
do a utility called fport.
Unless it's been changed in the last month, fport does NOT work on
Win 9x. It's an NT/2K/XP only program. We need to add this to a
FAQ or something :-)
Steve Bremer
printing. The process
itself is called dpmw32.
Thanks again everyone,
Steve Bremer
sure, in Linux I am more or less sure can not do that, it always
assume NAT.
That's not correct. I'm using netfilter right now as a stateful firewall
without NAT.
Steve Bremer
.
Steve Bremer
NEBCO, Inc.
only bit is set, it may cause this error. For more
information, see the man pages for lsattr and chattr.
I can't remember the command for the BSDs right now, but I'm
sure someone else can chime in with that info.
Steve Bremer
Do a search for the iptables tutorial at linuxsecurity.com.
Steve Bremer
On 30 May 2002, at 15:59, Hristo Pandjarov wrote:
I have trouble managing my IP tables. Could you please give me a site
or manual for making a complete and secure firewall?
Thanks
$me
unreasonable to expect them to
install security/hotfixes either. However, this
requirement/expectation will differ between companies and it may
not work in your situation.
Steve Bremer
stuff). Can you recommend some links regarding this ??
Do a search of the vulnerability database at securityfocus.com.
Steve
sendmail these days should be about as secure as any other mailer and it's
still pretty much the email standard.
This may be true, but sendmail's design isn't very secure.
Before sending any flames, let me explain. Sendmail runs as a
single root process that performs all actions of
on this. I much prefer using the CLI. In fact,
linuxconf is now deprecated in Red Hat. I can't say that I've shed a
single tear over its loss either. I've never used slackware, so I can't
comment on any part of it. I'm sure it's a fine distro, but I just
haven't had the time to try it yet.
Steve
, you can
try the new Apache 2.x. The initial benchmarks show that it
performs as well as IIS when running on windows. Apache 2.x is
pretty new, but I'll bet it's still far more secure than IIS.
Steve Bremer
The usual way to configure mail infrastructure in most small-to-medium
sized businesses is to have a mail gateway (sometimes known as a relay
server) in the DMZ, and your production mail server in the LAN.
I would tend to agree with Kurt on this. That way you can use
something really
I doubt it, but you missed the point. He's not talking about removing the locks
altogether but that he can live without a cipher lock. Certainly we all want to
protect our personal information as much as our personal property. And because there
are
bad guys out there who will use whatever
I see lots of people recommending Netgear NICs, but nobody has mentioned
Linksys, specifically the LNE100TX. I've had no problems whatsoever in
the 2 yrs I've been using them. (tulip driver) A quick pricewatch search
shows compuplus.com selling them for $4 right now.
I've had good luck with
Hi,
1. What's the best distribution to use, I have had quite a bit of experience
with Linux but not for the last 4/5 years so I'm a bit out of touch.
I can see the flames coming... :-) For someone who hasn't been
around Linux in awhile, I'd recommend a mainstream distro like
Red Hat, Suse
Is it vsftp that you're thinking of?
If so, do a search for it on freshmeat.net and you'll find it.
Steve
Sorry for my last post. I missed the http part of it. Perhaps you
were thinking of Dan Bernstein's publicfile? It's a minimal ftp/http
server that was designed with security being a priority just like his
other programs (qmail, djbdns, etc.).
http://cr.yp.to/publicfile.html
Steve
On 14
What did it do on your machine?
I'm running win98SE/IE6 + all updates and a gray window showed
up kinda like you get when there is a java applet and you have java
disabled.
Steve Bremer
On 5 Mar 2002, at 12:30, leon wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
http
). I do know that pf has some
nifty new features not found in IPFilter or iptables, but I haven't
looked into them in-depth yet.
Steve Bremer
security before jumping into kernel hardeners
Bastille is a good place to start, as are Lance's articles
Steve Bremer
I tried it, box that is supposed to show my hard drive was blank
The only thing it tracked was my IP, domain name, the OS, and the
browser
We're going through a proxy server though
On 28 Feb 2002 at 1:46, LS wrote:
Hi all,
I was sent the following address:
http://wwwsecurity7chvu/
grab a copy of openbsd, it is unbreakable and pf
You mean unbreakable like Oracle is unbreakable?
syntax is a lot easier than iptables
That's a matter of opinion I prefer iptables syntax to ipf and pf
Thanks everyone for your recommendations. I think I'll give Tiny
Personal Firewall a try.
Steve
On 16 Feb 2002 at 6:03, Richard Cotterell wrote:
Ref: monk [EMAIL PROTECTED]'s
message dated 14 Feb 2002, 10:01 hours.
It appears that this program is only for WinNT/2000, unless
Hi,
Can anyone recommend a program (preferably free) that
will tell you which program is listening on an open port in windoze
95/98?
I've tried inzider and it doesn't seem to detect anything even though
netstat -an shows several listening ports. I've run it several times as
the FAQ