On Tue, 2002-04-23 at 12.19, Ferry van Steen wrote:
> Hey there,
> 
Hey too,

> accepting traffic from the internet part of an existing connection (with the
> iptables -m state --state ESTABLISHED,RELATED).

Obviously you are using Netfilter's state machine features. Currently I
would expect any remaining netfilter bug most probably in the state
machine/conntrack code. We have seen some of them, for example dealing
with ftp and RELATED. If you don't need the RELATED feature for ftp, irc
etc., just don't use it; this might be the safest approach. I guess this
is impossible for you, so have a look at your kernel version: check out
the security announcements at netfilter.org. You can see that kernels
prior to 2.4.18 aren't good enough for your business.
When you get the opportunity to compile your own kernel, you should
disable any netfilter feature you don't use, maybe irc or ftp conntrack
too.
To summarize: maybe there are thousands of bugs in netfilter, but if you
carefully watch out for cleaned kernels you are almost safe, unless your
business shows enhanced security needs by threat analyses.
Basically you want to be protected against hackers from outside, working
at the weekend. If you feel unsafe up to now, you have some options: (1)
add another firewall in series with your first system, ideally not Linux -
OpenBSD with (maybe) stealth firewalling (bridging, interfaces without
IPs). In this case there is no need for re-addressing your internal nets.
(2) On the other hand, intrusion detection (might) help, but needs a lot
more expertise and paid attention, so (1) would be my first choice.
Option (3) is just another reminder: reduce or stop 'unsafe' protocols :-)
But: if you have trojan horses or evil users inside your network, you are
lost. Any experienced coder nowadays uses 'unsuspicious' protocols
(http, dns) for transmissions. A concept for content security (packet:
ids, stream: virus scanners etc.) _might_ help, but attacks designed only
for your company will succeed even in this case.


Best regards,

Sandro Littke.

-- 
[EMAIL PROTECTED]
[CIT Jena]
                                                
tel: +49-3641-36370-0   fax: -1              www.cit-jena.de 

Attachment: signature.asc
Description: This is a digitally signed message part
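Two quick checks that follow the advice in the mail above (a kernel at or above 2.4.18, and knowing which conntrack protocol helpers are actually loaded before deciding whether RELATED is needed), added here as an example script; it is not part of Sandro's mail or of the netfilter project. The ftp and irc helpers are the ones the mail names; the other helper module names the script looks for are my assumption, and the `/proc/modules` listing embedded in it is a constructed sample, not output from any real host.

```shell
#!/bin/sh
# Added example, not from the original mail. Two checks in the spirit of
# "upgrade past 2.4.18" and "disable the conntrack helpers you don't use".
# The helper name list and the /proc/modules sample are my own constructions.

# kernel_at_least RUNNING MINIMUM
# Returns 0 when RUNNING (e.g. "2.4.18-3custom") is >= MINIMUM ("2.4.18"),
# comparing the first three numeric components; any suffix is ignored.
kernel_at_least() {
    awk -v have="$1" -v min="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", have)            # strip "-3custom" and the like
        n = split(have, h, "."); m = split(min, w, ".")
        for (i = 1; i <= 3; i++) {
            a = (i <= n) ? h[i] + 0 : 0
            b = (i <= m) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# list_helpers: read /proc/modules-style text on stdin and print the names
# of protocol helper modules (2.4 "ip_" and 2.6+ "nf_" prefixes), one per
# line. The core ip_conntrack/nf_conntrack module is deliberately not
# matched: ESTABLISHED matching needs it, only the helpers are optional.
# Which protocols to list here is an assumption; ftp and irc come from the mail.
list_helpers() {
    awk '$1 ~ /^(ip|nf)_(conntrack|nat)_(ftp|irc|tftp|h323|pptp|amanda|sip|sane)$/ { print $1 }'
}

# count_helpers: number of helper modules in the text on stdin (0 if none).
count_helpers() {
    list_helpers | awk 'END { print NR }'
}

# Constructed 2.4-style /proc/modules sample (name size used-by [deps]),
# as a box with the ftp and irc helpers loaded might show it.
SAMPLE_MODULES='ip_nat_ftp 3200 0 (unused)
ip_conntrack_ftp 4208 1 [ip_nat_ftp]
ip_conntrack_irc 3072 0 (unused)
ip_conntrack 26624 3 [ip_nat_ftp ip_conntrack_ftp ip_conntrack_irc]
iptable_filter 2400 1 (autoclean)
ip_tables 14944 1 [iptable_filter]'

echo "helper modules in the constructed sample:"
printf '%s\n' "$SAMPLE_MODULES" | list_helpers

if [ -r /proc/modules ]; then
    echo "helper modules loaded on this host:"
    list_helpers < /proc/modules
fi

if kernel_at_least "$(uname -r)" 2.4.18; then
    echo "kernel $(uname -r): at or above 2.4.18"
else
    echo "kernel $(uname -r): older than 2.4.18, upgrade"
fi
```

On a live host, `list_helpers < /proc/modules` shows exactly which helpers are resident; a helper that is loaded but not needed is code that can be left out of the next kernel build, which is the mail's point about disabling unused netfilter features. Helpers built into the kernel rather than as modules do not appear in `/proc/modules`, so a kernel config review is still needed for those.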
