[NTLUG:Discuss] A Vulnerability question
Steve
steve at cyberianhamster.com
Mon Oct 8 10:21:26 CDT 2001
Randall Gibson wrote:
> On 2001.10.08 07:14 Dennis Myhand wrote:
> Firewalls are only as good as your rulesets. If you haven't configured and
> fully tested it, don't count on it. Things like IP spoofing may easily get
> around a poorly configured firewall. A default firewall script may be
> set up to allow in services that someone thought you might like to run ....
I get the feeling that the paranoia level of people building their own firewalls
is not high enough. They have a firewall that apparently works, and so that's the
end of the story with their firewall. Understanding firewalls takes a decent
amount of effort and time. It's not a one-shot deal.
>> 3.) Or am simply running a firewall with that program running?
>
> If the firewall is thoroughly blocking access to the system, it is relatively safe. Be safer and patch any security holes anyways, even if no-one should be able to access them.
In addition, creative types are always trying to figure out how to sneak through
your firewall or go around it entirely. A poorly configured service that is
purposefully accessible through the firewall may have some security problem, like
a buffer overflow exploit, which your firewall will not catch. So, the general
rule is that if you don't need it and/or don't understand it, get rid of it.
So (a) your firewall ruleset that works today may not always work. (b) There are
other silly things, like not having your firewall come up first if your system
reboots, which would leave you vulnerable, or (c) something like changing your
firewall and finding you foobared part of it in the process, and so on.
You should always harden your system first. So, look at your services, find what
is needed and for those that are needed, secure/update them within the context
of those services, like properly configuring them. For example, telling your
Samba service that requests will only be taken on your NIC interface and not
your modem.
THEN you add a firewall to protect that already hardened system. You'll want
multiple levels of intrusion security. If you rely just on your firewall and it
should fail for some reason, you could be in trouble. Some people set up
dedicated firewalls that have nothing running on them except the firewall. That
means a cracker would have to compromise your firewall and then compromise the
hardened system behind the firewall.
Steve
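The "look at your services" step from the post, as an added example that is not part of the original message: a small POSIX shell audit that reads netstat-style listener lines and flags every TCP service bound to the wildcard address (reachable on every interface, modem link included). The sample output is constructed for the example; the live command and the Samba settings in the comments are assumptions about the reader's setup, not something the post states.

```shell
#!/bin/sh
# Constructed sample of `netstat -ltn`-style output (not captured from a real host):
# proto recv-q send-q local-address foreign-address state
SAMPLE='tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.10:445 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN'

# Print the port of each TCP listener bound to 0.0.0.0, i.e. one that
# accepts connections on every interface rather than just the LAN NIC.
# Header lines are skipped because they never match proto/state.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "LISTEN" && $4 ~ /^0\.0\.0\.0:/ {
        split($4, a, ":"); print a[2]
    }'
}

# Number of wildcard listeners: zero is the goal for a hardened host
# where each needed service is pinned to the interface it should serve.
count_wildcard() {
    wildcard_listeners "$1" | wc -l | tr -d ' '
}

# For the Samba case in the post (port 139 above), the usual fix lives in
# smb.conf:   interfaces = eth0   and   bind interfaces only = yes
# Live use (assumes netstat is installed):  wildcard_listeners "$(netstat -ltn)"
wildcard_listeners "$SAMPLE"
```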