[NTLUG:Discuss] A Vulnerability question

Jim Wildman jim at rossberry.com
Mon Oct 8 11:15:26 CDT 2001


Hear, hear!!

Paranoia is not only good, it is essential!

Any production system (or just one you care about) should really be
analyzed from a hardening point of view.  Firewalls _should_ be built
from a default deny perspective, though that means lots of things
don't work for a while.

Questions to ask:
1) Do I really need this piece of software?
2) What opportunities for abuse does this software present?
3) What steps will I need to take to work around not having this
software?

Take printing for instance.
1) Why do you need to print from a firewall host?  Configs?
2) Lots of opportunities since most spoolers run as root.
3) Scp the file to another box and print it, or start lpd just when you
need it.

------------------------------------------------------------------------
Jim Wildman                                            jim at rossberry.com

On Mon, 8 Oct 2001, Steve wrote:

> Randall Gibson wrote:
>
> I get the feeling that the paranoia level of people building their own firewalls
> is not high enough. They have a firewall that apparently works and so that's the
> end of the story with their firewall. Understanding firewalls takes a decent
> amount of effort and time. It's not a one shot deal.
<snip>
>
> You should always harden your system first. So, look at your services, find what
> is needed and for those that are needed, secure/update them within the context
> of those services, like properly configuring them. For example, telling your
> Samba service that requests will only be taken on your NIC interface and not
> your modem.
>
> THEN, you add a firewall to protect that already hardened system. You'll want
> multiple levels of intrusion security. If you rely just on your firewall and it
> should fail for some reason, you could be in trouble. Some people set up
> dedicated firewalls that have nothing running on them except the firewall. That
> means a cracker would have to compromise your firewall and then compromise the
> hardened system behind the firewall.
>
> Steve
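One way to put the "do I really need this?" questions into practice, as an added example that is not from the original thread: a small Python audit that parses `netstat -tulpn` output (a constructed sample here, not taken from a real host) and, default-deny style, flags every listener that is not on an explicit allowlist, pointing at the internal NIC for anything bound to all interfaces, as the Samba example above suggests. The allowlist, the sample output and the 192.168.1.1 internal address are assumptions.

```python
from typing import List, NamedTuple

# Constructed sample of `netstat -tulpn` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      412/lpd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      530/smbd
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      301/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      388/sendmail
udp        0      0 0.0.0.0:137             0.0.0.0:*                           531/nmbd
"""

# Default-deny allowlist of (program, bind address) pairs we have decided we really need.
# Everything else is a finding. The internal NIC address is an assumed value.
INTERNAL_NIC = "192.168.1.1"
ALLOWED = {("sshd", INTERNAL_NIC), ("sendmail", "127.0.0.1")}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    program: str


def parse_netstat(text: str) -> List[Listener]:
    """Extract listening sockets from netstat -tulpn style output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, port = fields[3].rsplit(":", 1)
        pid_prog = fields[-1]
        program = pid_prog.split("/", 1)[1] if "/" in pid_prog else "-"
        listeners.append(Listener(fields[0], addr, int(port), program))
    return listeners


def audit(listeners: List[Listener], allowed=ALLOWED) -> List[str]:
    """Report every listener not explicitly allowed (default deny)."""
    findings = []
    for l in listeners:
        if (l.program, l.addr) in allowed:
            continue
        if l.addr == "0.0.0.0":
            findings.append(f"{l.program} ({l.proto}/{l.port}) listens on all interfaces; "
                            f"bind it to {INTERNAL_NIC} only, or stop it until needed")
        else:
            findings.append(f"{l.program} ({l.proto}/{l.port}) on {l.addr} is not on the allowlist")
    return findings
```

On the sample above, lpd, smbd and nmbd are reported while the allowlisted sshd and sendmail entries pass.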