Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Thu, 24 Oct 2002 12:07:29 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Thu, 24 Oct 2002 12:07:28 -0400 Received: from h66-38-216-165.gtconnect.net ([66.38.216.165]:59909 "HELO innerfire.net") by vger.kernel.org with SMTP id ; Thu, 24 Oct 2002 12:07:27 -0400 Date: Thu, 24 Oct 2002 12:13:38 -0400 (EDT) From: Gerhard Mack To: Tony Gale cc: linux-kernel@vger.kernel.org Subject: Re: One for the Security Guru's In-Reply-To: <1035453664.1035.11.camel@syntax.dstl.gov.uk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2231 Lines: 60 On 24 Oct 2002, Tony Gale wrote: > Date: 24 Oct 2002 11:01:04 +0100 > From: Tony Gale > To: linux-kernel@vger.kernel.org > Subject: Re: One for the Security Guru's > > On Thu, 2002-10-24 at 10:38, Henning P. Schmiedehausen wrote: > > Gerhard Mack writes: > > > > >Actually at the place that just went bankrupt on me I had a Security > > >consultant complain that 2 of my servers were outside the firewall. He > > >recommended that I get a firewall just for those 2 servers but backed off > > >when I pointed out that I would need to open all of the same ports that > > >are open on the server anyways so the vulnerability isn't any less with > > >the firewall. > > > > So you should've bought a more expensive firewall that offers protocol > > based forwarding instead of being a simple packet filter. > > > > packet filter != firewall. That's the main lie behind most of the > > "Linux based" firewalls. > > > > Get the real thing. Checkpoint. PIX. But that's a little > > more expensive than "xxx firewall based on Linux". > > > > Thats not entirely accurate, or fair. A packet filter is a type of > Firewall (or can be). A Firewall is a means to implement a security > policy, usually specifically a network access policy. A Packet Filter, > including a ""Linux based" firewall" is a perfectly acceptable means of > achieving that goal, if it meets the policy requirements. > > Ref. http://csrc.nist.gov/publications/nistpubs/800-10/ (over 7 years > old, but still highly relevant). > > Most commercial firewalls are very bad at protecting servers offering > Internet services, they aren't designed to do it. > It gets even worse if almost all of your services are encrypted(like you would find on an e-commerse site). https will blind an IDS. The last place I worked only had 3 ports open and 2 of them were encrypted. Gerhard -- Gerhard Mack gmack@innerfire.net <>< As a computer I find your faith in technology amusing. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/