A.P. Lawrence

Information and Resources for Unix and Linux Systems
Bloggers and the self-employed

Home
Kerio
Sections
- MacOSX
- Linux
- Blogging
- Self-Employment
- Support
Contents
- Most Popular
- Browse All Topics
- Newest Articles
- Random Page
- Surveys
Tests
- Linux
- Mac OS X
- SCO Unix
- Perl
Resources
- Site Forum
- Write for this site
- Find a Consultant
- Contact Info
- RSS Feeds
- Store
- Advertise Here
- Disclaimer
Help
- About
- Rates
- Copyrights
- Contact
- Support

(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Kerio Reseller
Printer Friendly Version

Best of the Newsgroups: why server should not be on net security firewall

If this isn't exactly what you wanted, please try our Search (there's a LOT of techy and non-techy stuff here about Linux, Unix, Mac OS X and just computers in general!):

Date: Mon, 23 Dec 2002 18:05:08 -0500
From: Anthony Lawrence <tony@pcunix.com>
Subject: Re: ipfilter security References: <d4e3407b.0212231247.22f5c291@posting.google.com>

Hate these ads?

Fernando Ronci wrote:
> Hi,
>
> Why do many "security" people (not here though) claim that the sole
> use of ipfilter as a firewall is not enough, and that the whole
> system's security can be compromised ?

I'm not sure people have said exactly that.

For example, what I have said more than once is that I don't think
production servers should be directly attached to the net. I think they
should always be reached only through one or more other firewalls that
are doing nothing BUT act as a filter for the internal machines. That's
not to say that the internal machines shouldn't also be configured
securely (as though they were directly connected - in other words,
non-essential services shut off, security patches reasonably current,
packet filtering in place etc.).

There are several reasons I hold that opinion:

Forget the expense of flying to New England. Forget hotel and meals costs.
Installation and light training Boston and New England

o More security is always better than less. Important resources should
have better protection.

o Internal servers are apt to lag behind in patches and OS updates
simply because such things may affect critical apps running theron.
Firewalls that do nothing but security won't be crippled by that need.

o Internal servers are apt to lag behind in patches and OS updates
because financial people don't want to spend money on something that
works. It's easier (and often cheaper for various reasons) to keep a
separate firewall up to date than an internal production server. For example,
an OS update that would affect security might cost much more than
upgrading a firewall for the same fix because the server may require
costly application updates.

o People hate to take down internal servers to do updates because it
affects real work. Often you can live without the internet for a few
hours but not without the production server, so updates get delayed.

o Internal servers are more subject to accidental security problems such
as incorrect permissions. This is often done (again) in the interests
of making applications easier.

o Internal servers are quite apt to have dozens of accounts with weak
passwords.  It's generally easier to enforce strong password policy for
external access.  Such access can also be limited to only the accounts
that reallly need it.  Joe has to login 2 or 3 times if he's coming in
remotely, but he won't usually object to that as much as having a long
internal password.  And if he does object, it's an easier battle to fight.

o Internal servers are (obviously) already open for access to inside
people who can accidentally or on purpose open up more access by their
actions. It's often necessary or expedient to give relatively
unsophisticated users some system level access for routine maintenance.
Such access is not necessary on a dedicated firewall.

o Internal servers may need to advertise services that are dangerous on
the Internet. Yes, you can and should filter those services but even
better is not even have them ever get near the outside world in the
first place. If services are accidentally turned on, or local filter
rules forgot to account for the outside world, it won't matter if the
firewall is rigorously blocking everything that is not explicitly allowed.

I'm sure there is more others can add, but this should be enough. In my
opinion, it's just dumb to have an internal server with a public interface.

--
Tony Lawrence
Free Linux Skills Test: http://aplawrence.com/skillstest.html

Comments /Bofcusm/1901.html

Add your comments

Why no "Digg this!" etc.?

Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)

Phone and Email Support at Monthly rates

Printer Friendly Version

Views for this page
Today	This Week	This Month	This Year	Overall
1	3	20	215	1,261

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here

Printer Friendly Version

More:

- Newsgroup

Unix/Linux Consultants

Your ad here - $24.00 yearly!

larryi@ccamedical.com SCO OS5, Debian Linux, RedHat Linux, MySQL, Apache, AJAX development using dXport/dL4/Unibasic, Windows Connectivity, Sharing Resouces, Automation, Shell Scripting

http://www.cleverminds.net Need expert advice? Want a second opinion? CleverMinds is a one-stop-shop for a wide range of technology solutions. We support Unix, Linux, SCO as well as CMS, ecom, blogs, podcasts, search engines consulting and more. Contact us at web2.0@cleverminds.net 0r (617) 894-1282

http://www.m3ipinc.com Security, firewalls, ids, audits, vulnerability assesments, BS7799, HIPAA, GLB, incident handling

Coming Attractions

My Favorites