
Thread: Is it me???

  1. #11
    Senior Member | Join Date: May 2001 | Posts: 345

    Re:Is it me???

    I reply to your big long post with a short one.

    Cups
    Xfree
    smtp (only used for fetchmail)

    All open ports only needed for the local host.

    Additionally,

    ssh
    apache
    samba

    All open ports, but are only needed for one specific computer.


    Yes, you are right that there's little point in firewalling closed ports, but who's doing that?

  2. #12

    Re:Is it me???

    You can start both your xserver and sendmail to only listen to the loopback, as for CUPS, I know very little.

    The only point I am trying to make is that firewalling individual hosts does != secure network communications, intranet or extranet.

    I will repeat, there is nothing wrong with firewalling individual hosts, but if you are securing a large LAN or WAN, it is the wrong way to go about it, and that firewalling individual hosts instead of building perimeter firewalls is just plain wrong. Doing both increases security, but adds tremendous amounts of administrative overhead.

    The original post asked why all firewall documentation discusses routing and port forwarding. Well the answer is because firewalls need to accomplish these things. A lot of commercial firewall packages simply will not even install without the presence of 2 active NICs.

    Why would you firewall closed ports? Because any connection to a closed port sends back a reset packet, at the very minimal, to the querying host. This tells a portscanner that a host exists, even if no services run on that host at all. So why would you do it? To hide a live host. However, as I stated before, this effect will be defeated if you have so much as one port open. Why did I post this? Because it was stated in an earlier reply that one should firewall all ports from 1-1024 and then selective ports up to 65535. This is incorrect. In reality, one should just firewall all ports in the range of 1:65535 (open or closed), simply because it is much easier to configure and because a deny-all-by-default policy is much much more secure. Why firewall one range of ports, but leave the others unfirewalled? It has no effective purpose.

    Why do I keep ranting? Because firewalls are, primarily, perimeter defenses. Again, this is not to say that they cannot exist on end-hosts, but to firewall hosts without firewalling your LAN egresses is just not a great idea. And, if one needed to firewall all their LAN hosts simply because they cannot trust anything else on their LAN, well, then perhaps they need to rethink their entire security infrastructure.

  3. #13

    Re:Is it me???

    Well the reason I asked is because of my MR314 router... It really doesn't have any sort of firewalling configurability (I think I just made that word up :P) besides port forwarding... So I'm not exactly sure if I need to firewall my individual boxes, or if the firewalling capabilities are good enough on the router to not worry about firewalling individual boxes. Also this is just a small home network consisting of only 2 PCs, for now ;D. When I got RoadRunner I bought a firewall from Norton, which I really like(d), so now it seems like it is a waste of money :-[ if the router firewalls efficiently.

  4. #14
    Senior Member | Join Date: May 2001 | Posts: 345

    Re:Is it me???

    Huge administrative overhead, yes indeed. On SuSE 8.1, I can in about 30 seconds set up their firewall. Now, you could argue that if you had a network with 150 workstations it'd take a thousand times that time, but if you have 150 workstations and aren't using some sort of default image for installing you're an idiot.

    Closed ports. YOU are the one who asked why firewall closed ports. I took it to mean you were implying that firewalling closed ports is useless, and indeed it isn't the most important thing one can do with a firewall. I'm not about to spill everything I know about Linux security or security in general simply because I see host level firewalls as more important than you.

    Cups -- you don't know, neither do I.

    Sendmail -- great, but I use postfix.

    X -- great again, but what if I want to run cronned jobs, such as starting a movie as my alarm? Or perhaps I want to use xconfig on the kernel. Nope, if you disable its TCP listening, you won't be able to do it, but a real simple firewall rule keeps the access local.

    1:1023 vs 1:65535 -- That really _DEMANDS_ clarification. Not everyone understands the differences in different firewalling rules. That could easily be taken to mean that you should block all tcp traffic on all ports, which you know as well as I do would make the network connection nearly pointless, as you'd be unable to do well, just about everything. Now, you could firewall the higher level ports using a bit more selective rules. Perhaps just block syn packets (though some stuff like dcc and icq now will not work.)

    As for your comment that a specific firewall strategy is incorrect, you've lost a chunk of respect from me. Anyone who believes there is one correct security model for everyone needs to pull their head out of their ass and look around.

    And finally, about _my_ ranting on firewalls, I understand that a simple firewall on a router is not a whole security system. If you do that and neglect to keep your stuff updated, you're just asking for trouble. I could write ten thousand words on the security setup on my lan, as it doesn't consist of purely a firewall on the router (nor firewalls in general.) This argument hasn't been about that however, this argument has been about the uselessness of firewalling a single host.
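The host policy the posts above argue over (deny-all-by-default on every port rather than a 1:1023 split, CUPS/X/smtp reachable from loopback only, ssh/apache/samba from one machine, and a stateful rule so that blocking all inbound ports does not make the connection "pointless"), as an added iptables example that is not from any poster; the trusted address is a constructed placeholder and the port numbers are the usual defaults for the named services.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) an iptables host
# policy for the services listed in the posts above. The trusted address is a
# constructed placeholder; port numbers are the usual defaults for each service.
TRUSTED_HOST="${TRUSTED_HOST:-192.168.1.10}"   # assumption: the one box that needs ssh/http/smb

gen_host_rules() {
    cat <<EOF
iptables -F INPUT
# Deny-all-by-default on 1:65535. With DROP (not REJECT) a probe to a closed
# port gets no RST back, which is the "hide a live host" effect.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# CUPS (631), X (6000) and smtp-for-fetchmail (25) keep listening, but only
# loopback traffic can reach them; no per-port rules needed.
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host opened. This is what makes blocking every
# inbound port safe for normal use: outbound connections still get their
# answers. Anything that needs unsolicited inbound connections (the dcc
# example) still needs its own explicit rule.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh, apache, samba only from the one machine that needs them.
iptables -A INPUT -s $TRUSTED_HOST -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s $TRUSTED_HOST -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s $TRUSTED_HOST -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -s $TRUSTED_HOST -p tcp -m multiport --dports 139,445 -j ACCEPT
# Rate-limited log of whatever the default policy is about to drop, so the
# host's own logs show the probes that reach it.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "host-fw drop: "
EOF
}

# Print the rule set for review; pipe it to sh as root to apply it.
gen_host_rules
```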

  5. #15
    Senior Member | Join Date: May 2001 | Posts: 345

    Re:Is it me???

    [quote author=Izan Seth link=board=5;threadid=5841;start=0#55868 date=1039890131]
    Well the reason I asked is because of my MR314 router... It really doesn't have any sort of firewalling configurability (I think I just made that word up :P) besides port forwarding... So I'm not exactly sure if I need to firewall my individual boxes, or if the firewalling capabilities are good enough on the router to not worry about firewalling individual boxes. Also this is just a small home network consisting of only 2 PCs, for now ;D. When I got RoadRunner I bought a firewall from Norton, which I really like(d), so now it seems like it is a waste of money :-[ if the router firewalls efficiently.
    [/quote]

    Internet scans will be on your routable internet IP, which I imagine is the router itself and then your internal network uses a private IP scheme? Basically, an internet scan will let people know what services are listening on the router. You would have to specifically set up a forwarding policy if you wanted services that are on machines in your LAN to be accessible to the net (hence it acts like a firewall in that way.) I wouldn't lose sleep over your setup. You could keep playing with security measures like a paranoid security zealot, but you're pretty good as is.

  6. #16

    Re:Is it me???

    Yeah I'm starting to realize, slowly as it seems, that this router is doing a lot more for me than I had ever thought. My firewall logs on my Win box are essentially empty ... I love it!!

  7. #17

    Re:Is it me???

    For the most part you are safe simply because your internal services are not visible to the internet. It's security by obscurity, which is not great for the corporate world, but works fine for private users. Unless 1) there is a hack on your router or 2) someone is really hell bent on getting into your LAN for something you have. Other than that, you should be somewhat safe.

    AFAIK, most attacks on home users happen via worms, as a result of people scanning large blocks of internet space for vulnerable services, trojans and viruses. A basic NAT router will help alleviate the first two. A smart and cautious user will help alleviate the second two.

    The one cool thing about Norton Internet Security that I like is how it reports to you every application that attempts to access the internet and gives you the option of allowing it to run or not. Norton Internet Security still has some uses even behind a firewall. One being basic virus scanning, the other being alerting when progs access the internet. Most of these home firewall products are based on the idea that the user will have a live, pingable IP address. But they have other added functionality above and beyond that purpose. In a way they are a firewall/IDS/virus scanner/content scanner all-in-one. I wouldn't get rid of it on your windows box, as it is still very useful.

  8. #18
    Senior Member | Join Date: May 2001 | Posts: 345

    Re:Is it me???

    [quote author=tolstoy link=board=5;threadid=5841;start=0#55945 date=1039968613]
    For the most part you are safe simply because your internal services are not visible to the internet. It's security by obscurity, which is not great for the corporate world, but works fine for private users. Unless 1) there is a hack on your router or 2) someone is really hell bent on getting into your LAN for something you have. Other than that, you should be somewhat safe.

    AFAIK, most attacks on home users happen via worms, as a result of people scanning large blocks of internet space for vulnerable services, trojans and viruses. A basic NAT router will help alleviate the first two. A smart and cautious user will help alleviate the second two.

    The one cool thing about Norton Internet Security that I like is how it reports to you every application that attempts to access the internet and gives you the option of allowing it to run or not. Norton Internet Security still has some uses even behind a firewall. One being basic virus scanning, the other being alerting when progs access the internet. Most of these home firewall products are based on the idea that the user will have a live, pingable IP address. But they have other added functionality above and beyond that purpose. In a way they are a firewall/IDS/virus scanner/content scanner all-in-one. I wouldn't get rid of it on your windows box, as it is still very useful.
    [/quote]

    Can you tell me what the heck we were arguing about? Looking at this you're not nearly so anti-host firewall as you came off as earlier. Well, guess I'll chalk it up to a good debate (though, I guess I'll have to try and figure out what I was debating.)

  9. #19

    Re:Is it me???

    I'm not really sure what I was arguing about, maybe just common firewall misconceptions. I think I began ranting because the original poster wondered why all firewall HOWTOs went into routing and port forwarding and DMZs, and claimed he wanted to stop spoofs and secure LAN communications, both of which cannot be accomplished with a host-based firewall.

    And no, I don't think host-based firewalls are that effective unless you have only one box that's directly connected to the internet. I do like Norton's product, however, and use it on my windows box behind a firewall appliance, because it does a lot more than just firewalling.

  10. #20
    Senior Member | Join Date: May 2001 | Posts: 345

    Re:Is it me???

    One minor thing.

    s/internet/untrusted network

    I still wouldn't trust a college dorm's LAN anymore than the internet.
