[lug] Why Do I Need a Firewall?

gordongoldin at aim.com
Wed Oct 10 14:41:10 MDT 2007

>>>>>> Subject: Re: [lug] Why Do I Need a Firewall?
>>> Thanks... This is convincing. I guess it's like a ship:
>>> ***as long as the hull isn't punctured,*** there's no need for watertight compartments.
>>> But if you spring a leak, a second level of defense can make all the difference
>>> whether you later sail into port or sleep with the fishes.

>>>> FIREWALL
Quote from a document that delineates JUST the "normal steps" which should be taken to harden a server (82 pages long):
..."Although a firewall certainly represents one of your main lines of defense in your total security plan, it should not be your only line of defense."
...recommends installing a host-based firewall on workstations. ... Workstations are defined as Linux systems that offer ***NO SERVICES*** ...

>>>> a second level of defense

Following the thread, plenty of bad code running out of Apache can do much.
Another example: a process could be made to run in /tmp or /var. So a standard should be to have those as separate partitions with noexec, etc.

>>> as long as the hull isn't punctured
>>> FTP
Quote from the manual:
Is there a mission-critical reason why data must be transferred to and from this system via ftp, rather than sftp or scp?
If the answer to this question is yes, proceed with the actions below.
...
Pull the bung-plug from the hull.
Set up a nice deckchair.
Pour yourself a nice drink.
Get ready for a nice nap with the fishes. 
...
Note: Any directory writable by an anonymous FTP server should probably have its own partition. This helps prevent a compromised FTP server ...
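The "separate partitions with noexec, etc." advice in the message above, as an added example that is not part of the original post or of the hardening guide it quotes: a small POSIX shell audit that reads an fstab and reports, for /tmp, /var, /var/tmp and an anonymous FTP upload directory, whether the mount point has its own entry at all and whether that entry carries noexec, nosuid and nodev. The fstab text embedded below is constructed for the demo, and the /var/ftp/pub upload path is an assumption; point the function at /etc/fstab and the real upload directory on a host you are checking.

```shell
#!/bin/sh
# Added example: audit an fstab for dedicated, hardened mounts.
# SAMPLE_FSTAB is constructed for the demo; /var/ftp/pub is an assumed
# anonymous-FTP upload directory. Neither comes from the original post.

SAMPLE_FSTAB='
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=aaaa /             ext4 errors=remount-ro                0 1
UUID=bbbb /tmp          ext4 defaults,nosuid,nodev,noexec     0 2
UUID=cccc /var          ext4 defaults                         0 2
UUID=dddd /var/ftp/pub  ext4 defaults,nosuid,nodev,noexec     0 2
'

# check_mount FSTAB_TEXT MOUNTPOINT
# Prints "missing" when the mount point has no entry of its own (it lives on
# a parent filesystem), "ok" when its entry has noexec, nosuid and nodev, or
# "lacks: ..." naming the options the entry does not set. Returns 0 only for "ok".
check_mount() {
    fstab="$1"; mp="$2"
    # Column 2 is the mount point, column 4 the comma-separated options;
    # comment lines and blank lines are skipped.
    opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '
        $1 !~ /^#/ && NF >= 4 && $2 == mp { print $4 }')
    if [ -z "$opts" ]; then
        echo missing
        return 1
    fi
    lacking=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) lacking="$lacking $want" ;;
        esac
    done
    if [ -z "$lacking" ]; then
        echo ok
        return 0
    fi
    echo "lacks:${lacking}"
    return 1
}

# audit_fstab FSTAB_TEXT
# Runs check_mount over the directories the post singles out and prints a
# one-line verdict per mount point. Returns 1 if any of them needs attention.
audit_fstab() {
    fstab="$1"; rc=0
    for mp in /tmp /var /var/tmp /var/ftp/pub; do
        res=$(check_mount "$fstab" "$mp") || rc=1
        printf '%-14s %s\n' "$mp" "$res"
    done
    return $rc
}

audit_fstab "$SAMPLE_FSTAB" || echo "fstab needs attention"
```

On the constructed fstab this flags /var (a dedicated partition, but mounted with plain defaults) and /var/tmp (no entry at all, so it inherits /var's options). Two caveats when acting on the result: noexec on all of /var breaks package managers that run scriptlets from under /var, so the usual practice is a separate, noexec /var/tmp and a hardened upload directory rather than noexec on /var itself; and noexec stops direct execution of a dropped binary but not `sh /tmp/script` or `perl /tmp/x.pl`, since there the interpreter is what executes. The separate partition still earns its keep either way, because an anonymous upload area on its own filesystem cannot fill the disk out from under the rest of the system.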