From: Crist J. Clark (cristjc@earthlink.net)
Date: Wed Jun 20 2001 - 23:53:00 CDT
On Wed, Jun 20, 2001 at 06:18:33PM -0700, Malcolm wrote:
> Hi folks,
> What do we think about installing IPFilter on non-gateway boxes
> and using it to block all incoming traffic except for whatever ports
> we want to use on our server (e.g., http, ftp)?
Well, "we" (OK, just me) think that it depends entirely on the purpose
of the box and your local security policies. There is no "right"
answer. But two things to consider:
If you have locked down services on a box and then firewall but allow
access to these services, what are you protecting? What does the
firewall actually do to hamper a remote attacker? It really does not
add anything. However, closing up all services is not as easy as it
sounds and a firewall is an extra layer of protection against mistakes
in locking them down. IMHO, unless the box is security critical, the
administrative costs of all of the firewalling probably exceed the
security gain for resisting external attack.
However, a firewall in this situation might protect you more from
_local_ users. That is, local users cannot start listening daemons on
high ports on their own. Again, depending on the site policy, this may
be good or bad. If policy is that users are trusted and _should_ be
able to do things like that, firewalling is bad. OTOH, if users are
less trusted and policy forbids these things, firewalling is the best
way to stop it.
$0.02 for ya'.
-- Crist J. Clark cjclark@alum.mit.edu
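As an added illustration of the setup Malcolm asks about (not part of the original thread), here is a minimal IPFilter ruleset for a non-gateway server that should answer only HTTP and FTP; the interface name fxp0 is an assumption. Because the default is to block everything inbound, a local user who starts a daemon on a high port gets no traffic from outside, which is the "local users" effect described in the reply.

```conf
# Added example, not from the original post. Assumes the server's only
# network interface is fxp0 and that it is not forwarding for anyone else.

# Default: drop and log every inbound packet that no later rule passes.
# This also silences any unexpected listener (e.g. a user's daemon on a
# high port) without having to chase it down on the host.
block in log all

# Loopback is trusted.
pass in quick on lo0 all
pass out quick on lo0 all

# The services we deliberately expose. "flags S keep state" admits only the
# opening SYN and then tracks the connection, so return packets need no
# extra rules.
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to any port = 21 flags S keep state

# Connections the host itself initiates (DNS, NTP, package updates, and the
# active-mode FTP data channel from port 20); state lets the replies back in.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
```

Passive-mode FTP opens data connections to high ports on the server, which this ruleset blocks; either pin the FTP daemon's passive port range and add a matching pass rule, or accept that only active mode will work.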
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message