Post #70,233
12/21/02 11:00:29 AM
|
Security police on my tail tonight ... even blocking my ...
posts to Macintosh forum - tried from 2 older computers that always got thru before but not anymore.
The chase begins as soon as I post to War on Terror forum - my computer gets ident requests & often I get port probed - my firewall logs are interesting reading.
I have a way round them but won't say how but it is devious.
Today has been worse than most, but I now have excellent defences & logs
Cheers
Doug Marker (I am guessing that the blocking is at this end & not in the US)
|
Post #70,266
12/21/02 5:37:37 PM
|
Re: Security police on my tail tonight ... even blocking
It's kinda like you're in a submarine. The Adventures of Captain Marker.
Speaking of security, which is better:
1) Focus limited security resources on gateways and force everything to be behind them, and allow lax security at the workstations
2) Apply strict security at each workstation, even if a lot of the work is redundant and cosmetic.
I'm in favor of the first approach.
-drl
|
Post #70,268
12/21/02 5:41:47 PM
|
I don't favour eggshell security.
It's bad.
All you have to do is penetrate the perimeter, and then you're in.
Pervasive security processes throughout the organisation are a much better idea.
Peter [link|http://www.debian.org|Shill For Hire] [link|http://www.kuro5hin.org|There is no K5 Cabal] [link|http://guildenstern.dyndns.org|Blog]
|
Post #70,269
12/21/02 5:48:23 PM
|
I'd prefer..
A firewall with proper statefulness and policy behind the ruleset. And that policy being reflected at the workstations and servers.
If you manage things properly, it's not as much work as you'd believe.
And I'm with Peter on this: hard and tough on the outside, creamy rich softness on the inside is a bad thing. rhosts and all that, *BY DEFAULT*, on everything I do is UNTRUSTED. Therefore you have to provide credentials every time.
[link|mailto:curley95@attbi.com|greg] - Grand-Master Artist in IT [link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!] [link|http://pascal.rockford.com:8888/SSK@kQMsmc74S0Tw3KHQiRQmDem0gAIPAgM/edcurry/1//|HIS GHOST SPEAKS!]
Your friendly Geheime Staatspolizei reminds: [link|http://www.wired.com/news/wireless/0,1382,56742,00.html|Wi-Fi enabled device use] comes with an all inclusive free trip to the (county)Photographer!
Why You ask? Here is the answer to your query: SELECT * FROM politicians WHERE iq > 40 OR \\ WHERE ego < 1048575; 0 rows found
|
Post #70,271
12/21/02 5:58:58 PM
|
Re: I'd prefer..
"Proper statefulness" - please explain that.
Put it this way - you're looking into a half-silvered mirror, and you know there are people behind it looking at you, but they can't be seen. What difference does it make what happens behind the mirror? You can't see it anyway.
-drl
|
Post #70,274
12/21/02 6:21:05 PM
|
The difference it makes is this...
Some day people will find a way in behind the mirror. Perhaps because of a virus that gets the clients on the inside to connect out. Perhaps because of a malicious web page. Perhaps because of a new bug discovered in your firewall.
What happens then?
Cheers, Ben
"Career politicians are inherently untrustworthy; if it spends its life buzzing around the outhouse, it's probably a fly." - [link|http://www.nationalinterest.org/issues/58/Mead.html|Walter Mead]
|
Post #70,280
12/21/02 7:32:36 PM
|
Stateful Firewall....
[link|http://rr.sans.org/firewall/anatomy.php|Anatomy of a Stateful Firewall]
There you are...
Also [link|http://www6.software.ibm.com/devcon/devcon/docs/fdx24tut.htm|Linux 2.4 stateful firewall design - Tutorial]
Hope this helps..
[link|mailto:curley95@attbi.com|greg] - Grand-Master Artist in IT [link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!] [link|http://pascal.rockford.com:8888/SSK@kQMsmc74S0Tw3KHQiRQmDem0gAIPAgM/edcurry/1//|HIS GHOST SPEAKS!]
Your friendly Geheime Staatspolizei reminds: [link|http://www.wired.com/news/wireless/0,1382,56742,00.html|Wi-Fi enabled device use] comes with an all inclusive free trip to the (county)Photographer!
Why You ask? Here is the answer to your query: SELECT * FROM politicians WHERE iq > 40 OR \\ WHERE ego < 1048575; 0 rows found
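The "proper statefulness" greg asks for in #70,269 and the way round it that Ben names in #70,274 can be shown side by side in a small simulation. The following is an added example, not code from any poster in this thread or from the SANS and IBM articles linked above. It keeps a flow table keyed on the connection 4-tuple and admits inbound packets only for flows an inside host opened with a plain SYN; the stateless comparison rule, the LAN prefix 10.0.0., the outside addresses, and the seven-packet trace are all constructed for illustration.

```python
"""Toy connection-tracking ("stateful") packet filter.

Added example for this thread, not code from any of the posters. Addresses,
ports and the packet trace are constructed to show (a) what a stateful filter
catches that a stateless ACK-bit rule does not, and (b) the case it cannot
catch: an inside host that opens the connection itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_NET = "10.0.0."  # hypothetical LAN prefix; everything else is "outside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False


def stateless_verdict(p: Packet) -> str:
    """Old-style stateless rule: let anything out, and let in any inbound
    packet with ACK set on the theory that it must be a reply."""
    if p.src.startswith(INSIDE_NET):
        return "ACCEPT"
    return "ACCEPT" if p.ack else "DROP"


class StatefulFilter:
    """Inbound packets are admitted only if they belong to a flow that an
    inside host started with a plain SYN; the filter keeps that flow table."""

    def __init__(self) -> None:
        # (client_ip, client_port, server_ip, server_port) -> state
        self.table: Dict[Tuple[str, int, str, int], str] = {}
        self.dropped: List[str] = []

    def verdict(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:
            if p.fin or p.rst:
                del self.table[key]        # teardown removes the entry
            elif p.ack:
                self.table[key] = "ESTABLISHED"
            return "ACCEPT"
        if p.src.startswith(INSIDE_NET) and p.syn and not p.ack:
            self.table[fwd] = "SYN_SENT"   # new flow, opened from inside
            return "ACCEPT"
        self.dropped.append(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "DROP"


# Constructed packet trace (outside addresses from documentation ranges).
TRACE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),             # 1 inside client -> web server
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True),   # 2 server's SYN/ACK
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, ack=True),             # 3 handshake completes
    Packet("198.51.100.7", 1234, "10.0.0.5", 139, syn=True),             # 4 unsolicited SYN probe
    Packet("198.51.100.7", 1234, "10.0.0.5", 139, ack=True),             # 5 ACK-only probe (nmap -sA style)
    Packet("10.0.0.5", 40001, "198.51.100.7", 443, syn=True),            # 6 malware on the client phones home
    Packet("198.51.100.7", 443, "10.0.0.5", 40001, syn=True, ack=True),  # 7 attacker's reply
]


def run_trace(packets):
    """Return (list of (stateless, stateful) verdicts, the stateful filter)."""
    sf = StatefulFilter()
    verdicts = [(stateless_verdict(p), sf.verdict(p)) for p in packets]
    return verdicts, sf


if __name__ == "__main__":
    verdicts, sf = run_trace(TRACE)
    for n, (p, v) in enumerate(zip(TRACE, verdicts), 1):
        print(f"{n}: {p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={v[0]:6}  stateful={v[1]}")
    print("flow table:", sf.table)
```

Packets 4 and 5 are the kind of probes Doug's firewall logs would show; only the stateful filter drops the ACK-only one, because it has no flow to match it to. Packet 6 is Ben's case: a process on the inside opening a connection out looks, to the perimeter, exactly like a browser fetching a page over 443, so both filters pass it and its reply. That is the argument for also enforcing the policy on the workstation rather than only at the gateway.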
|
Post #70,272
12/21/02 6:06:33 PM
|
Oh, Corollary
Anything with special security needs goes on its own network. The security is always thought of as applying to a network, not a node (unless it's a gateway).
-drl
|
Post #70,279
12/21/02 7:25:50 PM
|
Considering most security breaches . .
. . originate from the inside, and considering many of the rest involve collaboration with or duping someone on the inside, the hard shell, soft interior strategy seems to me less than fully effective.
[link|http://www.aaxnet.com|AAx]
|
Post #70,292
12/21/02 9:02:43 PM
|
Security perimeters
Ross wrote:
Speaking of security, which is better:
1) Focus limited security resources on gateways and force everything to be behind them, and allow lax security at the workstations
2) Apply strict security at each workstation, even if a lot of the work is redundant and cosmetic.
I like this question. It should be asked more often.
I tend to side with Peter -- for my own networks, at least. My machines used to be right on the same ethernet hub nexus as an entire Internet cafe in San Francisco (see [link|http://linuxmafia.com/coffeenet/|mirror]), and so I simply became accustomed to the idea of the LAN being a presumed-hostile place that should never be trusted. After getting used to that, the logical extension is to also realise that there's no special reason one's hosts need to trust one another, either. It's a way of thinking different from what people are used to, but tends to give superior results: For one thing, compromise of a single host doesn't cause collapse of the entire house of cards. There are no longer obvious single points of failure.
Thus, I don't hide my hosts behind "firewalling" scripts: They're all fully exposed to the Internet, and I make a point of enabling only network daemons whose security problems I'm willing to stay on top of. The entire LAN gets probed using nmap and other things, on occasion, to help catch any dumb errors or omissions.
Most people prefer the perimeter security model (using IP filtering or application-level proxies) because they believe they're safer behind a security "moat". This can work to a certain degree; many people profess to like the results.
The proper way to evaluate any security model, in any event, is to consider assets and threat modes: What are the feasible threat methods that might apply to your setup? What's the downside, in the event of lossage? What are the remedies? Preventatives? Recovery? And so on.
Rick Moen rick@linuxmafia.com
If you lived here, you'd be $HOME already.
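Rick's practice of enabling only the daemons he is willing to stay on top of, and then probing the LAN with nmap to catch omissions, can be made into a repeatable check. The following is an added example, not Rick's own tooling or anything from linuxmafia.com: it parses nmap's grepable output (the -oG format) and diffs what was seen against a per-host allowlist of what is supposed to be listening. The scan text, the hosts and the POLICY table are constructed for the example; on a real LAN you would feed in the output of `nmap -sS -oG - <range>` and keep the policy file under version control.

```python
"""Audit listening services against an exposure policy using nmap's grepable output.

Added example, not code from the thread. The scan output below is constructed
(not a real nmap run) and the policy table is hypothetical.
"""
from typing import Dict, List, Set, Tuple

PortSet = Set[Tuple[str, int]]

# Constructed `nmap -oG` output: fields are tab-separated, one "Ports:" line per host.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -oG - 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///\tIgnored State: closed (1599)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 6000/open/tcp//X11///\tIgnored State: closed (1597)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 25/filtered/tcp//smtp///\tIgnored State: closed (1600)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (1600)
# Nmap run completed
"""

# Hypothetical exposure policy: the only daemons each host is meant to run.
POLICY: Dict[str, PortSet] = {
    "10.0.0.1": {("tcp", 22), ("tcp", 53)},   # router: ssh + dns
    "10.0.0.5": {("tcp", 22), ("tcp", 80)},   # web box: ssh + http
    "10.0.0.6": {("tcp", 25)},                # mail relay
}


def parse_gnmap(text: str) -> Dict[str, PortSet]:
    """Return {host: {(proto, port), ...}} for ports nmap reported as open.
    Hosts seen with no open ports still get an (empty) entry."""
    observed: Dict[str, PortSet] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = observed.setdefault(host, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # port/state/proto/owner/service/rpc/version
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = parts[0], parts[1], parts[2]
                if state == "open":
                    ports.add((proto, int(port)))
    return observed


def audit(observed: Dict[str, PortSet], policy: Dict[str, PortSet]) -> List[Tuple[str, str, str]]:
    """Diff what the scan saw against what policy allows.

    UNEXPECTED: open but not allowed (a daemon nobody signed up to maintain).
    MISSING:    allowed but not seen open (service down, or a filter in the way).
    UNKNOWN_HOST: answered the scan but has no policy entry at all.
    """
    findings: List[Tuple[str, str, str]] = []
    for host in sorted(set(observed) | set(policy)):
        seen = observed.get(host, set())
        allowed = policy.get(host, set())
        if host not in policy:
            findings.append((host, "UNKNOWN_HOST", ""))
        for proto, port in sorted(seen - allowed):
            findings.append((host, "UNEXPECTED", f"{port}/{proto}"))
        for proto, port in sorted(allowed - seen):
            findings.append((host, "MISSING", f"{port}/{proto}"))
    return findings


if __name__ == "__main__":
    for host, kind, port in audit(parse_gnmap(SAMPLE_GNMAP), POLICY):
        print(f"{host:12} {kind:13} {port}")
```

Run against the constructed scan, the audit flags the NetBIOS and X11 listeners on 10.0.0.5 (exactly the "dumb errors or omissions" Rick scans for), reports 25/tcp on 10.0.0.6 as missing because nmap saw it filtered rather than open, and flags 10.0.0.7 as a host with no policy entry. Running this from cron and diffing successive reports turns an occasional probe into a standing check that the exposed surface is the one you intended.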
|
Post #70,311
12/21/02 10:17:49 PM
|
Personally speaking
I prefer every machine able to reach the internet be hardened. Firewalls are nice to slow 'em down a tad, but having exposed so many theoretically hardened perimeters and waltzed through, I think if you are in charge of a box, lock it down. thanx, bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]
You think that you can trust the government to look after your rights? ask an Indian
|
Post #70,300
12/21/02 9:23:42 PM
|
Re: Security police on my tail tonight ... even blocking
I have adopted the 2nd approach - every computer now has a range of defences.
I wanted to set up a single system to route the others thru & use that system to act as a firewall filter, IDS & logger. But until I can buy a cheap off the shelf machine that is better than my Buffalo Airport, I will use it as the front line, just wish I had more control of it such as I would have with a Linux system. (The Buffalo is obviously *nix based).
Cheers
Doug
|