Security perimeters
Ross wrote:

Speaking of security, which is better:

1) Focus limited security resources on gateways and force everything to be behind them, and allow lax security at the workstations

2) Apply strict security at each workstation, even if a lot of the work is redundant and cosmetic.


I like this question. It should be asked more often.

I tend to side with Peter -- for my own networks, at least. My machines used to be right on the same ethernet hub nexus as an entire Internet cafe in San Francisco (see [link|http://linuxmafia.com/coffeenet/|mirror]), and so I simply became accustomed to the idea of the LAN being a presumed-hostile place that should never be trusted. After getting used to that, the logical extension is to also realise that there's no special reason one's hosts need to trust one another, either. It's a way of thinking different from what people are used to, but tends to give superior results: For one thing, compromise of a single host doesn't cause collapse of the entire house of cards. There are no longer obvious single points of failure.

Thus, I don't hide my hosts behind "firewalling" scripts: They're all fully exposed to the Internet, and I make a point of enabling only network daemons whose security problems I'm willing to stay on top of. The entire LAN gets probed using nmap and other things, on occasion, to help catch any dumb errors or omissions.

Most people prefer the perimeter security model (using IP filtering or application-level proxies) because they believe they're safer behind a security "moat". This can work to a certain degree; many people profess to like the results.

The proper way to evaluate any security model, in any event, is to consider assets and threat modes: What are the feasible threat methods that might apply to your setup? What's the downside, in the event of lossage? What are the remedies? Preventatives? Recovery? And so on.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
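The practice Rick describes above, exposing every host directly and periodically probing the whole LAN with nmap to catch a daemon that should not be listening, is easy to turn into a repeatable check. The script below is an added example and not part of the original post: it parses nmap's grepable (-oG) output, compares each host's open ports against a per-host allowlist, and reports anything the policy does not permit. The scan output, the addresses and the allowlist are all constructed for illustration; only the -oG line layout ("Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/...") is nmap's own.

```python
"""Audit an nmap grepable (-oG) scan against a per-host allowlist of open ports.

Added example, not code from the original post. It assumes nmap's -oG line
format and uses a constructed scan result and a constructed policy; the
addresses and services below are made up.
"""
import re
from collections import defaultdict

# Constructed -oG output for three hosts (made-up addresses and services).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///\tIgnored State: closed (997)
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 22/open/tcp//ssh///, 6000/open/tcp//X11///, 111/filtered/tcp//rpcbind///\tIgnored State: closed (997)
Host: 192.168.1.12 ()\tStatus: Up
Host: 192.168.1.12 ()\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 00:00:10 2024 -- 256 IP addresses (3 hosts up) scanned
"""

# Constructed policy: the open ports each host is supposed to expose.
# A host absent from the policy is allowed nothing, so a machine that
# appears on the LAN without anyone having decided what it may run is
# flagged in full.
ALLOWED = {
    "192.168.1.10": {22, 25, 80},
    "192.168.1.11": {22},
}

# One port entry in the "Ports:" field: port/state/proto/owner/service/...
# The state is matched with [^/]+ because nmap also emits "open|filtered".
PORT_RE = re.compile(r"(\d+)/([^/]+)/(\w+)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, service), ...]} for every port reported open.

    Only the plain "open" state counts; "open|filtered" (typical for UDP
    probes) is deliberately left out so the audit reports what is
    definitely reachable rather than what might be.
    """
    open_ports = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 192.168.1.10 ()" -> the address
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for port, state, proto, service in PORT_RE.findall(field[len("Ports: "):]):
                if state == "open":
                    open_ports[host].append((int(port), proto, service))
    return dict(open_ports)


def unexpected_exposure(open_ports, allowed):
    """Return sorted (host, port, proto, service) tuples the policy does not permit."""
    findings = []
    for host, ports in open_ports.items():
        permitted = allowed.get(host, set())
        for port, proto, service in ports:
            if port not in permitted:
                findings.append((host, port, proto, service))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, proto, service in unexpected_exposure(parse_gnmap(SAMPLE_SCAN), ALLOWED):
        print(f"UNEXPECTED {host} {port}/{proto} ({service or 'unknown service'})")
```

Run against a real scan (`nmap -sS -oG scan.gnmap 192.168.1.0/24`, then read the file instead of `SAMPLE_SCAN`), the same two functions report the X11 server that somebody left listening on .11 and the database on the .12 box nobody registered in the policy. Scanning from a second host rather than from the audited machine itself is what makes this catch the "dumb errors or omissions": a local `ss` or `netstat` listing shows what is bound, not what the rest of the LAN can actually reach.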
Personally speaking
I prefer every machine able to reach the internet be hardened. Firewalls are nice to slow 'em down a tad, but having exposed so many theoretically hardened perimeters and waltzed through, I think if you are in charge of a box, lock it down.
thanx,
bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]

You think that you can trust the government to look after your rights? ask an Indian
