Best firewall gateway version of Linux?

Sam Couter sam at topic.com.au
Tue Jan 15 13:48:01 EST 2002


On Tuesday, January 15, 2002, at 10:30 , Burn Alting wrote:

>Also, how nasty is it to also make the firewall one's mail router 
>(sendmail)?

Like most questions, the answer depends on many things. Security is a
matter of risk management.

First, you make your assessment of risk probabilities:

Each service you run on a machine presents additional risk, whether
vulnerabilities in that service are known at the moment or not. You can
assign risk probabilities to each service based on factors like how
they've performed in the past, how responsive the vendor is, and whether
they've been audited for security by people you trust.

I'll give you a quick tip that will probably start a holy war:
sendmail is notorious for its security problems.

Then, your assessment of impact:

Your machines (and the data stored on them) are only worth so much. Does
it matter to you if someone breaks in and nukes all your files? Will it
take you long to restore from backups? Do you even have backups? Do you
know how to successfully recover from a break-in? Could an attacker get
sensitive data from your machines, such as passwords for other machines,
credit card numbers, etc?

Finally, you need to make a decision on what you want to run on the
firewall, taking into consideration the above things. Remember that
having your firewall cracked means your other machines are much more
likely to fall.

Your machines can be used as stepping stones towards further attacks, or
as drones in a distributed attack. For the sake of everyone else on the
net, take this seriously, and minimise the likelihood of these kinds of
attacks being launched from your machine.

Using an intrusion detection system can help you discover that you have
been cracked, and allow you to clean up sooner after the break-in.

You can also help mitigate the risks by using techniques such as
chrooted services, using a separate UID (NOT root!) for each service,
etc.
-- 
Sam "Eddie" Couter  |  mailto:sam at topic.com.au     |  I need a short and
Internet Engineer   |  jabber:eddiesam at jabber.org  |  clever comment for
tSA Consulting      |  http://www.topic.com.au/    |  my .signature file
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
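The chroot-plus-dedicated-UID mitigation mentioned at the end of the post, as an added example (not code from the poster or the list); it assumes a Linux host with a `nobody` account and a service that starts as root, and the verification step demonstrates the point that dropping root must be irreversible:

```python
"""Confine a service as the post suggests: chroot it, then run it under its own non-root UID.

Added example. Assumes a Linux host where the account named in `user` (default:
"nobody") exists; the service is expected to start as root (e.g. to bind a
privileged port) and call ensure_unprivileged() before serving any traffic.
"""
import os
import pwd
from typing import Optional


def drop_privileges(user: str, jail: Optional[str] = None) -> dict:
    """chroot (optional), then switch permanently to `user`'s UID and primary GID.

    Order matters: chroot() and setgroups()/setgid() all require root, so they
    run first; setuid() is the irrevocable last step. A chroot alone is not a
    boundary for a process that is still root, which is why both are combined.
    """
    pw = pwd.getpwnam(user)
    if pw.pw_uid == 0:
        raise ValueError("refusing to run a service as root")
    if jail is not None:
        os.chroot(jail)
        os.chdir("/")        # otherwise the cwd still points outside the jail
    os.setgroups([])         # discard root's supplementary group memberships
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)     # as root this sets real, effective and saved UID
    return {"uid": os.getuid(), "euid": os.geteuid(), "gid": os.getgid()}


def privileges_dropped() -> bool:
    """True only if the process is not root AND cannot regain root.

    A service that merely calls seteuid() keeps a saved UID of 0 and can
    switch back; the setuid(0) probe below catches that mistake.
    """
    if os.getuid() == 0 or os.geteuid() == 0:
        return False
    try:
        os.setuid(0)         # must fail with EPERM once all three UIDs are non-root
    except PermissionError:
        return True
    return False


def ensure_unprivileged(user: str = "nobody", jail: Optional[str] = None) -> dict:
    """Drop privileges if started as root; otherwise just report the current IDs."""
    if os.geteuid() == 0:
        return drop_privileges(user, jail)
    return {"uid": os.getuid(), "euid": os.geteuid(), "gid": os.getgid()}
```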

