Re: ipfilter or ip xyz filtering security question
From: Giorgos Keramidas (keramida_at_ceid.upatras.gr)
Date: 01/07/04
- Next message: Winston Smith: "Re: Help with ipfw"
- Previous message: Lowell Gilbert: "Re: Help with ipfw"
- In reply to: Didier: "ipfilter or ip xyz filtering security question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 08 Jan 2004 00:01:40 +0200
"Didier" <NOSPAM@NOSPAM.ORG> writes:
>
> I need some opinions, please.
>
> Do you think it is necessary to enforce security on a FreeBSD server and use
> ipfilter or another filtering tool on a publicly accessible (internet) server?
> (I MEAN RUNNING THE FILTERING ON THE SERVER WHICH RUNS THE PUBLIC DAEMONS,
> I'm not speaking about physically separated gateways or firewalls!)
It's rarely a bad idea to introduce packet filtering to a machine that
already uses other forms of security. Every extra level of security
added to the "onion" means one more layer for the potential intruder to
peel before reaching the important core of your data or services.
> For example:
> A server running an ftp server and ssh server, does it really enhance
> security to add additional filtering rules (ipfilter or x)?
Only if you need to limit who/when has access to your services. As long
as someone passes the firewall rules, the FTP daemon isn't going to be
any more secure just because it's behind the firewall.
> If so, what is your approach?
> what
> a) are you blocking
> or
Everything, except what needs to pass.
> b) are you explicitly allowing (if you have in the kernel a setting that
> denies any traffic)
> apart from ftp and ssh
>
> Your opinions really interest me.
There are many ways to write your firewall rules. The two most
important types of rulesets are "block by default" and "pass by default"
collections of rules. Each one has a few relatively obvious advantages
and disadvantages.
1. Blocking by default
Nobody is allowed to access a service/port of your machine unless
explicitly allowed by the rules of your firewall.
This is annoying sometimes, especially with protocols like FTP that
require the client to connect to "ephemeral", random ports of the
server, which are negotiated after the initial connection setup has
finished.
It has the important advantage that you don't need to explicitly take
care of updating your firewall rules after installing a service to
prevent unwanted clients from accessing it. The service is blocked
to the world until you set things up to allow a few of the clients to
pass through the ruleset.
2. Allowing by default
Everyone is allowed to access any service whatsoever, unless
explicitly blocked by some rule of the ruleset.
Very handy when lots of people run lots of services on lots of
machines freely, in an open, cooperative environment that encourages
sharing of data and/or services.
Very dangerous on networks that are somehow connected to "hostile"
environments, as many like calling today's Internet.
Any good book on firewall security will provide a lot more details and
deep insight on the issues involved in designing networks that have
secure, trusted, untrusted and "free for all to roam about" areas :)
I hope this helps a bit,
Giorgos
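The "block by default" style from point 1 above, written out as an ipfilter ruleset. This is an added example for this page, not part of Giorgos's message or of any FreeBSD documentation. The external interface fxp0, the server address 203.0.113.10, the administrators' network 192.0.2.0/24 and the passive FTP data port range 49152-49999 are all assumptions; the last one only holds if ftpd has actually been configured to hand out passive ports from that range.

```conf
# /etc/ipf.rules -- example "block by default" ruleset for a host running
# sshd and ftpd.  Assumptions (not from the original message): external
# interface fxp0, host address 203.0.113.10, administrators connect from
# 192.0.2.0/24, and ftpd only uses passive-mode data ports 49152-49999.
#
# ipfilter reads the whole list and the LAST matching rule wins, unless a
# matching rule carries "quick", which stops evaluation on the spot.  The two
# "block ... all" lines below are therefore the default for anything that no
# later "quick" rule claims.

block in  all
block out all

# Never filter loopback traffic.
pass in  quick on lo0 all
pass out quick on lo0 all

# Connections the server itself initiates (DNS, package fetches, and the
# active-mode FTP data connections ftpd opens from port 20 to the client).
# "keep state" lets the replies back in without a separate "pass in" rule.
pass out quick on fxp0 proto tcp  from 203.0.113.10 to any flags S keep state
pass out quick on fxp0 proto udp  from 203.0.113.10 to any keep state
pass out quick on fxp0 proto icmp from 203.0.113.10 to any keep state

# SSH: only from the administrators' network.
pass in quick on fxp0 proto tcp from 192.0.2.0/24 to 203.0.113.10 port = 22 flags S keep state

# FTP control channel: open to the world.
pass in quick on fxp0 proto tcp from any to 203.0.113.10 port = 21 flags S keep state

# FTP passive-mode data channels.  "><" is exclusive at both ends, so this
# matches 49152-49999.  Without this rule (or an FTP proxy) passive transfers
# hang after the control channel is up, which is the annoyance point 1 describes.
pass in quick on fxp0 proto tcp from any to 203.0.113.10 port 49151 >< 50000 flags S keep state

# Anything reaching this point is already blocked by the first two rules;
# logging it makes scans and probes visible through ipmon(8)/syslog.
block in log quick on fxp0 all

# For contrast, the "allow by default" style from point 2 would start with
#     pass in all
# and then list only what must be blocked, e.g. SSH from anywhere except
# the admin network:
#     pass  in quick on fxp0 proto tcp from 192.0.2.0/24 to 203.0.113.10 port = 22 flags S keep state
#     block in quick on fxp0 proto tcp from any to 203.0.113.10 port = 22
# Every new daemon is then reachable the moment it starts listening.
```

Load the file with `ipf -Fa -f /etc/ipf.rules` and confirm the order with `ipfstat -io`. The point to check before trusting a default-deny ruleset on ipfilter is the last-match semantics: a `pass in all` anywhere after `block in all`, without `quick` on the blocks, silently turns the ruleset into pass by default.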