Re: SCO 5.0.7 AS FIREWALL

From: Bill Vermillion (bv_at_wjv.com)
Date: 05/25/05

    Date: Tue, 24 May 2005 23:05:06 GMT

    In article <cNidnRmREdaRPA7fRVn-iQ@comcast.com>,
    Tony Lawrence <foo@pcunix.com> wrote:
    >Jean-Pierre Radley wrote:
    >> pablo hernandez typed (on Tue, May 24, 2005 at 01:37:37PM -0700):
    >> | Jean-Pierre Radley <jpr@jpr.com> wrote in message news:<20050523205840.GC14018@jpradley.jpr.com>...
    >> | > pablo hernandez typed (on Mon, May 23, 2005 at 01:28:26PM -0700):
    >> | > | "Mainak Yajnik" <yajnikmp@gmail.com> wrote in message news:<1116860194.547203.244810@g44g2000cwa.googlegroups.com>...
    >> | > | > Dear Group:
    >> | > | >
    >> | > | > In my last thread I was unable to configure the box acting as router.
    >> | > | > Well, with the group's help I was able to do the needful.
    >> | > | >
    >> | > | > A special Thanx to Mr. Tony (aplawrance.com) & JP for helping me achieve
    >> | > | > my target.
    >> | > | >
    >> | > | > Apparently I found my server is accessible from Internet and is a security
    >> | > | > hazard for my organisation.
    >> | > | >
    >> | > | > I want to block Telnet on the server. I have already configured SSH and
    >> | > | > it is working fine.
    >> | > | >
    >> | > | > I also want to have the server to give me secure ftp login.
    >> | > | >
    >> | > | > My current Security setting of SCO box is set to Traditional.
    >> | > | >
    >> | > | >
    >> | > | > Mainak
    >> | > |
    >> | > | In my opinion it is better to install a hardware firewall like zysell on
    >> | > | the WAN side, then it is easy to configure it to only access some
    >> | > | services.
    >> | >
    >> | > Why is it any harder than doing it with ipf?
    >> |
    >> | In my humble opinion, an external wall cuts all WAN activity, but
    >> | the host can still serve the LAN.
    >> | On the conceptual side, an external wall is better than joining the
    >> | wall and castle.
    >> |
    >> | but this is only my humble opinion
    >>
    >> OK, I understand your point of view, but my question was why the
    >> conjoined wall is harder to configure than the separate wall? :-)

    >By default, most firewall appliances pass nothing inward that did not
    >originate inside. If indeed there is nothing you want initiated from
    >outside, you have no configuration other than its two addresses.

    >I absolutely agree that an external hardware firewall is easier.
    >Of course, I'm a fruitcake, so I run both an external hardware
    >fw and an internal hw firewall AND disable the services I don't
    >want. On top of that I'll add anything like pam that can give
    >me extra protection for the services I'm not running, that are
    >blocked by software fw rules, and that aren't set to pass through
    >the hw firewall anyway.. as I said, fruitcake.

    And external firewalls now tend to go for cheaper and we don't see
    as many designed to what most of the original HW firewalls were.

    Basically you have the outside, the machine protected by the
    bastion firewall in the middle, and then all your local machines
    on the inside. That means that if you run a webserver in the
    middle and someone breaks it, they still won't be able to get
    to the protected machines. Now that multi-port NICs are quite
    affordable, implementing a HW solution is less complex.

    GTA [I know the people there but I try to be neutral in my
    comments] can sell you their SW and you can build your own,
    or you can buy a premade device. It's one device that gives
    what you are doing with two hardware firewalls.

    And you aren't being a fruitcake, but building a system in the way
    that used to be highly recommended, before too many people said
    "that costs too much". In the end fixing one intrusion is usually
    far more expensive than really good HW devices.

    >My purpose is simply to protect myself from my own stupidity (an
    >abundant supply of that is always stocked), though it does help that I
    >can upgrade or temporarily disable any component without worrying much
    >about what will happen. On the con side, when I do want to let
    >something in, it becomes a real PITA - but it should be, imho. I had
    >quite an argument about just this subject recently: see
    >http://aplawrence.com/Security/valuefirewalls.html

    If you've really found a way to protect from admin stupidity you
    should be making MILLYUNS and MILLYUNS. :-)

    And if you have a 3-port HW device, configuring what you want to
    let in is a lot easier, and the tools are usually pretty decent.

    Bill

    -- 
    Bill Vermillion - bv @ wjv . com
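The "outside / bastion in the middle / protected inside" layout Bill describes, written as an IP Filter (ipf) ruleset for a three-interface box, as an added example that is not part of the thread. Interface names (ext0, dmz0, int0), the address ranges and the web server address are assumptions chosen for illustration; it closes telnet everywhere, keeps SSH as the admin path, and stops the bastion from initiating anything toward the protected LAN.

```conf
# Constructed example, not from the thread: three-interface ipf ruleset.
# Assumed layout:  ext0 = Internet side, dmz0 = bastion segment,
#                  int0 = protected LAN
# Assumed addresses: 192.0.2.0/24 = DMZ, 192.0.2.10 = web server in the DMZ,
#                    10.0.0.0/24 = protected LAN
# All rules use "quick", so the first match wins and the final blocks catch
# whatever nothing above has passed.

# Loopback is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: internal address ranges never arrive on the outside interface.
block in log quick on ext0 from 10.0.0.0/24 to any
block in log quick on ext0 from 192.0.2.0/24 to any

# Telnet is closed on every interface; return-rst makes clients fail fast.
block return-rst in log quick proto tcp from any to any port = 23

# Outside may open connections only to the web server in the middle, and only
# on the web ports; "keep state" lets the replies flow back out.
pass in quick on ext0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state
pass in quick on ext0 proto tcp from any to 192.0.2.10 port = 443 flags S keep state

# The bastion may never initiate anything toward the protected LAN, so a
# compromised web server cannot be used as a stepping stone inward.
block in log quick on dmz0 from 192.0.2.0/24 to 10.0.0.0/24

# The bastion may still resolve names and fetch updates outbound.
pass in quick on dmz0 proto udp from 192.0.2.0/24 to any port = 53 keep state
pass in quick on dmz0 proto tcp from 192.0.2.0/24 to any port = 80 flags S keep state
pass in quick on dmz0 proto tcp from 192.0.2.0/24 to any port = 443 flags S keep state

# Inside hosts reach the bastion only over SSH (the admin path) and may
# initiate anything toward the Internet; state covers the return traffic.
pass in quick on int0 proto tcp from 10.0.0.0/24 to 192.0.2.0/24 port = 22 flags S keep state
block in log quick on int0 from 10.0.0.0/24 to 192.0.2.0/24
pass in quick on int0 from 10.0.0.0/24 to any keep state

# Everything else, in either direction, is dropped and logged.
block in log quick all
block out log quick all
```

Load with `ipf -Fa -f <file>` and watch `ipmon` output while testing from each segment; a telnet attempt from anywhere should show up as a logged block, and nothing sourced from the DMZ should ever be logged as passed toward 10.0.0.0/24.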
    
