
Securing ports/services-tcp wrappers vs. config files/iptables


Ken Arnold

Mar 16, 2005, 10:44:53 AM

First, thanks in advance for any responses. I wanted to get some
opinions on securing services in Linux. Right now, my boss wants me to
use tcp wrappers to secure things. This works, but as far as I know,
this isn't really the way things are done now. Apache, Samba, and I'm
sure others have security rules (allow from, allow/deny) in the config
file and it seems that more and more people are using iptables to secure
access.

Are tcp wrappers still widely used or is it better to secure things
via the config files and/or iptables? Thanks.

Ken.

Moe Trin

Mar 17, 2005, 8:51:36 PM
In article <yuYZd.36500$5T6....@bignews4.bellsouth.net>, Ken Arnold wrote:

>Right now, my boss wants me to use tcp wrappers to secure things.

If the boss wants you to use tcp_wrappers, then it's probably a good
idea as far as job future is considered.

>This works, but as far as I know, this isn't really the way things are
>done now. Apache, Samba, and I'm sure others have security rules (allow
>from, allow/deny) in the config file and it seems that more and more people
>are using iptables to secure access.

The other minor problem is that some applications are not (by default)
either using tcp_wrappers or are not compiled with libwrap. The tcp_wrappers
configuration files are useless for them.

>Are tcp wrappers still widely used or is it better to secure things
>via the config files and/or iptables?

Yes. ;-) A lot depends on what you are trying to do. We use
firewall rules at the perimeter, so many (if not all) applications don't
even see the connection. The visible systems are in the DMZ, and have some
additional firewalling done there. The internal systems are behind still
another firewall, and (if the application is aware of tcp_wrappers) may
also have a hosts.allow entry or a configuration access control, or in a
few cases both. To some extent, it's efficiency, or precision of control
that is the deciding factor.

Old guy
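
A check for the point in the reply above that the tcp_wrappers configuration files do nothing for applications not compiled with libwrap. This is an added example, not part of the thread; the function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: can hosts.allow / hosts.deny affect this daemon at all?
# Limits: a statically linked libwrap does not appear in ldd output, and a
# service started from inetd through tcpd is wrapped without linking libwrap.
# Run ldd only on binaries you trust.

# uses_libwrap: read ldd output on stdin; succeed if libwrap resolved to a path.
uses_libwrap() {
    grep -Eq '^[[:space:]]*libwrap\.so(\.[0-9]+)*[[:space:]]+=>[[:space:]]+/'
}

# classify: turn ldd output on stdin into a one-word verdict.
classify() {
    if uses_libwrap; then echo "libwrap"; else echo "no-libwrap"; fi
}

# wrapper_status BINARY: report on a real executable on this host.
wrapper_status() {
    if [ ! -x "$1" ]; then
        echo "$1: missing"
    else
        echo "$1: $(ldd "$1" 2>/dev/null | classify)"
    fi
}

# Constructed ldd output (illustrative paths and addresses) for two daemons.
sample_wrapped() {
    cat <<'EOF'
    libwrap.so.0 => /lib/libwrap.so.0 (0x00007f0000200000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000000000)
EOF
}
sample_unwrapped() {
    cat <<'EOF'
    libssl.so.1 => /lib/libssl.so.1 (0x00007f0000400000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000000000)
EOF
}

echo "sample built with libwrap:    $(sample_wrapped | classify)"
echo "sample built without libwrap: $(sample_unwrapped | classify)"
# Any paths given on the command line are checked on the local system.
for bin in "$@"; do wrapper_status "$bin"; done
```

A daemon that reports `no-libwrap` and is not started through tcpd has to be restricted in its own configuration file or by firewall rules instead.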
