Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

ipfilter security

0 views
Skip to first unread message

Fernando Ronci

unread,
Dec 23, 2002, 3:47:12 PM12/23/02
to
Hi,

Why do many "security" people (not here though) claim that the sole
use of ipfilter as a firewall is not enough, and that the whole
system's security can be compromised ?
In other words, they say natted machines on the LAN can be easily
reached from the outside.
I do think if the version of ipfilter used is not buggy and rules
properly configured, natted hosts are unreachable from the outside. Am
I wrong ?

Thank you,

Fernando Ronci
E-mail: fernan...@hotmail.com

Anthony Lawrence

unread,
Dec 23, 2002, 6:05:08 PM12/23/02
to
Fernando Ronci wrote:
> Hi,
>
> Why do many "security" people (not here though) claim that the sole
> use of ipfilter as a firewall is not enough, and that the whole
> system's security can be compromised ?

I'm not sure people have said exactly that.


For example, what I have said more than once is that I don't think
production servers should be directly attached to the net. I think they
should always be reached only through one or more other firewalls that
are doing nothing BUT act as a filter for the internal machines. That's
not to say that the internal machines shouldn't also be configured
securely (as though they were directly connected - in other words,
non-essential services shut off, security patches reasonably current,
packet filtering in place etc.).

There are several reasons I hold that opinion:

o More security is always better than less. Important resources should
have better protection.

o Internal servers are apt to lag behind in patches and OS updates
simply because such things may affect critical apps running theron.
Firewalls that do nothing but security won't be crippled by that need.

o Internal servers are apt to lag behind in patches and OS updates
because financial people don't want to spend money on something that
works. It's easier (and often cheaper for various reasons) to keep a
separate firewall up to date than an internal production server.

o Internal servers are more subject to accidental security problems such
as incorrect permissions. This is often done (again) in the interests
of making applications easier.

o Internal servers are quite apt to have dozens of accounts with weak
passwords. It's generally easier to enforce strong password policy for
external access. Such access can also be limited to only the accounts
that reallly need it. Joe has to login 2 or 3 times if he's coming in
remotely, but he won't usually object to that as much as having a long
internal password. And if he does object, it's an easier battle to fight.

o Internal servers are (obviously) already open for access to inside
people who can accidentally or on purpose open up more access by their
actions. It's often necessary or expedient to give relatively
unsophisticated users some system level access for routine maintenance.
Such access is not necessary on a dedicated firewall.

o Internal servers may need to advertise services that are dangerous on
the Internet. Yes, you can and should filter those services but even
better is not even have them ever get near the outside world in the
first place. If services are accidentally turned on, or local filter
rules forgot to account for the outside world, it won't matter if the
firewall is rigorously blocking everything that is not explicitly allowed.

I'm sure there is more others can add, but this should be enough. In my
opinion, it's just dumb to have an internal server with a public interface.


--
Tony Lawrence
Free Linux Skills Test: http://aplawrence.com/skillstest.html

gbur...@databasix.com

unread,
Dec 24, 2002, 9:49:52 AM12/24/02
to
Fernando Ronci <fernan...@hotmail.com> wrote:
> Hi,

> Why do many "security" people (not here though) claim that the sole
> use of ipfilter as a firewall is not enough, and that the whole
> system's security can be compromised ?

Unless you use IPFilter to block in and out on EVERY possible port, it's
not enough. Of course, with every possible port closed, you can't get to
the internet.

> In other words, they say natted machines on the LAN can beeasily \


> reached from the outside.
> I do think if the version of ipfilter used is not buggy and rules
> properly configured, natted hosts are unreachable from the outside. Am
> I wrong ?

Huh?

Tom Parsons

unread,
Dec 24, 2002, 11:17:06 AM12/24/02
to sco...@xenitec.on.ca
gbur...@databasix.com enscribed:

| Fernando Ronci <fernan...@hotmail.com> wrote:
| > Hi,
|
| > Why do many "security" people (not here though) claim that the sole
| > use of ipfilter as a firewall is not enough, and that the whole
| > system's security can be compromised ?
|
| Unless you use IPFilter to block in and out on EVERY possible port, it's
| not enough. Of course, with every possible port closed, you can't get to
| the internet.

There are two ways to configure ipfilter (and many other firewalls).

Block those services you don't want to allow in.
This method has never made sense to me but....
Block everything, then allow certain exceptions.

Any time you allow any service through the firewall there is a possibility
of an intruder. It is the administrators job to minimize that risk.

If you are running a smptserver, you almost have to leave it open to the
world.

If you want to allow ssh access or access to other ports from certain clients,
don't write a rule that allows access from the entire world, write rules that
restrict access to each clients ip address.

It doesn't make a lot of sense to run tcp wrappers behind the firewall
unless you cannot sufficiently restrict the port at the firewall.
By the time a intruder gets to tcp wrappers or other internal filtering
program, he is already inside your firewall.

--
==========================================================================
Tom Parsons t...@tegan.com
==========================================================================

Gary L. Burnore

unread,
Dec 24, 2002, 8:28:40 PM12/24/02
to
On Tue, 24 Dec 2002 16:17:06 GMT, Tom Parsons <c...@tegan.com> wrote:

>
>It doesn't make a lot of sense to run tcp wrappers behind the firewall
>unless you cannot sufficiently restrict the port at the firewall.
>By the time a intruder gets to tcp wrappers or other internal filtering
>program, he is already inside your firewall.

I disagree with this, Tom. It's better to do both. Especially if you,
as the admin, aren't also the firewall person too. You can't know what
mistake they might make or what bug someone might find through the
firewall. You've got to protect the data on the server as if no
firewall existed.


0 new messages