
BLU Discuss list archive



[Discuss] web server can't see out but others can see in



On Thu, Sep 27, 2012 at 06:09:02PM +0000, Edward Ned Harvey (blu) wrote:
> > From: Derek Martin [mailto:invalid at pizzashack.org]
> > 
> > You can't attack a service that isn't
> > there, or can't hear you.
> 
> Why do we care about having a firewall at all?  Why don't we just
> shut off services that aren't necessary?

That is a fine question.  For a single box on a single network
connection, running only one service, you do not need a firewall.  The
only thing that's potentially vulnerable is the one service, and
you're already allowing it through.  Well, OK, there might be some
exotic IP stack bug that causes the world to explode into love when
you send it a packet on port 93432941 with just the right flags set,
so you need it for that -- maybe.  But then, what's so wrong with the
world exploding into love? =8^)

> To offer some protection against situations where you didn't intend
> for a service to be on.  

On a professionally managed box?  I hope not.  Your admins should be
able to figure out if they're running any services they didn't intend
to, and that should be a condition for deploying your new server.
Yes, it's an extra layer of protection, but if you're doing your job
right, it doesn't really DO anything, except maybe make people feel
better.

> Or - Sometimes there will be a vulnerability in one service that
> allows an attacker to create files on your system, while a
> vulnerability in some other service allows an attacker to execute
> code of some pre-existing file, etc.  

This is probably also not the reason you're running a firewall.
Unless you're blocking all unnecessary outgoing connections (and
probably even if you are), once an attacker is on your box, you've
already lost.  And how does your firewall stop an attacker from
exploiting some local vulnerability?

Firewalls are more generally useful because machines behind them also
need to be able to talk to other machines behind them.  So you run a
firewall so that any other services they are running which are used
internally (in your DMZ if you have one) are blocked externally.  But
it's far better to just not allow them to run other services, if you
can avoid it.  Ideally a web server should only ever run one service:
the web service.  But you probably need DNS, SSH, NTP, and some
database connection... maybe on different hosts, maybe on the same
host.  That's what your firewall is trying to protect.  And if you
were really smart, you did also block all outgoing connections, except
the specific ones you need, to the specific machines you need, and
then maybe you really did block that attacker that got onto your box
from doing anything too destructive.

But almost no one does that... 

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.
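The "block all outgoing connections, except the specific ones you need, to the specific machines you need" policy described at the end of the message, written out as an added nftables ruleset for a web server that only speaks HTTP/HTTPS inbound and needs DNS, NTP and a database outbound. This is an illustrative example, not part of the original thread; every address is a constructed placeholder (RFC 5737 documentation ranges) and the database port assumes PostgreSQL.

```nft
#!/usr/sbin/nft -f
flush ruleset

# Constructed placeholder addresses; replace with the real hosts.
define ADMIN_NET = 192.0.2.0/24      # where SSH sessions are allowed to come from
define RESOLVER  = 198.51.100.53     # the one DNS server this host may query
define NTP_HOST  = 198.51.100.123    # the one NTP server this host may sync to
define DB_HOST   = 203.0.113.10      # the database the web application talks to

table inet webserver {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # The one service this box exists to run.
        tcp dport { 80, 443 } accept
        # Admin access only from the management network, not the world.
        ip saddr $ADMIN_NET tcp dport 22 accept
        # Anything else is logged so an unexpected listener shows up in the logs.
        log prefix "web-in-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        # Each outbound need is pinned to one destination and one port.
        ip daddr $RESOLVER udp dport 53 accept
        ip daddr $RESOLVER tcp dport 53 accept
        ip daddr $NTP_HOST udp dport 123 accept
        ip daddr $DB_HOST  tcp dport 5432 accept
        # A process on this host trying to reach anywhere else is exactly the
        # post-compromise behaviour the thread describes; log it, then drop it.
        log prefix "web-out-drop: " drop
    }

    chain forward {
        # This host is not a router.
        type filter hook forward priority 0; policy drop;
    }
}
```

Load with `nft -f` and watch the kernel log for `web-out-drop:` entries, which are either a missing dependency you forgot about or a process that should not be making connections. In an `inet` table with `policy drop`, IPv6 neighbour discovery also needs explicit `icmpv6` accept rules if the host has IPv6 configured.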




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
