Firewall Configuration Question... Is this possible?

Tim Patterson tim at linux.a-f.k12.mi.us
Wed Aug 3 00:49:17 CEST 2005


This wasn't meant to cause an outburst of security concerns...  I'm trying
to develop some custom software for a University that will allow remote
access to certain aspects of the firewall.  This is no more of a security
risk than an embedded web server inside a router that is used for
configuration.  

I work for a University...  a .edu in an e-mail address isn't humiliating,
it is an honor.  It's not my fault that a few .edu airheads ruined our rep.

-----Original Message-----
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of R. DuFresne
Sent: Tuesday, August 02, 2005 2:04 PM
To: Jan Engelhardt
Cc: netfilter; /dev/rob0
Subject: Re: Firewall Configuration Question... Is this possible?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 2 Aug 2005, Jan Engelhardt wrote:

>
>> doable, but not advised, a firewall should be single purpose, most servers
>> should be single purpose where possible.  But then this is not often the case.
>> But a firewall certainly should be a single purpose system much like a router
>> is, they do similar work anyways.
>
> Having many servers has two disadvantages: Power consumption and
> administration expense (you gotta install and upgrade each of them).
> A "service split" [for load balance] is not bad, but you can also overdo it.
>

security basics 101, servers have their single purpose.  Makes monitoring 
for patches for that specific service for that admin easier, makes for not 
a single point of failure, and is more important for the network choke 
points such as FW's.  Of course, I'm coming at this with a corporate 
perspective, not a little home network.



>> putting a web server on the firewall makes the firewall and the whole internal
>> network subject to any issues that the web services now face, plus you now have
>> to allow another set of ports/protocols directly to the system and not merely
>
> You don't run a webserver with root.

Of course not, but surely you understand once a shell is gotten on a 
system getting root is usually trivial, especially in most default 
installs whence everything and the kitchen sink go in.  Few folks 
actually do minimal installs these days, and many distributions of Linux, 
and I'm guessing a number of the *BSD's are a pain to minimalize.  Same is 
getting to be more and more true of the major vendored unix's as well.


As many have stated, it also depends upon your security posture, and the 
importance of what you are protecting.  Now if I recall the admin in 
question that raised the issue had a .edu in their address.  They have 
been most notorious for *not*  doing the right thing and trying to 
"conserve" resources to the extent that they tend to be the bane of most 
corporate and home user systems/networks due to their users exploiting 
easily the weaknesses that tend to be inherent in their design and 
deployment.  Thus my emphasis in this regard in stating the better 
implementation.  Now if you really wanna argue further these basics, I'd 
invite you to the firewall wizards list to talk about minimal security 
design implementations and what does not work in actually trying to secure 
a network.

Thanks,

Ron DuFresne
<doable does not imply best practice>
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

....We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC77V6st+vzJSwZikRAieXAKCwkqu0TxY8ODhUCs9UzNh0h0h3rACfYNbR
/iE6/PiSusxtPlbMyHrE69Y=
=QeMp
-----END PGP SIGNATURE-----





