Mailinglist Archive: opensuse-factory (808 mails)

Re: [opensuse-factory] Integration of firewalld?

Hello,

On Aug 3 09:27 jdd wrote (excerpt):
On 03/08/2011 09:15, Johannes Meixner wrote:

Of course there are particular cases where opening a particular port
makes sense, but in general opening ports makes the firewall useless.

A port opening breaks security only if the listening daemon has
bugs, doesn't it?

Exactly.

And opening a daemon's port makes the firewall useless for this daemon,
and you must rely on this daemon having no bugs.


The problem of "trusted" networks in a home or small company network
is children and guests.

Most of the time the network is really to be trusted, but children may accidentally break the security (by installing a trojan) or hack for fun.

Guests may also come home with cracked computers and ask for connection.

When you let children and guests into your trusted network,
you must trust the children and guests.

If you do not trust the children and guests, you must not let them
into your trusted network.

If children are installing trojans or guests connect cracked computers
in your trusted network, you are doomed.

Therefore you must separate your trusted network from the rest
of your network and no longer let such children and guests into your
trusted network.

http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
---------------------------------------------------------------------
A trusted network means that you trust all users who can access
this network. A user who can connect a computer to a network
(e.g. a laptop where the user can work as "root") can send
and receive any network traffic. Such a user can eavesdrop
on the network and he can also fake any server machine in the
network (unless additional network switch hardware with an
appropriate setup limits the user's network access). ...
your trusted internal network traffic must be separated from the
other non-trusted network traffic. The best way to get different kinds
of network traffic separated is to use different networks.
The simplest and most secure solution to maintain separated networks
is to use separate network hardware.
...
The basic idea to increase the likelihood that your network security
is doomed is to mix up trusted and non-trusted network traffic
in one and the same network environment.
Save money and use the same network hardware for trusted and
non-trusted network traffic and, as a consequence, pay with
an increased likelihood that your network security is doomed.
---------------------------------------------------------------------


Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany
HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
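The point made in this thread, that every port opened toward a network you do not trust means relying on the listening daemon having no bugs, can be turned into a routine check of a firewalld configuration. The following is an added example, not code from the thread, from openSUSE or from the firewalld project: it parses zone definitions in the XML format firewalld keeps under /etc/firewalld/zones/, and reports every service or port opened in a zone that is not on a declared list of trusted zones, plus any interface bound to more than one zone. The zone files, the zone names and the trusted-zone policy below are constructed sample input, not taken from any real system.

```python
"""Audit firewalld zone definitions for exposures toward untrusted networks.

Added example: parses zone XML (the format firewalld stores under
/etc/firewalld/zones/) and flags services or ports opened in zones that
the operator has not declared trusted.  All zone definitions and the
trusted-zone policy here are constructed sample data.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample zone files. "internal" serves the wired LAN and offers
# CUPS (ipp) and ssh; "guest" is the separate guest WLAN, yet someone has
# opened the printer port there as well; "public" is the uplink with nothing
# opened.
SAMPLE_ZONES = {
    "internal": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <interface name="eth1"/>
  <service name="ipp"/>
  <service name="ssh"/>
</zone>""",
    "guest": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Guest</short>
  <interface name="wlan0"/>
  <port protocol="tcp" port="631"/>
</zone>""",
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <interface name="eth0"/>
</zone>""",
}

# Policy (constructed): zones whose users we trust in the sense of the thread,
# i.e. anyone who can plug into their interfaces is allowed to reach daemons.
TRUSTED_ZONES = {"internal", "trusted"}


@dataclass(frozen=True)
class Exposure:
    zone: str
    interfaces: tuple
    what: str  # e.g. "service:ipp" or "port:631/tcp"


def parse_zone(name, xml_text):
    """Return (interfaces, exposures) for one zone definition."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError(f"{name}: not a firewalld zone file (root is <{root.tag}>)")
    interfaces = tuple(e.get("name") for e in root.findall("interface"))
    exposures = [Exposure(name, interfaces, f"service:{s.get('name')}")
                 for s in root.findall("service")]
    exposures += [Exposure(name, interfaces, f"port:{p.get('port')}/{p.get('protocol')}")
                  for p in root.findall("port")]
    return interfaces, exposures


def audit_zones(zones, trusted=TRUSTED_ZONES):
    """Return human-readable findings for a mapping of zone name -> zone XML."""
    findings = []
    bound = {}  # interface -> zone that already claimed it
    for name, text in zones.items():
        interfaces, exposures = parse_zone(name, text)
        for iface in interfaces:
            if iface in bound:
                findings.append(f"interface {iface} is bound to both {bound[iface]} and {name}: "
                                f"traffic of both zones would share one network")
            bound[iface] = name
        if name in trusted:
            continue  # opening ports toward people you trust is the normal case
        for e in exposures:
            ifs = ", ".join(interfaces) or "no interface"
            findings.append(f"zone {name} ({ifs}) opens {e.what}: the firewall no longer "
                            f"protects this daemon; you rely on it having no bugs")
    return findings


if __name__ == "__main__":
    for line in audit_zones(SAMPLE_ZONES):
        print(line)
```

Run against a real system by reading each `/etc/firewalld/zones/*.xml` into the mapping keyed by the file's base name; the trusted set is the operator's decision, which is exactly the thread's point: no zone is trusted because the tool says so, only because you trust everyone who can plug into its interfaces.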