Mailinglist Archive: opensuse-factory (808 mails)

Re: [opensuse-factory] Integration of firewalld?
On 3 August 2011 13:03, Johannes Meixner <jsmeix@xxxxxxx> wrote:

I wonder why you seem to use firewalls inside your internal network
to do this (i.e. with firewalls running on each host in the internal
network)?

Why don't you do this with a firewall at the borderline of your
internal network (i.e. with a dedicated firewall machine that
protects your whole internal network)?

If a malicious user is inside your internal network
neither explicit IP address requirements nor subnetting
nor blocking what goes into your internal network helps.

The problem seems to be you are thinking of "firewall", whereas I
answered a question about why you may want to filter packets or
restrict access to services, in what is meant to be a "trusted"
network.

If you are in a large corporate network, then other people in other
departments may be in charge of the corporate Internet "firewall", you
cannot "balkanise" physically and branch offices require connection to
services; because the infrastructure is shared for cost, flexibility &
practical reasons. Modems may be less common now, but such was a
possibility for subverting a corporate firewall; perhaps VPNs are
more common nowadays.

The "trusted" vs "external" is, as I think I said before, too black &
white and fails in real world situations, where not every employee is
impeccable and departments can have conflicts of interest. For
example, one department may be spun off and sold to a commercial rival of
another part of the corporation. Furthermore, one department may
minimise disruption, whereas another that's open and poorly
administered may be completely compromised.

These are things I have personally experienced, it's the real world.

Rob
