Hello,

On Aug 3 09:27 jdd wrote (excerpt):
> On 03/08/2011 09:15, Johannes Meixner wrote:
>> Of course there are particular cases where opening a particular port makes sense, but in general opening ports makes the firewall useless.
> A port opening breaks security only if the listening daemon has bugs, doesn't it?
Exactly. And opening a daemon's port makes the firewall useless for this daemon, and you must rely on this daemon having no bugs.
> The problem of "trusted" networks in home or small company networks is children and guests.
> Most of the time the network is really to be trusted, but children may accidentally break the security (installing a trojan) or hack for fun.
> Guests may also come home with cracked computers and ask for a connection.
When you let children and guests into your trusted network, you must trust the children and guests. If you do not trust the children and guests, you must not let them into your trusted network. If children are installing trojans or guests connect cracked computers in your trusted network, you are doomed. Therefore you must separate your trusted network from the rest of your network and no longer let such children and guests into your trusted network.

http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
---------------------------------------------------------------------
A trusted network means that you trust all users who can access this network. A user who can connect a computer to a network (e.g. a laptop where the user can work as "root") can send and receive any network traffic. Such a user can eavesdrop on the network and he can also fake any server machine in the network (unless additional network switch hardware with an appropriate setup limits the user's network access).
...
your trusted internal network traffic must be separated from the other non-trusted network traffic. The best way to get different kinds of network traffic separated is when different networks are used. The simplest and most secure solution to maintain separated networks is when separated network hardware is used.
...
The basic idea to increase the likelihood that your network security is doomed is to mix up trusted and non-trusted network traffic in one and the same network environment. Save money and use the same network hardware for trusted and non-trusted network traffic and, as a consequence, pay with an increased likelihood that your network security is doomed.
---------------------------------------------------------------------

Kind Regards
Johannes Meixner
-- 
SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany
HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
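The separation Johannes argues for, expressed as SuSEfirewall2 settings. This is an added example, not code from the thread or from the SDB page: two constructed /etc/sysconfig/SuSEfirewall2 fragments (the weak one puts everybody on a single NIC and opens the CUPS port on the external zone, so the firewall no longer protects cupsd from anyone on that segment; the corrected one keeps the trusted LAN on a separate NIC declared as the internal zone and leaves the external zone closed) and a small POSIX shell check that lists what a fragment opens on the external zone. The interface names eth0/eth1 and the choice of 631/tcp as the CUPS port are assumptions; the variable names FW_DEV_EXT, FW_DEV_INT, FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP, FW_CONFIGURATIONS_EXT and FW_PROTECT_FROM_INT are SuSEfirewall2's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the SDB page).
# Assumptions: eth0 faces the shared/guest segment, eth1 is a separate NIC for
# the trusted LAN, and 631/tcp is the CUPS (IPP) port.

# Weak setting: one NIC for trusted users and guests alike, and the CUPS port
# opened on the external zone.  Every host on eth0 can now reach cupsd directly.
WEAK_CONFIG='FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP="631"
FW_SERVICES_EXT_UDP=""
FW_CONFIGURATIONS_EXT=""
FW_PROTECT_FROM_INT="no"'

# Corrected setting: the trusted LAN has its own NIC (eth1) declared as the
# internal zone, guests stay on eth0 (external), and nothing is opened there.
HARDENED_CONFIG='FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_CONFIGURATIONS_EXT=""
FW_PROTECT_FROM_INT="no"'

# exposed_ext_services CONFIG_TEXT
# Prints one "VARIABLE:item" line for every port or service configuration
# opened on the external zone; prints nothing when that zone is fully closed.
exposed_ext_services() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            FW_SERVICES_EXT_TCP=*|FW_SERVICES_EXT_UDP=*|FW_CONFIGURATIONS_EXT=*)
                key=${line%%=*}
                value=${line#*=}
                value=${value#\"}          # strip the surrounding double quotes
                value=${value%\"}
                for item in $value; do     # values are space-separated lists
                    printf '%s:%s\n' "$key" "$item"
                done
                ;;
        esac
    done
}

# ext_zone_closed CONFIG_TEXT
# Succeeds (exit 0) only when nothing is opened on the FW_DEV_EXT interfaces.
ext_zone_closed() {
    [ -z "$(exposed_ext_services "$1")" ]
}

# Usage: report what each fragment would expose to the untrusted segment.
echo "weak config opens on the external zone:"
exposed_ext_services "$WEAK_CONFIG"
echo "corrected config opens on the external zone:"
exposed_ext_services "$HARDENED_CONFIG"
```

Run against a real /etc/sysconfig/SuSEfirewall2 the same way, e.g. `exposed_ext_services "$(cat /etc/sysconfig/SuSEfirewall2)"`; each line it prints is a daemon whose own robustness you are relying on instead of the firewall, which is exactly the trade-off the thread describes.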