Hello,

On Aug 3 11:19 Rob Davies wrote (excerpt):
> On 3 August 2011 08:31, Johannes Meixner <jsmeix@suse.de> wrote:
>> If you use services in your internal network, you cannot protect them with firewalls inside your internal network.
>> You can only protect your whole trusted network with a firewall at the borderline of your trusted network.
>> If the protection at the borderline fails you are basically doomed.
>
> Actually I arranged to explicitly enable host IP addresses requiring access, detecting "unauthorised" accesses. Furthermore I took advantage of the subnetting. ... You can for instance arrange for a peer's DNS or NTP server UDP packets to pass, but generally block UDP on that interface as illegitimate.
I wonder why you seem to use firewalls inside your internal network to do this (i.e. with firewalls running on each host in the internal network)? Why don't you do this with a firewall at the borderline of your internal network (i.e. with a dedicated firewall machine that protects your whole internal network)?

If a malicious user is inside your internal network, neither explicit IP address requirements nor subnetting nor blocking what goes into your internal network helps. Therefore I still think that if the protection at the borderline fails you are basically doomed.

As far as I understand what we are talking about, the issue is about opening ports for services which are used in a trusted network on firewalls which run on hosts in the trusted network. We do not talk about whether it makes sense to have a firewall at the borderline of the trusted network. But - as far as I understand it - we talk about whether it makes sense to have a firewall running on hosts in a trusted network.

Furthermore it seems we talk about what is meant by "trusted".
From my point of view "trusted" means:
http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
------------------------------------------------------------------
A trusted network means that you trust all users who can access this network.
------------------------------------------------------------------

If something else is meant by "trusted" (e.g. a network where children install arbitrary software, or where arbitrary guests can connect their personal computers, or a university network where arbitrary students try to find out who is "the greatest hacker"), then such a network is not a trusted network from my point of view.

Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany
HRB 16746 (AG Nuernberg)
GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
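The per-host policy Rob describes in the quoted excerpt (explicitly enabled peer addresses, DNS/NTP UDP from designated servers passed, all other UDP on the interface treated as illegitimate and logged) can be written down as an nftables ruleset. The script below is an added example written for this page; it is not code from the thread, from openSUSE, or from the SDB article linked above. It assumes nftables on the host, an interface named eth0, a CUPS/IPP listener on TCP 631 as the local service (chosen because the linked SDB page is about CUPS and SANE), and constructed addresses from 192.0.2.0/24 (TEST-NET-1). It prints the ruleset rather than loading it, so it can be reviewed and syntax-checked first.

```shell
#!/bin/sh
# Added example, not from the opensuse-factory thread or openSUSE docs.
# Prints an nftables ruleset for one host inside a "trusted" LAN that
#   - lets only explicitly listed peer addresses reach the local service port,
#   - lets UDP from the designated DNS and NTP servers pass,
#   - logs and drops every other UDP packet arriving on that interface,
#   - logs unlisted hosts that probe the service port, then drops them,
#   - drops everything else by policy.
# Interface name, port and addresses are assumptions supplied as arguments.

# Shape check for IPv4 literals. Arguments are substituted into the ruleset
# text, so anything that is not a plain address (a CIDR, a stray rule
# fragment) is rejected instead of silently widening the policy.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_hostfw IFACE SVC_PORT DNS_PEER NTP_PEER [ALLOWED_PEER ...]
gen_hostfw() {
    iface=$1; svc_port=$2; dns_peer=$3; ntp_peer=$4
    shift 4

    for a in "$dns_peer" "$ntp_peer" "$@"; do
        is_ipv4 "$a" || { printf 'gen_hostfw: bad address: %s\n' "$a" >&2; return 2; }
    done

    # Build "a, b, c" for an nft anonymous set from the remaining arguments.
    peer_set=""
    for p in "$@"; do
        peer_set="${peer_set}${peer_set:+, }$p"
    done

    cat <<EOF
table inet hostfw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # UDP from the designated DNS and NTP servers (their service port as source).
    # With conntrack the established rule already passes replies; keeping the
    # explicit rule pins the peer address and keeps the policy reviewable.
    iifname "$iface" ip saddr $dns_peer udp sport 53 accept
    iifname "$iface" ip saddr $ntp_peer udp sport 123 accept
EOF
    if [ -n "$peer_set" ]; then
        printf '    # Only explicitly enabled hosts may reach the local service.\n'
        printf '    iifname "%s" ip saddr { %s } tcp dport %s accept\n' \
            "$iface" "$peer_set" "$svc_port"
    fi
    cat <<EOF
    # Any other UDP on this interface is treated as illegitimate: log, then drop.
    iifname "$iface" meta l4proto udp log prefix "hostfw-udp-drop: " drop
    # Unlisted hosts probing the service port are logged so they get noticed.
    iifname "$iface" tcp dport $svc_port log prefix "hostfw-svc-drop: " drop
  }
}
EOF
}

# Stand-alone use: sh hostfw.sh eth0 631 192.0.2.53 192.0.2.123 192.0.2.10 192.0.2.11
if [ "$#" -ge 4 ]; then
    gen_hostfw "$@"
fi
```

Redirect the output to a file and run `nft -c -f hostfw.nft` to syntax-check it before `nft -f hostfw.nft` loads it. The two `log` rules are what make Rob's "detecting unauthorised accesses" possible on the host itself; they are also where Johannes's objection bites, since a malicious user already on an enabled peer address passes the allow-list unchallenged.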