
Hello,

On Aug 3 10:14 jdd wrote (excerpt):
On 03/08/2011 09:55, Johannes Meixner wrote:
And opening a daemon's port makes the firewall useless for this daemon and you must rely on that this daemon has no bugs.
yes
This is what I liked to point out all the time.
If children are installing trojans or when guests connect cracked computers in your trusted network, you are doomed.
that's a reason to have a firewall in every computer :-)
Of course "to be on the safe side you should not switch off the firewall".
Therefore you must separate your trusted network from the rest of your network and no longer let such children and guests in your trusted network.
this is not always (often) possible. We have to share the printer, for example, to come back to the thread object.
When non-trusted users should be able to use your printing service you may have the CUPS server in the non-trusted network. When you need trusted printing, you cannot let non-trusted users also access your printing service. This means you would have to buy a second printer. Of course for a home network this is probably overkill. Usually you set up something which provides reasonable security for your particular environment. But for a company network, it should not matter to pay the price for a separated printer for the separated network for guests.
It's also why I prefer to have a network printer
In this case you rely on that the services which run on your network printer have no bugs. Have in mind that nowadays network printers run several web-services like an HTTP server, often an FTP server, often several other services too.

If a malicious user can compromise the services which run in your network printer or if a malicious user can even replace the whole software which is in your network printer (e.g. via firmware upload), you have a full network capable device in your internal network which can be remote controlled by the malicious user.

When a device looks like a printer, acts like a printer, and sounds like a printer, that device could be a computer.

You may Google for "network printer security risk". Happy frightening! ;-)

Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH -- Maxfeldstrasse 5 -- 90409 Nuernberg -- Germany
HRB 16746 (AG Nuernberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer