RE: [suse-security] Is it iptables enough?
SuSEFirewall is just an administration wrapper for iptables.
-----Original Message----- From: John [mailto:isofroni@cc.uoi.gr] Sent: Friday, January 30, 2004 12:49 PM To: suse-security@suse.com Subject: [suse-security] Is it iptables enough?
Is it iptables enough with the built-in firewall to secure a SL 9.0 box?
This electronic message transmission is a PRIVATE communication which contains information which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, please be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. Please notify the sender of the delivery error by replying to this message, or notify us by telephone (877-633-2436, ext. 0), and then delete it from your system.
Original message from "Sturgis, Grant" <Grant.Sturgis@arraybiopharma.com>:
SuSEFirewall is just an administration wrapper for iptables.
-----Original Message----- From: John [mailto:isofroni@cc.uoi.gr] Sent: Friday, January 30, 2004 12:49 PM To: suse-security@suse.com Subject: [suse-security] Is it iptables enough?
Is it iptables enough with the built-in firewall to secure a SL 9.0 box?
I want to strengthen the security as much as possible. For example, I want nobody to be able to send a packet (tcp, icmp, udp, ...) to my machine except a known IP (say 10.10.10.1). Is iptables sufficient then, or can it be cracked with intelligent software?
Hi there,
it must be clear to you that there is never 100% security, that's why actually nothing is "enough". It depends on how valuable your information is, but for normal use iptables will be sufficient to restrict access to a known IP. Just be aware that a lot of rules can be circumvented by IP-Spoofing or false MAC-addresses, but on the other side that is not easy to do either.
Greetings, Ralf
isofroni@cc.uoi.gr wrote:
I want to strengthen the security as much as possible. For example, I want nobody to be able to send a packet (tcp, icmp, udp, ...) to my machine except a known IP (say 10.10.10.1).
Is iptables sufficient then, or can it be cracked with intelligent software?
Thanks Ralf. Definitely, mac spoofing is quite hard, isn't it? Can iptables be cracked? What vulnerabilities exist regarding iptables?
----- Original Message ----- From: "Ralf Ronneburger" <ralf@ronneburger.de> To: <suse-security@suse.com> Sent: Monday, February 02, 2004 11:01 AM Subject: Re: [suse-security] Is it iptables enough?
Hi there,
it must be clear to you that there is never 100% security, that's why actually nothing is "enough". It depends on how valuable your information is, but for normal use iptables will be sufficient to restrict access to a known IP. Just be aware that a lot of rules can be circumvented by IP-Spoofing or false MAC-addresses, but on the other side that is not easy to do either.
Greetings,
Ralf
isofroni@cc.uoi.gr wrote:
I want to strengthen the security as much as possible. For example, I want nobody to be able to send a packet (tcp, icmp, udp, ...) to my machine except a known IP (say 10.10.10.1).
Is iptables sufficient then, or can it be cracked with intelligent software?
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-----Original Message----- From: John [mailto:isofroni@cc.uoi.gr] Sent: 02 February 2004 12:05 To: suse-security@suse.com Subject: Re: [suse-security] Is it iptables enough?
Thanks Ralf.
Definitely, mac spoofing is quite hard, isn't it?
Doesn't look like it..... http://www.alobbs.com/modules.php?op=modload&name=macc&file=index
Tom.
John wrote:
Thanks Ralf.
Definitely, mac spoofing is quite hard, isn't it?
Depending on the hardware, it's not difficult at all. See the -H option at: http://www.scyld.com/diag/
Can iptables be cracked? What vulnerabilities exist regarding iptables?
Is any software perfect?
-- Until later, Geoffrey Registered Linux User #108567 Building secure systems in spite of Microsoft
Hi, Geoffrey wrote:
John wrote:
Definitely, mac spoofing is quite hard, isn't it?
Depending on the hardware, it's not difficult at all. See the -H option at:
no other tool than ifconfig necessary: from man ifconfig
hw class address
Set the hardware address of this interface, if the device driver supports this operation. The keyword must be followed by the name of the hardware class and the printable ASCII equivalent of the hardware address. Hardware classes currently supported include ether (Ethernet), ax25 (AMPR AX.25), ARCnet and netrom (AMPR NET/ROM).
So, 'ifconfig hw ether [address]' works for me ;-)
GTi
On Mon, 2 Feb 2004, Geoffrey wrote:
John wrote:
Thanks Ralf.
Definitely, mac spoofing is quite hard, isn't it?
Depending on the hardware, it's not difficult at all. See the -H option at:
Mac spoofing is quite easy to do. It can easily be accomplished even by amateurs. Most low-end firewalls and routers offer it as a feature to circumvent PPPoE restrictions on single MAC addresses.
Can iptables be cracked? What vulnerabilities exist regarding iptables?
I am not aware of any documented case of IP Tables failing. It's easy to misconfigure your firewall script, however. IPTables operates at the kernel level, and it's conceivable that some clever shithead could write a kernel module that alters IPTables' behavior in a way that nullifies its protection of your server. Remember, a rootkit gives anyone who accesses it absolute power over the server to do anything they want, including poisoning your detection mechanisms.
There is no such thing as perfect security. The best you can hope for is "adequate", and adequate is defined on a constantly changing sliding scale. Additionally, most of the time confirmation that your security policy is inadequate or insufficient comes after a break-in.
Apply the tightest policy your users and management will allow, and constantly push for tighter control of the network. You will not regret it.
-- -linux_lad ICQ 115601915 pub key on request
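One way to catch the firewall-script misconfiguration mentioned above, as an added example that is not part of the original thread: a shell function that audits `iptables-save` output against the "only 10.10.10.1 may reach this host" policy from the question. The function name `audit_input` and both sample rulesets are constructed for illustration.

```shell
# Added example (not from the thread): audit `iptables-save` output against the
# policy John describes: INPUT accepts nothing except one known peer.
# audit_input ALLOWED_IP: reads iptables-save text on stdin, prints one
# finding per line, and returns 0 only when there are no findings.
audit_input() {
    awk -v ip="$1" '
    function bad(msg) { print msg; n++ }
    /^\*/ { table = $1 }                      # *filter, *nat, *mangle ...
    table != "*filter" { next }
    /^:INPUT / {
        seen = 1
        if ($2 != "DROP") bad("INPUT policy is " $2 ", expected DROP")
    }
    $1 == "-A" && $2 == "INPUT" {
        src = ""; iface = ""; target = ""
        for (i = 3; i < NF; i++) {            # a leading "!" negates the match
            if ($i == "-s") src = ($(i-1) == "!" ? "!" : "") $(i+1)
            if ($i == "-i") iface = ($(i-1) == "!" ? "!" : "") $(i+1)
            if ($i == "-j") target = $(i+1)
        }
        if (target != "ACCEPT" || iface == "lo") next   # loopback is fine
        if (src == ip || src == ip "/32") next          # the one allowed peer
        bad("ACCEPT wider than " ip ": " $0)
    }
    END {
        if (!seen) bad("no INPUT chain in filter table")
        exit (n > 0)
    }'
}

# Constructed sample rulesets in iptables-save / iptables-restore format.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.10.10.1/32 -j ACCEPT
COMMIT'

BAD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 10.10.10.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -s 10.10.10.1/32 -j DROP
COMMIT'

printf '%s\n' "$GOOD_RULES" | audit_input 10.10.10.1 && echo "good ruleset: OK"
printf '%s\n' "$BAD_RULES" | audit_input 10.10.10.1 || echo "bad ruleset: findings above"
```

On a live host the same check is `iptables-save | audit_input 10.10.10.1`, run as root. It verifies only that the rules match the stated policy; a source-address match does not authenticate the sender.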
----- Original Message ----- From: "-linux_lad" <john@linuxlad.org> To: "Geoffrey" <esoteric@3times25.net> Cc: <suse-security@suse.com> Sent: Monday, February 02, 2004 7:55 PM Subject: Re: [suse-security] Is it iptables enough?
On Mon, 2 Feb 2004, Geoffrey wrote:
John wrote:
Thanks Ralf.
Definitely, mac spoofing is quite hard, isn't it?
Depending on the hardware, it's not difficult at all. See the -H option at:
Mac spoofing is quite easy to do. It can easily be accomplished even by amateurs. Most low-end firewalls and routers offer it as a feature to circumvent PPPoE restrictions on single MAC addresses.
Can iptables be cracked? What vulnerabilities exist regarding iptables?
I am not aware of any documented case of IP Tables failing. It's easy to misconfigure your firewall script, however. IPTables operates at the kernel level, and it's conceivable that some clever shithead could write a kernel module that alters IPTables' behavior in a way that nullifies its protection of your server. Remember, a rootkit gives anyone who accesses it absolute power over the server to do anything they want, including poisoning your detection mechanisms.
There is no such thing as perfect security. The best you can hope for is "adequate", and adequate is defined on a constantly changing sliding scale. Additionally, most of the time confirmation that your security policy is inadequate or insufficient comes after a break-in.
Apply the tightest policy your users and management will allow, and constantly push for tighter control of the network. You will not regret it.
-- -linux_lad ICQ 115601915 pub key on request
All right, how can an attacker detect the MAC address that I permit to connect to my system (or even an IP address (IP spoof))? Is there any tool or technique, or something like that? Thanks in advance!
Hi John,
that's also perfectly easy unless your 2 boxes are connected with a cross-over-cable directly, but then you wouldn't need iptables ;-). The packages have to go through some hubs, switches or routers and there are always ways to find out who's talking to whom. As I said - it just depends on how valuable the information transferred is and on how well it's protected. But to be not too paranoid (although there is no such thing as being too paranoid) - for most cases to filter by IP and MAC-Address should be perfectly suited, if you're not running bank-transfers over it ;-).
Greetings, Ralf
John wrote:
All right, how can an attacker detect the MAC address that I permit to connect to my system (or even an IP address (IP spoof))?
Is there any tool or technique, or something like that?
Thanks in advance!
--
Ralf Ronneburger ralf@ronneburger.de
Prefers to receive encrypted Mail, download public-key from http://www.ronneburger.de/gpg/ralf_ronneburger.asc
"The trouble with computers is that they do what you tell them, not what you want." -- D. Cohen
participants (8): -linux_lad; Geoffrey; isofroni@cc.uoi.gr; John; Martin Peikert; Ralf Ronneburger; Sturgis, Grant; Tom Knight