Hi,

at home I use a modem connection to my provider and up to now have tcpd installed to do basic access restrictions. So my /etc/hosts.deny forbids in principle everything to the outside world.

Is it really necessary to use instead a firewall for such dial-up connections? Which arguments could you find from a security point of view???

Actually I'd prefer to stick with this simple solution, but maybe someone has convincing arguments against this approach...

Regards,
Marko

--
Dr. Marko Käning
Tel/Fax: +49-3834 554 442 / -3834 554 301
INP Greifswald
email: kaening@inp-greifswald.de
So what happens to services whose access is not controlled by tcpwrappers? Say somehow you have mysqld running in the background. Anyone from the net would be able to access your system via mysql, and if there was a vulnerability in it they could exploit it; the same would go for a service like sendmail etc. But an ipchains firewall with a default-to-deny policy could be configured to only allow in those connections you need and by default block all other connections.
The basic premise of any type of security is defense in depth. Programmers, maintainers, users, and network admins (like you) ALL make mistakes.

One example is with openssh on SuSE 7.0 not being compiled with libwrap support... That would be a maintainer problem, and you could be forgiven for setting up your hosts.access system and not testing whether sshd was actually denying the connections it should be...

Running MySQL and not adding --skip-networking to /etc/rc.d/mysql if you don't need a network socket would be an example of a mistake made by you...

A buffer overflow would be a programming mistake... everyone makes them, and that is why security consultants like myself (and half of the rest of the list) will have a very lucrative job for many years to come...

The only way to defend against mistakes, both yours and others', is to put as many checks in as possible. Therefore, if you have a pop server that needs to only accept connections from a certain ip range(s) you would:

a) Deny ALL, and allow the specific range with tcp wrappers
b) Deny ALL, and allow the specific range with a host based firewall like SuSEfirewall
c) Deny ALL, and allow the specific range with a frontline network firewall. (This is more likely to be something like FW-1, Gauntlet or PIX, but could be something simple like SuSEfirewall running on a standalone server)
d) Deny ALL, and allow the specific range on your border router. (All but the cheapest of routers have at least some basic ACL capabilities)

You can see how this would stop a problem with up to 3 of your 4 checks from compromising the security of your system...

I hope that helped...

Regards
---
Nix - nix@susesecurity.com
http://www.susesecurity.com
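The two gaps named in the replies above, a daemon that tcpd never sees (the mysqld case) and a daemon that was built without libwrap so hosts.deny never applies to it (the sshd case), can both be found by walking the listening sockets and asking, for each one, whether tcp wrappers is actually in the path. The audit script below is an added example, not code from this thread or from SuSE. To run offline it works on constructed samples of `netstat -tlnp`, `ldd` and `/etc/inetd.conf` output (the ports, program names and library lists are all made up); on a real host you would feed it the live command output named in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): which listening TCP services can tcpd
# actually protect?  A daemon honours /etc/hosts.deny only if it is started
# through tcpd from inetd.conf, or if the binary itself links libwrap.
# Everything else is reachable regardless of hosts.deny, which is exactly the
# gap a default-deny packet filter closes.
#
# All inputs below are CONSTRUCTED so the script runs offline.  On a real
# host replace them with:  netstat -tlnp,  ldd "$(command -v PROG)",
# /etc/inetd.conf and /etc/services.

# Constructed `netstat -tlnp` output.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 412/sshd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 530/mysqld
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 201/inetd
tcp 0 0 0.0.0.0:79 0.0.0.0:* LISTEN 201/inetd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 318/sendmail'

# Constructed /etc/inetd.conf: pop3 goes through tcpd, finger does not.
SAMPLE_INETD='pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper
finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd'

# Constructed `ldd` output per program.  sshd deliberately lacks libwrap,
# mirroring the SuSE 7.0 openssh case mentioned above.
ldd_sample() {
  case "$1" in
    sshd)     printf 'libcrypto.so.0.9 => /usr/lib/libcrypto.so.0.9\nlibc.so.6 => /lib/libc.so.6\n' ;;
    mysqld)   printf 'libpthread.so.0 => /lib/libpthread.so.0\nlibc.so.6 => /lib/libc.so.6\n' ;;
    sendmail) printf 'libwrap.so.0 => /usr/lib/libwrap.so.0\nlibc.so.6 => /lib/libc.so.6\n' ;;
    *)        : ;;
  esac
}

# Constructed port -> service-name map (normally /etc/services).
port_to_service() {
  case "$1" in
    22) echo ssh ;; 25) echo smtp ;; 79) echo finger ;; 110) echo pop3 ;; *) echo unknown ;;
  esac
}

# True if the binary is linked against libwrap (standalone daemons).
linked_libwrap() { ldd_sample "$1" | grep -q 'libwrap\.so'; }

# True if inetd starts the service through tcpd (inetd daemons).
inetd_wrapped() {
  printf '%s\n' "$SAMPLE_INETD" | awk -v svc="$1" '$1 == svc { print $6 }' | grep -q '/tcpd$'
}

# Classify one listening socket: $1 = local addr:port, $2 = program name.
# Prints local-only, wrapped or UNWRAPPED.
coverage() {
  addr=${1%:*}; port=${1##*:}; prog=$2
  if [ "$addr" = 127.0.0.1 ]; then
    echo local-only                      # not reachable over the dial-up link
  elif [ "$prog" = inetd ]; then
    if inetd_wrapped "$(port_to_service "$port")"; then echo wrapped; else echo UNWRAPPED; fi
  elif linked_libwrap "$prog"; then
    echo wrapped
  else
    echo UNWRAPPED
  fi
}

# One line per listening socket.
audit() {
  printf '%s\n' "$SAMPLE_NETSTAT" | awk 'NR > 1 { print $4, $7 }' |
  while read -r laddr pidprog; do
    prog=${pidprog#*/}
    printf '%-18s %-9s %s\n' "$laddr" "$prog" "$(coverage "$laddr" "$prog")"
  done
}

# Sockets hosts.deny cannot protect: these need the packet filter.
unwrapped_count() { audit | grep -c UNWRAPPED; }

audit
```

On the constructed sample the script reports sshd, mysqld and the inetd finger service as UNWRAPPED, pop3 as wrapped and sendmail as local-only. Every UNWRAPPED line is a service whose only access control on the dial-up link would be a firewall rule.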
Hi, thanks for replies from all!

> So what happens to services whose access is not controlled by tcpwrappers.

Yes, that's the problem certainly. Should be checked carefully.

> Say somehow you have mysqld running in the background. Anyone from the net would be able to access your system via mysql and if there was a vulnerability in it they could exploit it same would go for a service like

Yes, I do have that running, but well, inside mysql there is also access control where I deny access from all others except me by default.

> But an ipchains firewall with default to deny could be configured to only allow in those connections you need and by default block all other connections.

Well, I understood the same thing from the other posts. I should go for it.

Thanks again.
Marko
On Tue, 27 Feb 2001 13:41:04 +0100 (MET), you wrote:

> Hi,
>
> at home I use a modem connection to my provider and up to now have tcpd installed to do basic access restrictions. So my /etc/hosts.deny forbids in principle everything to the outside world.
>
> Is it really necessary to use instead a firewall for such dial-up connections?
>
> Which arguments could you find from Security point of view???
>
> Actually I'd prefer to stick with this simple solution, but maybe someone has convincing arguments against this approach...
Basically, for tcpd to take effect the "protected" service needs to be:

1) compiled against libwrap (standalone method), or
2) started with the tcpd command in /etc/inetd.conf (inetd method).

Nevertheless a fw always takes effect if it's correctly configured (you can use a deny default policy, e.g.).

Why don't you use both (fw & tcpd)?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
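The "use both" setup from the reply above works best when the packet filter and tcpd carry the same allow-list, so that whichever layer a given daemon falls through, the other still enforces the same decision. The generator below is an added example, not code from this thread or from SuSEfirewall. Its values are constructed: the dial-up interface is assumed to be ppp0, the trusted client range 192.0.2.0/24, and sshd the only service that should be reachable from outside. It only prints the rules and tcpd files; it executes them only when invoked with `apply`.

```shell
#!/bin/sh
# Added example, not from the thread: one allow-list expressed in both layers.
# Layer 1: ipchains input chain with a default DENY policy on the dial-up link.
# Layer 2: tcpd hosts.deny/hosts.allow with the same trusted range.
# Assumptions (constructed): external interface ppp0, trusted client range
# 192.0.2.0/24, sshd as the only inbound service wanted.
# Usage:  sh both_layers.sh          # print what would be configured
#         sh both_layers.sh apply    # as root: load the rules and write the files

EXT_IF=${EXT_IF:-ppp0}
TRUSTED_NET=${TRUSTED_NET:-192.0.2.0/24}
TRUSTED_MASK=${TRUSTED_MASK:-192.0.2.0/255.255.255.0}   # tcpd syntax wants a dotted mask

# Emit the ipchains commands: flush, default policies, narrow exceptions,
# then log-and-deny whatever is left.  ipchains is stateless, so replies to
# our own outbound TCP connections are admitted by matching non-SYN packets
# ("! -y"); DNS replies come back from source port 53.
ipchains_rules() {
  cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $EXT_IF -p tcp -s $TRUSTED_NET -d 0/0 22 -j ACCEPT
ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
ipchains -A input -i $EXT_IF -p udp -s 0/0 53 -j ACCEPT
ipchains -A input -i $EXT_IF -p icmp --icmp-type echo-reply -j ACCEPT
ipchains -A input -i $EXT_IF -l -j DENY
EOF
}

# tcpd layer: deny everything, then allow exactly what the filter allows.
hosts_deny()  { echo 'ALL: ALL'; }
hosts_allow() { echo "sshd: $TRUSTED_MASK"; }

# Sanity check before applying: the input chain must default to DENY and every
# ACCEPT on the external interface must be tied to a protocol (no blanket accept).
rules_are_default_deny() {
  ipchains_rules | grep -q '^ipchains -P input DENY$' || return 1
  ipchains_rules | grep 'ACCEPT' | grep -- "-i $EXT_IF" | grep -qv -- '-p ' && return 1
  return 0
}

# Number of explicit ACCEPT rules (useful to eyeball that the list stayed short).
count_accepts() { ipchains_rules | grep -c -- '-j ACCEPT'; }

case "$1" in
  apply)
    rules_are_default_deny || { echo 'refusing: ruleset is not default-deny' >&2; exit 1; }
    ipchains_rules | sh -e
    hosts_deny  > /etc/hosts.deny
    hosts_allow > /etc/hosts.allow
    ;;
  *)
    echo '# ipchains commands:';   ipchains_rules
    echo '# /etc/hosts.deny:';     hosts_deny
    echo '# /etc/hosts.allow:';    hosts_allow
    ;;
esac
```

Keeping the trusted range in one variable that feeds both the `-s` match and the hosts.allow line is the point: when the range changes, both layers change together, and a daemon that turns out not to be wrapped (or a typo in hosts.allow) is still caught by the filter's DENY policy.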
participants (4)
- Marko Kaening
- Nix
- RoMaN SoFt / LLFB!!
- semat