[opensuse] Re: Interactive Firewall Needed
On Fri, 08 May 2009 08:38:06 -0500, L. V. Lammert wrote:
But it is, only not on the client machine. Outgoing ports, if you need security, are managed at the upstream firewall/proxy.
If you truly wish to lock down network traffic, you only pass/proxy specific ports.
But Lee, you seem to be talking about corporate users. In a corporate environment, this is the norm: the network management team configures the firewall and they have the expertise to do so. Many home users don't even know why their router has a password on it, much less how to configure it properly.

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Jim Henderson wrote:
On Fri, 08 May 2009 08:38:06 -0500, L. V. Lammert wrote:
Many home users don't even know why their router has a password on it, much less how to configure it properly.
And many others "Didn't know the gun was loaded". Really, Jim, this line of reasoning to the lowest common denominator gets you nowhere. If this job can't be managed by Joe Sixpack, then it should go the way of automotive maintenance, furnace repair, and major plumbing work; namely, by companies doing this work professionally. Maybe your ISP, but a third party would seem preferable.

Imagine if, instead of going to Best Buy to get a router, you got a service, and the router was part of it. You take it home and you can do very little other than surf the web and send email, and only then with known protocols to known ports. Nothing else gets by the router, outbound or inbound. You want to stream music, you call them up, or visit their web page, key in your code, select the option, and it's turned on for you. No more worms. No more bots.

People can either learn to manage stuff, or for those that can't or won't (such as those already part of a bot-net) they buy the service.
On Fri, 08 May 2009 11:50:58 -0700, John Andersen wrote:
And many others "Didn't know the gun was loaded".
Really, Jim, this line of reasoning to the lowest common denominator gets you nowhere.
It's not "lowest common denominator reasoning" (though I can see why you think that), it's using multiple tools to create a layered security model. A firewall by itself (or anti-virus by itself, or a password by itself) isn't a strong security model no matter how you slice it. A userless model would be ideal but also pretty useless (since what's the point in having a system that nobody uses?). So the idea here is:

1. Use a firewall. Firewalls are good, and the firewall included with openSUSE does a great job of keeping stuff out that should be kept out.

2. Use anti-virus, if you use your system in a way that needs it (like running lots of stuff through WINE, or as a mail forwarder where the destination mailboxes would be read by people running Windows).

3. Prevent applications that shouldn't be connecting outbound from connecting outbound. Just IN CASE something gets past the firewall and AV software. There are many different attack vectors that can be used.

I honestly don't understand why some people are so vehemently opposed to implementation of a multi-layered security model. In any corporate environment where security is taken seriously, you need to pass a receptionist on the way into the work space. If the receptionist is away, that doesn't mean that someone who walks through the lobby and into the rest of the office space can get into the computer room. There are additional barriers they need to get past: locked doors, staff, etc. Protecting the "front door" of a system with a firewall has value, but it isn't the only way a system should be protected.
People can either learn to manage stuff, or for those that can't or won't (such as those already part of a bot-net) they buy the service.
I'm not aware of any such service existing. Are you?

It's surprising to me when proponents of open source who talk about "choice being good" are then strongly resistant to choices being made available, and say "there's only one way to do this properly".

Jim
On Friday 08 May 2009 21:09:25 Jim Henderson wrote:
3. Prevent applications that shouldn't be connecting outbound from connecting outbound. Just IN CASE something gets past the firewall and AV software.
and this is what I keep telling you, but you don't seem to want to understand: if you get to this point, *you've already lost the game*! There is no point in continuing. Format your hard drive, insert two nickels, and good luck in your next try.

Anders
On Fri, 08 May 2009 21:11:39 +0200, Anders Johansson wrote:
3. Prevent applications that shouldn't be connecting outbound from connecting outbound. Just IN CASE something gets past the firewall and AV software.
and this is what I keep telling you, but you don't seem to want to understand: if you get to this point, *you've already lost the game*!
I don't completely disagree, but at the same time, in my experience, there is value to evaluating the damage and determining a course of action. Sometimes the system can be salvaged.

But more to the point, if you get to that point *and don't know that you're there*, then you don't know that you need to take corrective action, whatever it is. So having something there that tells you "hey, something got through your firewall that maybe you don't know about" has value as well.

Jim
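The two things argued over above, an outbound allowlist that stops applications which have no business talking to the network (Jim's point 3), and a signal that tells you when something tried (his last reply), can both be had from the netfilter stack that openSUSE's firewall sits on. The script below is an added example and is not code from the thread or from the openSUSE firewall. It assumes iptables with the `owner` and `conntrack` matches and the LOG target's `--log-uid` option, a hypothetical mail-reading account with uid 1000, and the constructed kernel log lines embedded in SAMPLE_LOG; the rules are printed rather than applied, so it runs without root.

```shell
#!/bin/sh
# Added example, not from the thread. Egress allowlist for a single-user
# desktop: any local user may do DNS and HTTP(S); only the (hypothetical)
# mail reader, uid 1000, may open SMTP submission and IMAPS; everything
# else is logged with the originating uid, then rejected.

ALLOWED_TCP="80 443"      # destination ports any local uid may open
MAIL_TCP="587 993"        # destination ports only MAIL_UID may open
MAIL_UID="1000"           # assumption: uid of the account running the MUA
LOG_PREFIX="EGRESS-DENY: "

# Print the rule set; apply with:  egress_rules | sudo sh
egress_rules() {
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # replies to connections already accepted below
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -p udp --dport 53 -j ACCEPT"
    for p in $ALLOWED_TCP; do
        echo "iptables -A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # owner match works on locally generated packets only, and keys on the
    # uid of the socket owner, not on which binary opened it
    for p in $MAIL_TCP; do
        echo "iptables -A OUTPUT -p tcp --dport $p -m owner --uid-owner $MAIL_UID -m conntrack --ctstate NEW -j ACCEPT"
    done
    # rate-limited so a chatty bot cannot fill the log; --log-uid records who
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"$LOG_PREFIX\" --log-uid"
    echo "iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable"
}

# Read kernel log lines on stdin, keep the ones our LOG rule produced and
# print "uid=<uid> <proto> <dst>:<dport>" for each denied attempt.
denied_outbound() {
    grep "$LOG_PREFIX" | awk '{
        uid = ""; dst = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "UID") uid = kv[2]
        }
        printf "uid=%s %s %s:%s\n", uid, proto, dst, dpt
    }'
}

# Constructed sample: two denied attempts (an IRC port from the mail uid,
# port 587 from a uid that is not allowed to use it) and an unrelated line.
SAMPLE_LOG='May  8 21:15:02 suse kernel: EGRESS-DENY: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=41234 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=100
May  8 21:15:09 suse kernel: EGRESS-DENY: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=41235 DPT=587 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1001 GID=100
May  8 21:15:10 suse sshd[1234]: Accepted publickey for lee from 192.168.1.20'

egress_rules
echo "--- denied outbound attempts in sample log ---"
printf '%s\n' "$SAMPLE_LOG" | denied_outbound
```

On a real host the second function is fed from `journalctl -k` or `/var/log/messages`; the uid in each line is what makes the report actionable, because it tells you which session to look at. The caveat Anders raises still applies: the owner match is per uid, so anything already running in the mail reader's session can use ports 587 and 993 too, and a process with root can simply remove the rules. The allowlist buys you a log line and a blocked first attempt, not a guarantee.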