Re: NTP, ntpdate, and ISP-based firewall
From: Jeff Vian (jvian10_at_charter.net)
Date: 03/05/04
- Previous message: Alexander Dalloz: "RE: Accompanying SpamAssassin FC1 packages"
- In reply to: Bevan C. Bennett: "Re: NTP, ntpdate, and ISP-based firewall"
- Next in thread: Alexander Dalloz: "Re: NTP, ntpdate, and ISP-based firewall"
- Reply: Alexander Dalloz: "Re: NTP, ntpdate, and ISP-based firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: fedora-list@redhat.com
Date: Thu, 04 Mar 2004 18:46:47 -0600
Bevan C. Bennett wrote:
> jdow wrote:
>
>> A professional computer criminal might check some of the more oddball
>> ports and discover something. <enh> So it happens. I still have formal
>> barriers beyond the basic firewall. If each attacker has, say, a
>> probability p of penetrating the internal barriers and a probability b
>> of deciding that the void he probed was really something ripe for more
>> probing, then I've reduced my probability of getting hacked by b. If b
>> is 1 in 10 and p is 1 in 1000, then the combined probability that the
>> NEXT layer will be probed is reduced to about 1 in 10,000. Proper
>> defense is built in layers like an onion. I'm not invulnerable here.
>> But I've worked to reduce the risk by every reasonable factor I can
>> control.
>
>
> Layered defenses are indeed the correct way to build up security.
>
> If your system is truly 100% passive and offers no services at all
> then favoring DROP over REJECT can offer you some extra stealth at the
> expense of the ability to easily debug problems through the standard
> mechanisms like ping, traceroute and tcpdump. If you are providing at
> least one service on the system, then using DROP won't help hide you
> against a simple scan (no professional required) and all your choice
> does is make your system standards-unfriendly.
>
> It doesn't make me more of a target to return 'ICMP prohibited'
> packets in reply to probes at prohibited ports. On the contrary it
> probably makes me less of a target because I clearly have active
> security measures in place.
>
>> Obscurity is no defense; but, obscurity times firewall times tcpwrapper
>> times passwords times internal firewalls times yatta and more yatta yet
>> is better than without the obscurity, eh?
>
>
> If the obscurity only gives you a false sense of security, while
> impairing your own ability to monitor and debug your configuration,
> then it is indeed better without the obscurity.
>
> Put a firewall in front of your local network.
> Run host-based firewalls like iptables.
> Use secure protocols whenever possible.
> Run daemons chrooted when possible, and minimize the daemons you run.
> Use tcpwrappers to further limit access to the daemons you do run.
>
> All these are good layers that do add to your security. Refusing to
> answer pings doesn't really add much, and just makes your server seem
> rude. ;)
>
So by your definition, these hosts are rude???? (many more examples
available)
[jeff]$ ping www.mysql.com
PING www.mysql.com (66.35.250.190) 56(84) bytes of data.
--- www.mysql.com ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms
[jeff]$ ping www.redhat.com
PING www.redhat.com (66.187.232.50) 56(84) bytes of data.
--- www.redhat.com ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5018ms
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
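The DROP-versus-REJECT choice and the host-based layers Bevan lists (host firewall, one exposed service, tcpwrappers) are concrete enough to write down. The script below is an added example, not code from anyone in this thread: it generates an iptables-restore ruleset whose final rule is switchable between REJECT with ICMP admin-prohibited (Bevan's preference) and a silent DROP (jdow's), answers pings either way, and emits matching tcpwrappers files. The NTP server, LAN range and the "probe:" log prefix are placeholders chosen for the example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): an iptables-restore ruleset
# implementing the layered host policy discussed above.  The last INPUT rule
# is selectable: "reject" answers probes with ICMP admin-prohibited (and a
# TCP RST for TCP), "drop" discards them silently.  Either way the default
# chain policy is DROP, so the REJECT rule only changes what the probe sees.
LAN="192.168.1.0/24"          # placeholder: the local network allowed to reach sshd

# gen_ruleset MODE  -> prints a filter table for iptables-restore to stdout.
# MODE is "reject" (standards-friendly, easy to debug) or "drop" ("stealth").
gen_ruleset() {
    mode="${1:-reject}"
    case "$mode" in
        reject) final="-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-admin-prohibited" ;;
        drop)   final="-A INPUT -j DROP" ;;
        *) echo "gen_ruleset: unknown mode '$mode' (use reject|drop)" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host initiated (covers ntpdate/ntpd
# replies on UDP 123 as well, since conntrack tracks the outgoing query)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# answer pings: once a service is exposed, refusing them hides nothing
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# the single service offered, limited to the LAN; tcpwrappers adds a second check
-A INPUT -p tcp -s $LAN --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# log (rate-limited) whatever reaches the end of the chain, then apply the policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "probe: "
$final
COMMIT
EOF
}

# tcpwrappers layer: /etc/hosts.deny refuses everything, /etc/hosts.allow
# re-admits only sshd from the LAN (trailing dot = tcpwrappers prefix match).
gen_hosts_deny()  { echo "ALL: ALL"; }
gen_hosts_allow() { echo "sshd: 192.168.1."; }

# Print the ruleset for the mode given on the command line (default: reject).
# Apply with:   sh fw.sh reject | iptables-restore
gen_ruleset "${1:-reject}"
```

With the `reject` mode, a probe to a closed port gets an ICMP type 3 code 13 (administratively prohibited) back, so your own traceroute and tcpdump sessions show exactly where the packet was refused; with `drop`, the same probe simply times out, which is the debugging cost Bevan describes. The LOG rule is what actually tells you a port was probed, whichever final action you pick.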