RE: Router question (was Re: postfix problems)

From: Kenneth Goodwin (kgoodwin_at_datamarktech.com)
Date: 09/05/03

    To: <redhat-list@redhat.com>
    Date: Fri, 5 Sep 2003 09:00:19 -0400

    > > One question I have that came out of this discussion is why are systems
    > > behind routers safer? What kind of security does a router provide?
    >
    > A router by itself does not provide any inherent security. However:
    >
    > A standard router, such as a cisco 2501, can do port blocking, which can add
    > some security.
    >
    > The devices which are marketed as "cable modem routers" often have Network
    > Address Translation (NAT), which *does* add some security. It makes it
    > harder for the bad guys to hit your computer, as most of the 'routers' are
    > set only to allow inbound packets that are replies to your outbound
    > requests. (IPtables does this as well, but most of these 'routers' do it
    > out of the box).
    >
    > Ben

    Your best bet for a home setup is a true firewall/router, and the ones for
    home (netgear, linksys, dlink for example) are actually Linux boxes from
    what I understand. Standard routers, besides offering port blocking to keep
    out "well known port" based attacks, usually offer access control lists
    which enhance standard port blocks by allowing you to specify, for all or
    any specific ports:
            allowed IP addresses (host or network or CIDR),
            denied IP addresses (great for nailing known spammers from RBLs and
                            stopping them from annoying your mail servers and firewalls)

    Higher end routers (cisco 2600 and up) also offer enhanced firewall
    capabilities and tie-ins with security servers.

    A commercial enterprise trying to protect its internal assets would use a
    combination of devices, each providing a level of defense. (Depends on its
    access needs and Internet requirements.)

    Level 1 - Border Router (with or without basic firewall)
            provides access control lists for specific port and/or IP address
            blocking or acceptance.
            provides first tier security through optional connection to a
            security server (dynamic access control lists, lock and key access
            controls (SecurID type systems)).
            keeps the port scanners and known creeps from penetrating into the
            next level.

    Level 2 - True firewall, with/without content filtering and other security
    (IDS) servers
            Provides backup and further tuned access control lists.
            Provides intelligent access controls and attack detection.
            Can tie to IDS servers, etc. for increased intelligence.

    Level 3 - Security servers
            Ties in with border routers and firewalls.
            Can tie in with other servers.
            Should have own local firewall enabled, restricting all access to
            just encrypted port connections from known local hosts - firewalls
            and border routers.
            Provides increased intelligence for detecting attack profiles and
            intrusion detection and response.

    Level 4 - Servers and desktops
            Personal level firewalls restricting access as appropriate.
            Antivirus, antispam, anti-spyware programs actively running on both
            client and server.
            Different manufacturers for each package - example: Norton antivirus
            on the desktop, and McAfee antivirus running on the email server.
            More than one anti-spyware package running as well.
            Servers restricted and tuned to a specific task - DNS server, email
            server, pop/imap server, database server, email hub and scanning
            (antivirus/antispam).

    Level 4.1 - Web servers
            Web servers should also be placed between two separate firewalls in
            a true DMZ, and preferably on a different internet link. The outside
            firewall controls global access to your web farm; the inside firewall
            restricts access to just the specific ports and IP addresses of your
            web farm. All servers in the web farm should also have local
            firewalls and IDS software.

    This is sort of "the Embassy Defense System" - put as many obstacles of
    increasing difficulty between you and your attackers to give you time to
    detect and curtail them before they can do significant damage to your
    infrastructure.

    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
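The two filtering mechanisms the thread describes (Ben's "only allow inbound packets that are replies to your outbound requests", and Kenneth's per-port access control lists with allowed and denied hosts, networks or CIDR ranges) are easy to confuse, so here is a small model of both working together. This is an added illustration written for this archive page; it is not code from the thread, from iptables, or from any router vendor. The rule format, the `Filter` class and every address, port and packet in it are constructed for the example.

```python
"""Toy packet filter modelling two mechanisms discussed in the thread:

1. Router-style access control lists: per-port (or all-port) rules that
   allow or deny a source host, network or CIDR range, first match wins,
   implicit deny at the end.
2. Stateful "replies only" filtering, as NAT routers and iptables
   connection tracking provide: an inbound packet is accepted without an
   ACL entry only if it answers a flow the LAN side opened.

All names, addresses and packets here are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = arriving from the Internet, "out" = leaving the LAN


@dataclass(frozen=True)
class AclRule:
    port: Optional[int]  # None = applies to all destination ports
    action: str          # "allow" or "deny"
    network: str         # host ("203.0.113.7"), network or CIDR ("192.0.2.0/24")


class Filter:
    def __init__(self, rules: List[AclRule]) -> None:
        # Pre-parse networks once; strict=False lets a host address stand
        # for a /32 and tolerates unset host bits in a network spec.
        self.rules = [(r.port, r.action, ip_network(r.network, strict=False))
                      for r in rules]
        # Connection table keyed by (lan_host, lan_port, remote_host, remote_port).
        self.conntrack: Set[Tuple[str, int, str, int]] = set()

    def acl_decision(self, pkt: Packet) -> str:
        """Evaluate the static ACL: first matching rule wins, else deny."""
        src = ip_address(pkt.src)
        for port, action, net in self.rules:
            if (port is None or port == pkt.dport) and src in net:
                return action
        return "deny"  # implicit deny, as on a router ACL

    def handle(self, pkt: Packet) -> str:
        """Return "allow" or "deny" for one packet, updating state."""
        if pkt.direction == "out":
            # LAN-originated traffic opens a flow that replies may use.
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: a reply to a tracked outbound flow passes with no ACL entry.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "allow"
        # Anything unsolicited must be explicitly permitted by the ACL.
        return self.acl_decision(pkt)


def run_demo() -> List[str]:
    """Apply a sample rule set to constructed traffic; returns the decisions."""
    f = Filter([
        AclRule(25, "deny", "198.51.100.0/24"),   # constructed "RBL-listed" range
        AclRule(25, "allow", "0.0.0.0/0"),        # everyone else may reach SMTP
        AclRule(22, "allow", "203.0.113.7"),      # one admin host may reach SSH
    ])
    traffic = [
        Packet("198.51.100.9", 50000, "10.0.0.25", 25, "in"),   # listed spammer -> SMTP
        Packet("192.0.2.10", 50001, "10.0.0.25", 25, "in"),     # other sender -> SMTP
        Packet("192.0.2.10", 50002, "10.0.0.25", 22, "in"),     # not the admin host -> SSH
        Packet("203.0.113.7", 50003, "10.0.0.25", 22, "in"),    # admin host -> SSH
        Packet("192.0.2.10", 443, "10.0.0.5", 40000, "in"),     # unsolicited "reply"
        Packet("10.0.0.5", 40000, "192.0.2.10", 443, "out"),    # LAN opens HTTPS flow
        Packet("192.0.2.10", 443, "10.0.0.5", 40000, "in"),     # genuine reply now passes
    ]
    return [f.handle(p) for p in traffic]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The fifth and seventh packets are byte-for-byte identical; only the connection table differs, which is the whole point of the "replies to your outbound requests" rule: the filter admits the packet because the LAN asked for it, not because of anything in the packet itself. Rule order matters in the ACL just as it does on a router: swapping the two port-25 rules would let the denied range through.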
    
