Re: Advice on a firewall distro
- From: David Brown <david@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 15 Dec 2006 15:27:30 +0100
Davide Bianchi wrote:
> On 2006-12-15, David Brown <david@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> I'm planning an update for the firewall and routing in our company
>> [...] together something that can be mostly administered by a web interface,
>> [...]
> whenever I hear the term 'firewall' and 'web interface' in the same
> sentence something makes me want to puke...
I guess I did ask for this kind of comment!
I understand that attitude, and I would rule out anything that *required* a web interface. To me, a web interface is a nice front end to the configuration files and log files. If the web interface makes my job easier, then that's a good thing - assuming the cost in security or reliability is not noticeable. I want to be able to make configuration changes that suit *my* requirements, not just those the web interface designer thinks I want - but I also appreciate being able to make standard settings in a web browser's text box without having to study man pages. I want to be able to look through log files - but ready-made graphs give me useful information quickly.
>> I'd also like to run a few services on the firewall machine - web proxy,
> Bad idea. The firewall must do the firewalling and nothing else. Have
> servers behind it provide the 'services' and let the firewall do what it is
> supposed to do: keep bad things out.
Again, I appreciate the arguments for minimising the services on the firewall. Fewer services means fewer security risks, and as a central connection in the network, it is vital that the firewall machine is not compromised. Services which require multiple user accounts (such as common email setups, or file sharing) are right out - there should be no accounts on a firewall machine for which logons are enabled, and for which the user name is guessable. But the heart of the firewall is the iptables setup - when that is correct, the risk to services on the firewall is the same as the risk if these services are on a different server (though the resulting damage may be greater). I'd expect that risk to be very close to zero - if it is not, then the service will not be running anywhere on my network.
Any security system is a balance between its security and reliability on one side, and its usefulness (including services to its users, and its ease of configuration, administration and maintenance, and to a lesser extent, costs) on the other. A block-everything and do nothing else firewall is one extreme, while an open network is another. I am not necessarily looking to maximize security outright - I'm looking to maximize security while having a useful placement of services.
On the other hand, it is quite possible that I'll keep the old ZyWall firewall between the internet and the new firewall, doing nothing but firewalling.
Thanks for your comments,
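As an added illustration of the argument above (not from either poster), this is an iptables-restore ruleset in which the firewall accepts nothing from the internet side and exposes its own services (proxy, SSH, HTTPS admin interface) to the LAN interface only; the interface names, the LAN range and the port numbers are assumptions.

```iptables
# Added example, not from the thread. Assumptions: eth0 faces the internet,
# eth1 faces the LAN (192.168.1.0/24); proxy on 3128, admin interface on 443.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback, plus replies to connections the firewall itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP

# Services running on the firewall are reachable from the LAN side only.
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp --dport 443 -j ACCEPT

# Nothing arriving on eth0 is accepted; log a rate-limited sample so that
# probes against the internet side are visible in syslog before the DROP.
-A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "

# Forwarding: LAN hosts may go out, replies come back, everything else drops.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
COMMIT
```

Load it with `iptables-restore < rules.v4`; with this in place the web interface and proxy are no more exposed to the internet than they would be on a host behind the firewall.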