Re: DSL

I concur completely with your statements.  While it is possible to
configure a linux system to act as your firewall such a system must be
hardened as much as possible.  To me that means you don't load anything
but the bare minimum of packages needed to perform the firewall function
and disable all ports that are not required by the firewall.  And such a
system must be monitored constantly for any signs of tampering.  One of
the low cost hardware firewalls, such as linksys, netgear, or any of the
others provides a dedicated box that performs its function well.  Keep
your linux system on the inside where you can load any of the latest
packages or tools that you want to play with knowing that you are
protected fairly well by the dedicated firewall.  

And as you pointed out your entire network is not deprived of Internet
access when you want to reboot your machine after applying the latest
kernel patch (once you can get it downloaded).  Or after you have
applied that latest patch and your system becomes unstable you will
still be able to access the network with another box to get the
information needed to get the system back in operation.  

This is not to say that the cheap firewalls are foolproof but because
they are so simple there is not much that can go wrong with them.  And
while I have built many servers with lots of services loaded on them I
still believe utilizing dedicated machines for critical functions is the
best way to go.  When something goes wrong it is much easier to
troubleshoot a machine that has just one or two major functions than one that
runs email, dns, ntp, oracle, apache, samba, print services, file
sharing, lotus notes (built 43 of these beasts at one job with all that
stuff).  And when that machine goes south only a couple of parts of your
enterprise are affected instead of every major service. It also makes it
easier to get those services up and running on temporary machines
quickly.

On Mon, 2003-07-21 at 22:52, Ed Wilts wrote:
> On Mon, Jul 21, 2003 at 07:36:59PM -0700, Joe wrote:
> > Ed Wilts wrote:
> > 
> > >My recommendation would be to buy something like a Linksys router if you
> > >can afford it and put it between the DSL modem and the Linux system.
> > >The Linksys offers two things - a switch with NAT functionality to
> > >support other systems in your house, and a firewall that's on by
> > >default.  Until you get comfortable configuring Linux in an always-on
> > >environment, it's nice to have a low-cost firewall that does the basics
> > >for you.
> > >  
> > IMHO if you've got a linux box you've already got a much more 
> > sophisticated and flexible router than a linksys could ever be - the 
> > linux box can be the router/firewall, vpn server, dns server, mail 
> > server, web/ftp server, dhcp server and more - but it's pretty easy to 
> > set linux up just as a basic nat firewall, and it's a good way to learn.
> 
> The Linux system can certainly do it, but it's not ideal for me - your
> mileage, of course, will vary.  My Linux system is my dns server, mail
> server, and ftp server (and more).  It's not my firewall since it can be
> rebooted any time and the rest of my systems still work.  I used to have
> my Linux system be the gateway.  It didn't suit my purposes, but I know
> that many people do like it set up that way.  Whatever works for you.  I
> don't disagree that Linux is more flexible and sophisticated, but that's
> also its shortcoming - it's so powerful and sophisticated that most
> people can't drive it properly as evidenced by the many iptables and
> ipchains questions I've seen over the years.
> 
> I also don't like the idea of having critical services on a firewall
> system.  One system is breached, and the attacker is in.  With my
> config, the attacker has to breach 2 separate systems to get anywhere.
> Yes, I could have a separate Linux system, and I've run that config too.
> It's yet another system to manage and keep up to date with security
> patches, maintain backups, etc. and a full system takes more heat and
> power.  My Linksys firewall could die and be replaced with a quick trip
> to one of the local computer stores.  If the Linux system fails, it
> could potentially be a lot more work (no mirroring on this system, for
> example).  The Linksys also really wins for those Linux admins who don't
> take security seriously, and that's unfortunately more people than we
> want to admit to.  It's more work to admin a Linux system than it is to
> admin a Linksys system.
> 
> -- 
> Ed Wilts, Mounds View, MN, USA
> mailto:ewilts@xxxxxxxxxx
> Member #1, Red Hat Community Ambassador Program
-- 
Scot L. Harris <webid@xxxxxxxxxx>
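The hardening advice above (bare minimum of packages, no ports open beyond what the firewall needs, watch for anything unexpected) can be turned into a small checklist script. The following is an added example, not code from anyone on this thread: it prints a default-deny iptables ruleset for a box that only does NAT between a LAN and a DSL link, and it compares the sockets a host listens on against an allowlist so a stray service stands out. The interface names, the private range and the sample listener list are all assumptions; the rules are printed for review rather than applied, so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the list thread): two checks for a minimal Linux firewall host.
#  1. build_dropall_rules: emit an iptables default-deny ruleset for a box whose only
#     job is NAT between an internal LAN and a DSL link (hypothetical interface names).
#  2. audit_listeners: compare the sockets a host actually listens on against an
#     allowlist, so an unexpected service shows up instead of going unnoticed.
# Nothing here touches the kernel; the rules are printed for review and the audit runs
# over a constructed sample, so it is safe to run on any machine.

WAN_IF="${WAN_IF:-eth0}"              # assumed: interface facing the DSL modem
LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the inside LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # constructed private range

# Print (do not apply) a default-deny ruleset: drop everything, then allow only
# loopback, replies to established traffic, SSH to the box from the LAN side,
# and NAT'd forwarding from LAN to WAN.
build_dropall_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Read "proto:port" lines on stdin (one per listening socket) and compare each
# against a space-separated allowlist. Prints every listener not on the list and
# returns 1 if any were found, 0 if the host listens only where expected.
audit_listeners() {
    allow="$1"
    found=0
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        case " $allow " in
            *" $entry "*) ;;                                  # expected, say nothing
            *) echo "UNEXPECTED listener: $entry"; found=1 ;;  # not on the allowlist
        esac
    done
    return $found
}

# On a real host the listener list would come from something like
#   ss -Hlntu | awk '{split($5,a,":"); print tolower($1) ":" a[length(a)]}'
# Here a constructed sample stands in so the script runs offline: SSH and a DHCP
# server are expected on this box, the web proxy on 8080 is not.
sample_listeners() {
    printf '%s\n' "tcp:22" "udp:67" "tcp:8080"
}

main() {
    echo "# proposed ruleset (review, then apply by hand):"
    build_dropall_rules
    echo
    echo "# listener audit:"
    if sample_listeners | audit_listeners "tcp:22 udp:67"; then
        echo "all listeners expected"
    else
        echo "review the unexpected listeners above"
    fi
}

main
```

Run it periodically from cron with the real `ss` pipeline in place of `sample_listeners` and mail yourself the output; a new line in that report is exactly the "sign of tampering" the post says a firewall host must be watched for, and the allowlist doubles as documentation of what the box is supposed to do.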


-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
