Focus on Linux
Re: Linux Hardening Oct 21 2007 11:32AM
Liran Cohen (theog rct co il) (2 replies)
Re: Linux Hardening Oct 23 2007 01:40AM
Greg Metcalfe (metcalfegreg qwest net)
Re: Linux Hardening Oct 22 2007 06:13PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
On 2007-10-21 Liran Cohen wrote:
> Ajai Khattri wrote:
>> On Wed, 17 Oct 2007, Liran Cohen wrote:
>>> what is the machine's location on your network (LAN\DMZ etc...) what
>>> is the machine role, you should ask yourself some questions before
>>> approaching hardening, I would not put the same effort on a machine
>>> which is located on my LAN as much as I would make sure that DMZ
>>> machines are protected
>> I believe even machines on internal networks should all run local
>> firewalls at the very least. There's always some Windoze user using
>> Outlook and clicking on an email attachment they shouldn't click
>> on...

And then what? The services you need to be accessible in your LAN will
still be accessible (and thus exploitable) even if you run local packet
filters, because you need them to be accessible.

If any of your computers become infected because of someone clicking on
an attachment, your security concept has already failed several times,
and you should ask yourself some serious questions, including (but not
limited to):

- Why didn't the spam/malware filter on your mailserver catch the
- Why didn't the local virus scanner catch the attachment?
- If the attachment is an executable: why did your Software Restriction
Policies (and temp directory settings) allow it to be executed?
- Why was an unneeded service running on the remote host?
- If it was started by a user: why did your Software Restriction
Policies allow that?
- If the exploit was not a 0day: why was the system not up-to-date?

On top of that: running a packet filter always means running additional
code that may contain additional (remotely exploitable) bugs. There
already has been a case (W32/Witty.worm) where systems became vulnerable
*because* they were running a local firewall.

> I completely agree providing you have the time and dont have a couple
> of dozens of Linux machines to maintain daily, in many cases you have
> to make a sensible choice what would be worth more or in other words
> asses where the risk is higher and invest most of your efforts there.

Reasonable risk assessments will most likely lead to the conclusion that
host-based packet filters in the LAN are not worth the effort.

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus