Firewall Wizards mailing list archives
Re: Firewall administration
From: Rik Farrow <rik () spirit com>
Date: Mon, 6 Oct 1997 08:20:12 -0700 (MST)
Apparently, David Collier-Brown <davecb () Canada Sun COM> wrote:

>    Service  | Ports Opened               | Risk
> ---+----------+----------------------------+-------------------
>  X | Email    | smtp, 225/tcp              | Spam[1][2][3]
>  X | News     | nntp, 119/tcp              | Spam[2][3]
> ...
>  X | NFS v2   | sunrpc, 111/udp            | Spoofing[4][5]
>    |          | portmapper                 |
>    |          | mountd                     |
>    |          | nfsd                       | eavesdropping[9]
>
> With a bit of careful collection of dependencies, one can easily show
> the user that he just added spam-forwarding (footnote [1]) when he
> turned on mail, by changing the words ``Spam[1]'' to red....
I have a couple of problems with this. For example, one vendor supports almost 200 services--your form has gotten very unwieldy.

More importantly, you have left too much out. The number of email exploits just using sendmail is too long to list. Spam, while interesting, does not permit someone to break into a system. And services like NFS, which has an authentication mechanism so weak as to be almost useless (similar to CIFS), do not belong in this list. Having a warning would be akin to having a sticker on the dashboard which reads: "Warning: due to the bad design of the door-locking mechanism, passengers may fall out when turning corners." Get rid of the bad design.

Finally, what about the exploits yet to be created?

Minimalism is critical in firewall configuration. Making it easy to do the wrong thing (enabling a service just because it's in the menu or form) weakens your security. Yes, I know that the firewall configuration should come from a security policy, but that is not what always happens.

Rik
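The two positions in this exchange can be made concrete in a few lines. The following is an added example written for this archive page, not code from either poster: services are off by default and only the dependency closure of what is explicitly enabled gets a permit rule (the minimalism Rik argues for), while the risk footnotes newly introduced by enabling a service are computed so a form could highlight them (the dependency collection David describes). The service catalog, the footnote numbers and the risk labels are constructed from the quoted table; the port numbers used are the standard assignments (smtp 25/tcp, sunrpc 111, nfsd 2049/udp), which is an assumption, since the quoted table prints smtp as 225/tcp.

```python
"""Added example, not from the original thread: a default-deny service model
with dependency closure and "risk added by this change" reporting.

The catalog below is constructed for illustration from the quoted table.
Port numbers are the standard assignments (assumed, not taken from the quote).
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    ports: tuple = ()        # (proto, port) pairs; empty for RPC services reached via portmapper
    depends_on: tuple = ()   # services that must also be on
    risks: tuple = ()        # footnote numbers from the quoted table


CATALOG = {
    "email":      Service("email", (("tcp", 25),), (), (1, 2, 3)),
    "news":       Service("news", (("tcp", 119),), (), (2, 3)),
    "portmapper": Service("portmapper", (("udp", 111), ("tcp", 111))),
    "mountd":     Service("mountd", (), ("portmapper",)),
    "nfsd":       Service("nfsd", (("udp", 2049),), ("portmapper",), (9,)),
    "nfsv2":      Service("nfsv2", (), ("portmapper", "mountd", "nfsd"), (4, 5)),
}

# Footnote text, as labelled in the quoted table.
RISK_TEXT = {1: "spam forwarding", 2: "spam", 3: "spam",
             4: "spoofing", 5: "spoofing", 9: "eavesdropping"}


def closure(enabled, catalog=CATALOG):
    """All services that must be on for `enabled`, following depends_on transitively."""
    seen, stack = set(), list(enabled)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        if name not in catalog:
            raise KeyError(f"unknown service {name!r}")
        seen.add(name)
        stack.extend(catalog[name].depends_on)
    return seen


def open_ports(enabled, catalog=CATALOG):
    """Default deny: the only ports opened are those of the dependency closure."""
    ports = set()
    for name in closure(enabled, catalog):
        ports.update(catalog[name].ports)
    return sorted(ports)


def added_risks(before, after, catalog=CATALOG):
    """Footnotes present after the change but not before; what the form would turn red."""
    def risks(names):
        return {r for n in closure(names, catalog) for r in catalog[n].risks}
    return sorted(risks(after) - risks(before))


def render_rules(enabled, catalog=CATALOG):
    """Vendor-neutral rule list: one permit per opened port, then deny everything else."""
    rules = [f"permit {proto} {port}" for proto, port in open_ports(enabled, catalog)]
    rules.append("deny any")
    return rules


if __name__ == "__main__":
    before, after = ["email"], ["email", "nfsv2"]
    print("enables:", sorted(closure(after)))
    print("rules:", render_rules(after))
    print("new risks:", [RISK_TEXT[r] for r in added_risks(before, after)])
```

Turning on "nfsv2" alone opens three ports across three other services, which is exactly the dependency the form is meant to surface; the catalog stays honest to Rik's point only because nothing not listed in `enabled` ever produces a permit rule.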
Current thread:
- Re: Firewall administration Rik Farrow (Oct 06)
- Re: Firewall administration David Collier-Brown (Oct 06)
- Re: Firewall administration Bennett Todd (Oct 07)
- Sidebar re idiots (was Firewall administration) David Collier-Brown (Oct 07)
- Re: Firewall administration Bennett Todd (Oct 07)
- <Possible follow-ups>
- Re: Firewall administration Anton J Aylward (Oct 07)
- Re: Firewall administration Anton J Aylward (Oct 07)
- RE: Firewall Administration Steve Kruse (Oct 12)
- Re: Firewall Administration P.Y BONNETAIN (Oct 12)
- Re: Firewall Administration Larry J. Hughes Jr. (Oct 13)
- Re: Firewall Administration Rudolf Schreiner (Oct 14)
- Re: Firewall Administration Bennett Todd (Oct 15)
- Re: Firewall Administration P.Y BONNETAIN (Oct 12)
- Re: Firewall administration David Collier-Brown (Oct 06)