Security Basics mailing list archives
Re: Firewall on server itself
From: "Mitchell Rowton" <mitchell () attackprevention com>
Date: Thu, 26 Jun 2003 10:28:40 -0600
I agree that any device that has more stringent access requirements should be placed in an environment that will allow more granular control of the authorization (= put server in DMZ). However, adding iptables would be consistent with industry practices:

- Defense in Depth
- Enclave Boundary Defense (not just perimeter defense)
- M&M Security (hard on outside, soft and squishy on inside)

Perhaps the iptables could defend against an intruder who is already through the firewall because of many reasons:

- Insider threat
- Firewall vendor specific vulnerabilities

Maybe you could just make device specific rules more restrictive than the firewall that covers every device.

I'm sure there are other good reasons but in general any important device should have its own access controls (in my opinion).

Mitchell
On 2003-06-25 Anish Basu wrote:

> I am trying to set up a secure web server which will already be protected by a dedicated hardware firewall. The hardware firewall will be configured to protect the web server as well as other computers on the network. The web server will be running Red Hat 9.0. Is there any reason to install and configure firewall software such as IPTables on the web server itself?

I don't think that would make sense. If an intruder could exploit the web server to gain root privileges, why would he stop from changing the iptables rules? If you don't trust your firewall, throw it away and get some other. IMO it would make more sense to move the web server into a DMZ instead.

> Are there any advantages or disadvantages to having two firewalls set up this way?

You will have to maintain two rulesets, which will make your firewall more complex and therefore more susceptible to security breaches. IMHO.
Regards
Ansgar Wiechers

---------------------------------------------------------------------------
Evaluating SSL VPNs? Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
---------------------------------------------------------------------------
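As an added illustration of the host-level ruleset Mitchell argues for (this is example code written for this archive page, not something any poster in the thread supplied), the script below generates an iptables policy for a Red Hat web server that already sits behind a perimeter firewall. The host rules are deliberately narrower than a perimeter rule that covers every device: only TCP 80 and 443 are reachable from anywhere, SSH is accepted only from a management subnet, everything else is dropped by the INPUT chain's default policy and logged at a bounded rate so that traffic which got past the perimeter (or originated inside the enclave) leaves evidence in the host's syslog. Ansgar's objection stands: once an intruder has root on the box these rules no longer constrain him; what they do is shrink what is reachable before that point and record attempts. The interface name eth0, the management subnet 10.0.100.0/24 and the log prefix are assumed values chosen for the example. The ruleset is emitted in iptables-restore(8) format rather than applied directly, so it can be reviewed and kept under version control; loading it needs root and is a separate function.

```shell
#!/bin/sh
# Added example: host-level iptables policy for a web server behind a
# perimeter firewall. WEB_IF and MGMT_NET are assumed values for
# illustration; override them in the environment for a real host.

WEB_IF="${WEB_IF:-eth0}"
MGMT_NET="${MGMT_NET:-10.0.100.0/24}"

# Emit the ruleset in iptables-restore(8) format (lines starting with '#'
# are ignored by iptables-restore) so it can be reviewed before loading.
gen_web_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, plus replies to connections this host already accepted or initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# the only services meant to be reachable from outside the host
-A INPUT -i ${WEB_IF} -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i ${WEB_IF} -p tcp --dport 443 -m state --state NEW -j ACCEPT
# administration: SSH only from the (assumed) management subnet
-A INPUT -i ${WEB_IF} -p tcp -s ${MGMT_NET} --dport 22 -m state --state NEW -j ACCEPT
# rate-limited ping so network monitoring keeps working
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log, at a bounded rate, whatever the default DROP policy is about to discard
-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "HOSTFW DROP: " --log-level 4
COMMIT
EOF
}

# Review helper: list the TCP ports the ruleset opens to new connections,
# so the host policy can be compared against what the perimeter allows.
exposed_tcp_ports() {
    gen_web_ruleset | sed -n 's/.*-p tcp .*--dport \([0-9]*\).*/\1/p' | xargs
}

# Review helper: succeeds only if the INPUT chain defaults to DROP.
input_policy_is_drop() {
    gen_web_ruleset | grep -q '^:INPUT DROP'
}

# Load the policy. Needs root; not exercised by the review helpers above.
apply_web_ruleset() {
    gen_web_ruleset | iptables-restore
}

# Typical use: write the ruleset to a file for review, then load it as root.
#   gen_web_ruleset > /tmp/hostfw.rules && sh -c 'iptables-restore < /tmp/hostfw.rules'
```

The review helpers are the part worth keeping in a change process: comparing the output of exposed_tcp_ports against the perimeter firewall's rules for this host is the check that the host policy really is more restrictive than the one covering every device, and the LOG rule is what turns a silently dropped packet into a syslog line the host's monitoring can alert on.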
Current thread:
- Re: Firewall on server itself, (continued)
- Re: Firewall on server itself Michael P (Jun 26)
- Re: Firewall on server itself Ansgar Wiechers (Jun 26)
- RE: Firewall on server itself Firegoblin Postmaster (Jun 26)
- Re: Firewall on server itself Mitch Pirtle (Jun 26)
- Re: Firewall on server itself Justin Pryzby (Jun 26)
- RE: Firewall on server itself DeGennaro, Gregory (Jun 26)
- RE: Firewall on server itself Gene LeDuc (Jun 26)
- Re: Firewall on server itself chris (Jun 26)
- RE: Firewall on server itself Depp, Dennis M. (Jun 26)
- Re: Firewall on server itself Ivan Coric (Jun 26)
- Re: Firewall on server itself Mitchell Rowton (Jun 26)
- Re: Firewall on server itself Craig Janssen (Jun 26)