Security Basics mailing list archives

Re: Question about firewalls.


From: khayes () eastbay com
Date: Thu, 22 May 2003 13:02:13 -0500


I for one have always been a strong proponent of single purpose firewalls
for just that reason.  Sure your firewall config may be strong as a 15'
stone wall but what about all the other secondary services running?  As you
said, all it would take is one vulnerability in those services to be
exploited and BANGO!... there goes the whole house of cards.

Weigh the time and effort you'll spend recovering from a breach into your
LAN compared against the few dollars a month you'll spend running another
machine.  If you're really concerned about the few dollars a month, don't
run a monitor on the hardware.  Either get a KVM or just remote onto the
machine if you need to do any administrative work.  You'd be surprised at
how much a monitor costs to run 24/7.

Ken Hayes
Network Administrator
Eastbay / Footlocker.com
Wausau, WI Offices
(715) 261-9573
khayes () eastbay com



"Allan Schon" <allanschon@mckinleymachinery.com>
05/21/2003 12:43 PM

To:      <security-basics () securityfocus com>
cc:
Subject: Question about firewalls.




I have a quick question about basic network/firewall setup.

I am about to move into a new apartment, and am taking the opportunity to
rethink the way I have my private network set up.  I currently have a  box
running Slackware Linux v9.0 running iptables as the main firewall/gateway
to my broadband connection.  I also have web, mail, ssh, and a couple other
servers running on that machine.  My desktop computer runs WinXP, and my
roommates each run Win98.  I have a few extra boxes sitting in a closet
collecting dust, and I was thinking about bringing them online.

Would I gain any security by dedicating one machine to firewall/NAT
functionality and forwarding ports on to another host? The only advantage I
can think of is that a root exploit on any of the services I allow through
the firewall would essentially give the attacker free rein over my entire
network, instead of just the single machine.  The primary disadvantage is
the one which my wallet will experience, as keeping another machine running
24/7 will increase the electricity bill somewhat.  Do you think that the
real gain in security (if any) is worth the added cost?

--
Allan

---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check Point,
Hacking & Assessment, Cisco Security, Wireless Security & more! Register
Now!
--UP TO 30% off classes in select cities--
http://www.securityfocus.com/Vigilar-security-basics
----------------------------------------------------------------------------
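The dedicated firewall/NAT box that Allan asks about and Ken recommends, as an added example that is not from either poster: the firewall publishes only the forwarded ports, listens for nothing from the Internet itself, and keeps the server on its own segment so a root exploit there does not reach the LAN desktops. The interface names, addresses and the three-NIC layout are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example: ruleset for a single-purpose firewall/NAT box that
# publishes a few ports to a server on its own segment and runs no services
# of its own. Assumed topology (not from the thread): eth0 = WAN, eth1 = LAN
# 192.168.1.0/24 (desktops), eth2 = DMZ 192.168.2.0/24 holding the
# web/mail/ssh server at 192.168.2.10. fw_rules only prints the ruleset in
# iptables-restore format; it changes nothing on the machine it runs on.
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
SERVER=192.168.2.10
FWD_PORTS="22 25 80"        # the services exposed through the firewall

fw_rules() {
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  for p in $FWD_PORTS; do
    # Each published port lands on the DMZ server, never on the firewall itself.
    echo "-A PREROUTING -i $WAN -p tcp --dport $p -j DNAT --to-destination $SERVER:$p"
  done
  echo "-A POSTROUTING -o $WAN -j MASQUERADE"
  echo COMMIT
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # The firewall accepts nothing from the Internet: no web, mail or ssh here.
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT"   # admin ssh from the LAN only
  echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for p in $FWD_PORTS; do
    echo "-A FORWARD -i $WAN -o $DMZ -d $SERVER -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  # Containment: a compromised server cannot open connections into the LAN,
  # and every attempt is logged so the compromise gets noticed.
  echo "-A FORWARD -i $DMZ -s $DMZ_NET -d $LAN_NET -m state --state NEW -j LOG --log-prefix DMZ-to-LAN:"
  echo "-A FORWARD -i $DMZ -s $DMZ_NET -d $LAN_NET -m state --state NEW -j DROP"
  echo "-A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -j ACCEPT"   # server may reach the Internet (mail delivery)
  echo "-A FORWARD -i $LAN -s $LAN_NET -j ACCEPT"           # desktops reach both the Internet and the DMZ
  echo COMMIT
}

fw_rules
```

Review the printed ruleset, then load it on the firewall with `fw_rules | iptables-restore`; the LOG line is what to watch in syslog after the server is exposed.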