Snort mailing list archives

RE: Still Help Needed: i want to make a firewall


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 17 Apr 2003 14:35:26 -0400

At 12:34 PM 4/17/2003 -0500, Paul Schmehl wrote:
> This is a *horrible* "solution".  How does this improve security?


Actually, this is a good solution insofar as servers on which nobody ever web browses will not be as easily taken advantage of by worms that rely on IE to spread once they infect the server. This isn't a comprehensive security solution, but is a part of one. There is no single change to a system that makes it secure, and this certainly isn't a massive improvement and there are ways around it, but it is indeed a small improvement.

It's quite similar to the "by default run no services that aren't needed" principle used by OpenBSD. This way you're forcing people to turn on things as they need them, instead of forcing them to realize on their own what they don't need and turn it off. You're significantly more likely to realize that something you need is disabled than to notice something you don't need that's on.

It is, however, no substitute for other aspects of securing a system. Really you need a wide variety of techniques applied together, and what they've done here IS one of the basic tenets of a secure system (minimal service and/or minimal privilege depending on how you look at it).

Some key aspects of a well secured system that spring to my mind include:

        -minimal necessary service (don't offer services that nobody needs)
        -minimal necessary privilege (don't provide users/programs access to resources they don't need, ie: ACLs, file permissions)
        -code audits (to find/fix bugs before hackers do)
        -defensive code mechanisms (ie: buffer sanity checks, hardware based no-exec, etc. to help prevent unknown holes from being exploited)
        -integrity checking (useful for forensics and figuring out which files got changed if an attack occurs, if nothing else.. ie: properly configured tripwire or aide. And yes, by "proper" I do mean protecting the database and application from being changed).


Admittedly they've not covered every base.. but hey, every little step they take is _something_ and I'll be more than happy to praise MS for taking steps to improve this area (while at the same time criticizing them for any remaining weaknesses).







