combining the two messages..

On Wed, 10 Sep 2003, Michel Py wrote:
> >> Brian E Carpenter wrote:
> >> There is no defence against misconfigured routers, except
> >> for well configured routers elsewhere.
>
> > Pekka Savola wrote:
> > For example, for some services I maintain, I have:
> >  - TCP wrappers configuration in the host/service itself,
> >    using /etc/hosts.allow
> >  - The local host firewall settings, doing similar
> >    restrictions as above
> >  - Missing default route on the host, only some selected
> >    routes used
> >  - The first hop router/firewall settings
> >  - A configuration at the site border router
>
> This is not good enough, because it assumes that all hosts have been
> hardened. Good security must prevent data from being sent out even if the
> host has a dumb setup and even if the firewall/SBR has been compromised.
Nope, I don't assume that all hosts have been hardened, at all. There are
certainly some "site internal perimeter" remainder threats left (hack one
box, from there go to another, bypassing the border firewalls), but even
if you used local addressing, this situation would not be any different.
If you're worried about the firewall/SBR being compromised, you add more
of them, make the hosts smarter, or disconnect them from the net.

But still, I don't know what your definition of "good security" buys at
all. Even with local addresses, data could be sent out, for example by
going through another node in the site, or by compromising a router or two
so that you're able to spoof your address to be global and thus not get
filtered.

> > Five layers of security should be enough, you'd think?
> > Even a couple of them might be OK.
>
> Wrong. I have seen multiple times five to six layers of firewalls just
> in the DMZ, plus all the host hardening that you mentioned below.

Right, one can always stack these up infinitely, but for a random joe
schmoe interested in local connectivity, even two would likely be enough.

> To beat you with your own argument: all of these things can be easily
> hacked, therefore there are no reasons to use them. Why are your
> security precautions this different than localized addresses?

Have I made that argument?

> It is as
> easy to hack the hosts.allow as it is to create a tunnel outside.

Incorrect. A properly configured hosts.allow is very secure, especially if
you know what it's useful for.

> Remember the car lock analogy: your host.allow trick is no better than
> the typical car lock: a vaguely clued low-level thief will open it in a
> matter of seconds. And still you use it.

Incorrect. Have you even used hosts.allow? What makes you think it's
easily hackable, instantly abusable by a vaguely clued low-level thief?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
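The thread argues over how much a "properly configured hosts.allow" buys. The following is an added illustration, not part of the mailing-list exchange and not code by any of its participants: a small Python evaluator for a simplified subset of the TCP wrappers access-control syntax (daemon list, client list, `ALL`, dotted-mask or CIDR IPv4 networks, bracketed IPv6 networks), applying the order `tcpd` documents: a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted. The rule text and client addresses are constructed sample values. It leaves out hostnames, `LOCAL`/`KNOWN`, `EXCEPT` and shell commands; for a real installation, `tcpdmatch` from the tcp_wrappers package is the tool for checking rules.

```python
"""Evaluate a simplified subset of TCP wrappers (hosts.allow / hosts.deny) rules.

Added example; constructed rules and addresses, not from the thread.
"""
import ipaddress

# Constructed sample hosts.allow: ssh only from two management networks,
# anything from loopback. Comment lines start with '#', as in tcpd.
HOSTS_ALLOW = """
# management networks may reach sshd
sshd: 192.0.2.0/255.255.255.0, [2001:db8:1::]/64
# loopback may reach every wrapped service
ALL: 127.0.0.1, [::1]
"""

# Constructed sample hosts.deny: the default-deny backstop. Without it,
# tcpd grants access to anything hosts.allow does not mention.
HOSTS_DENY = """
ALL: ALL
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) from rule text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)  # first ':' separates the lists
        rules.append((
            [d.strip() for d in daemons.split(",")],
            [c.strip() for c in clients.split(",")],
        ))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against an ipaddress object."""
    if pattern == "ALL":
        return True
    if pattern.startswith("["):
        # IPv6 forms: [addr] or [net]/prefixlen
        close = pattern.index("]")
        net, rest = pattern[1:close], pattern[close + 1:]
        if rest.startswith("/"):
            return addr in ipaddress.ip_network(net + rest, strict=False)
        return addr == ipaddress.ip_address(net)
    if "/" in pattern:
        # IPv4 net/mask, either dotted mask or prefix length
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rules, daemon, addr):
    """True if any rule matches both the daemon and the client address."""
    return any(
        any(daemon_matches(d, daemon) for d in daemons)
        and any(client_matches(c, addr) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd evaluation order: allow-match grants, deny-match refuses, else grant."""
    addr = ipaddress.ip_address(client)
    if rule_matches(parse_rules(allow), daemon, addr):
        return True
    if rule_matches(parse_rules(deny), daemon, addr):
        return False
    return True


if __name__ == "__main__":
    for daemon, client in [("sshd", "192.0.2.10"), ("sshd", "198.51.100.7"),
                           ("sshd", "2001:db8:1::5"), ("smtpd", "192.0.2.10")]:
        print(daemon, client, "allowed" if access_allowed(daemon, client) else "denied")
    # The same unlisted client with an empty hosts.deny shows the open default.
    print("sshd 198.51.100.7 with empty hosts.deny:",
          access_allowed("sshd", "198.51.100.7", deny=""))
```

The last call in the `__main__` block is the point a practitioner wants to see: the per-service allow list on its own does nothing for clients it does not mention, and only the `ALL: ALL` line in hosts.deny turns the configuration into default deny.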
