Ray Olszewski wrote:
>
> This would probably be a good topic to explore further, either here or on
> the -devel list, and that is why I am bothering to reply at all. It is (or
> may be) a concrete, and potentially widespread, instance of a general
> problem with firewalling ... what is the difference between a tunnel and a
> hole? If users can run software that punches hard-to-find holes in firewalls
> (and we know they can, as a general matter), what's a sysadmin to do?
Yup, an interesting topic! My personal ten cents is that too many sysadmins are not doing a good network analysis to start with... what needs to be protected, and why? What has to talk to the outside, and why? A combination of firewalls, proxy servers, IPsec, internal virtual networks and tunnels, stateful packet inspection, etc., while not guaranteeing anything, does make it possible to make a graded effort at protection within a view of specific guideline criteria.

Anyone in this line of work for a living knows that all the software run inside your network by your ever-faithful users/clients is the stuff that really gives you fits and makes for nightmares at night. Keeping stuff inside is at least as important as keeping stuff out.

The comment above on internal clients running tunneling software... you will have to go to stateful inspection, in addition to enforcing bottlenecks via proxies or other methods, in order to control or limit them; i.e., firewall rules, etc., have to be just as tight on what goes out (protocol & IP) as on what comes in.

Like my bumper sticker says, "Linux, it's not just for breakfast anymore!" That breakfast bowl that used to hold all of it has been outgrown a little as both Linux and internet/networking technologies have exploded in size. Firewalling and security isn't very simple anymore either; it requires a continual learning curve for the administrator.

Watching the list, there's a number of people that want multiple apps running on the firewall... I've never done that in the business world, as I'm one of the ones that falls on the side that a firewall is a firewall. If you need something else, fire off another server. One size doesn't fit all, and this goes back to my original and main point here: you have to do a strenuous network analysis to determine what your security posture requirements are, and then build it. Keep it modular and layered. It makes it much easier than rebuilding an entire network when it comes time to change your security model.

Just some comments learned through several years in the commercial world; maybe it will help someone, maybe it won't. <grin> At any rate, to Charles and the others who build and maintain LEAF variants, your efforts are truly appreciated.

Sam

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
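As an added illustration of Sam's point (this is example code written for this page, not anything from the thread or from LEAF): the model below encodes an egress policy that is as tight as the ingress policy, restricting outbound traffic by source host, protocol and port so that LAN clients can only reach a proxy and an internal resolver, and only those two bottleneck hosts may talk to the outside. A minimal state table then admits inbound packets only when they are replies to an outbound flow the egress rules already accepted. The addresses, hosts and flows are constructed for the example; the rules are expressed in Python rather than as an ipchains/iptables script so the decisions can be checked offline.

```python
"""Added example: a default-deny egress policy with proxy/resolver bottlenecks,
plus a minimal state table so inbound traffic is only ever reply traffic.
The addresses, hosts and flows below are constructed for illustration; this is
a model of the rule logic, not a LEAF or iptables/ipchains ruleset."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed network: LAN clients, a web proxy and a caching resolver.
LAN = ip_network("192.168.1.0/24")
PROXY = ip_address("192.168.1.2")
RESOLVER = ip_address("192.168.1.3")


@dataclass(frozen=True)
class Flow:
    src: str     # source IP
    dst: str     # destination IP
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


def is_lan(ip):
    return ip_address(ip) in LAN


# Ordered egress rules, first match wins; anything unmatched is dropped.
# Outbound is restricted by source host, protocol and port just as tightly
# as inbound, so a client cannot reach the internet directly.
EGRESS_RULES = [
    # LAN clients may only reach the proxy's listening port ...
    (lambda f: is_lan(f.src) and ip_address(f.dst) == PROXY
               and f.proto == "tcp" and f.dport == 3128, "ACCEPT"),
    # ... and the internal resolver.
    (lambda f: is_lan(f.src) and ip_address(f.dst) == RESOLVER
               and f.dport == 53, "ACCEPT"),
    # Only the proxy may open HTTP/HTTPS to the outside.
    (lambda f: ip_address(f.src) == PROXY and not is_lan(f.dst)
               and f.proto == "tcp" and f.dport in (80, 443), "ACCEPT"),
    # Only the resolver may send DNS outside.
    (lambda f: ip_address(f.src) == RESOLVER and not is_lan(f.dst)
               and f.dport == 53, "ACCEPT"),
]


def egress_verdict(flow):
    """Return ACCEPT or DROP for a new outbound flow (default deny)."""
    for matches, verdict in EGRESS_RULES:
        if matches(flow):
            return verdict
    return "DROP"


class StateTable:
    """Stateful inspection in miniature: inbound packets are accepted only
    when they reverse an outbound flow the egress policy already allowed."""

    def __init__(self):
        self.established = set()

    def outbound(self, flow):
        verdict = egress_verdict(flow)
        if verdict == "ACCEPT":
            self.established.add(flow)
        return verdict

    def inbound(self, src, dst, proto, sport):
        reverse = Flow(src=dst, dst=src, proto=proto, dport=sport)
        return "ACCEPT" if reverse in self.established else "DROP"


def run_scenario():
    """Constructed flows a sysadmin would want to see decided."""
    fw = StateTable()
    client, outside = "192.168.1.50", "203.0.113.9"
    return {
        # A user's tunnel straight to an external host on 443: blocked.
        "client_direct_443": fw.outbound(Flow(client, outside, "tcp", 443)),
        # SSH straight out from a client: blocked.
        "client_direct_ssh": fw.outbound(Flow(client, outside, "tcp", 22)),
        # Direct DNS to an outside server (a DNS-tunnel path): blocked.
        "client_direct_dns": fw.outbound(Flow(client, outside, "udp", 53)),
        # The sanctioned path: client to proxy, proxy to the web.
        "client_to_proxy": fw.outbound(Flow(client, str(PROXY), "tcp", 3128)),
        "proxy_to_web": fw.outbound(Flow(str(PROXY), outside, "tcp", 443)),
        # Reply from the web server to the proxy matches state: accepted.
        "reply_to_proxy": fw.inbound(outside, str(PROXY), "tcp", 443),
        # The same packet aimed at a client has no matching state: dropped.
        "unsolicited_to_client": fw.inbound(outside, client, "tcp", 443),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24s} {verdict}")
```

The scenario shows what the egress rules buy and what they do not: a client's direct tunnel on 443, 22 or 53 never leaves the LAN, but a tunnel carried over the sanctioned path (HTTP CONNECT through the proxy, or DNS queries through the resolver) still reaches the outside, because to the packet filter it is indistinguishable from legitimate traffic. That residual hole is exactly why the bottleneck hosts have to do the inspection the packet filter cannot.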