On Sun, Feb 29, 2004 at 12:53:02PM +1300, Yuri de Groot wrote:
> > Here's a simple question with potentially complex answers.
> >
> > I know how to lock down a naked Windows XP machine for
> > suitable internet security, which usually involves
> > antivirus scanners, firewalls and not using IE.
> >
> > So here's the question. What kind of things should I do
> > with a naked Mandrake installation to properly secure it?
> I've read through the other answers to this post, and no-one
> made the most important observation:
It's not the most important. Running a firewall in front of your
desktop machine does not provide any protection against a whole host of
problems, such as application-level flaws.
Think about a worm that takes advantage of a hole in your mail client,
and sends itself to everyone in your addressbook (sound familiar?). If
you're not keeping up to date with patches, the hole is left open.
Unless you're blocking outgoing TCP traffic on port 25 at your firewall
(which is quite unlikely, unless you're running an internal mailserver
which is given explicit access), you're allowing the worm to propogate.
> No Desktop OS should be directly connected to the Internet.
This is misinformed. A properly secured host (up to date with the
latest patches, and running a packet filter as a 'last resort' for an
additional level of protection) is not significantly less secure than a
seperate firewall driven by a point-and-drool GUI interface. In fact,
it's quite common for people with said seperate firewalls to have a
false sense of security.
> Firewalls like IPCop or Smoothwall can run on very modest
> hardware (486, maybe 386).
There are many good reasons to have a seperate box acting as a
firewall/gateway. However, it is certainly not a requirement, and is
not the first and only step you need to take to secure your network. In
addition to that, you have to weigh up the power requirements of an old
machine--those 486s use more power than you think.
-mjg
--
Matthew Gregan |/
/| [EMAIL PROTECTED]
