PLEX86  x86- Virtual Machine (VM) Program

Firewall security: Problems with simple Samba file share 3576



Peter T. Breuer

Firewall security: Problems with simple Samba file share 3577
So you want him to have two firewalls, in series? It's harder if it's a hardware...

No. I'm saying he's put all of his protection on one device. That's something that might have its own weakness: it's hardly unheard of for a firewall device to be compromised. If so, that's a foot in the door, and I'd rather have that simply be the first lock encountered, not the only.

First, you and I do not know that the "other machines" are not, in fact, Windows. It's quite common, you know: here in my office I have several Linux boxes, a Mac, and a Windows XP machine, plus a few test boxes that might be running almost anything at any given moment.

Yes, though firewalls keep track of packets that belong to conversations that originated from within and treat those differently. That can be fooled, of course, but that isn't as easy as having an open invitation to walk in the door, is it?

Firewall security: Problems with simple Samba file share 3578
Peter T. Breuer I don't care what HE does. But two firewalls is indeed what I do. Firewalls...

True. But software does have problems now and then, both in design and in configuration. I may (and do) wish to allow various services within my network. Each is configured that way as you suggest. But why should I trust to only that? I don't: even though the service specifically isn't listening for outside connections, and even though its configuration may tell it to reject any that somehow arrive, I think it only makes sense to also have iptables block it, and to do the same at my hardware firewall.

Firewall security: Problems with simple Samba file share 3579
John Hasler Yes, I'm referring to what we've been calling hardware firewalls, which of course really are just dedicated purpose computers and might even be running Linux themselves in some cases.. but...

Actually some types of firewalls do full packet inspection and can block trojans and other unpleasantries.

I don't agree. A software firewall is also of value on an internal machine with only one network connection. Agreed, you absolutely should turn off services also. But services can be accidentally (or otherwise) turned on or misconfigured due to ignorance or design flaw. Many, many times I have seen people allow more access than they intended - especially with web servers.

Windows machines are an unfortunate necessity in many networks, both business and home. That's just reality. I'd prefer a different world, but I have to deal with what is, not with what I'd like.

-- Tony Lawrence
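
The layering argued for in this post (a service bound only to inside addresses and also blocked by iptables) can be checked mechanically. The following is an added example, not code from the thread or its posters: it assumes a LAN of 192.168.1.0/24, `ss -H -tln` and `iptables -S INPUT` output in the constructed samples shown, and a deliberately simplified reading of the rules; the service's own access settings are not checked.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal network

# Constructed sample of `ss -H -tln` output (not taken from the thread).
SS_SAMPLE = """\
LISTEN 0 50  192.168.1.10:445  0.0.0.0:*
LISTEN 0 50  0.0.0.0:139       0.0.0.0:*
LISTEN 0 128 127.0.0.1:631     0.0.0.0:*
LISTEN 0 128 [::]:22           [::]:*
"""
# Constructed sample of `iptables -S INPUT` output.
IPT_SAMPLE = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

def bound_inside(host):
    """Bind layer: socket listens only on loopback or a LAN address."""
    host = host.strip("[]").split("%")[0]
    if host == "*":
        return False
    ip = ipaddress.ip_address(host)
    return ip.is_loopback or ip in LAN

def firewall_limits(port, rules):
    """iptables layer (simplified): default policy is DROP and every ACCEPT
    rule naming this port is restricted to a source inside the LAN.
    Rules without --dport (loopback, conntrack) and multiport are ignored."""
    policy_drop = False
    for tok in (line.split() for line in rules.splitlines()):
        if tok[:2] == ["-P", "INPUT"]:
            policy_drop = tok[2] == "DROP"
        elif ("ACCEPT" in tok and "--dport" in tok
              and tok[tok.index("--dport") + 1] == str(port)):
            src = tok[tok.index("-s") + 1] if "-s" in tok else "0.0.0.0/0"
            if not ipaddress.ip_network(src).subnet_of(LAN):
                return False
    return policy_drop

def audit(ss_out, rules):
    """Map each listening port to the layers that do NOT protect it."""
    findings = {}
    for f in (line.split() for line in ss_out.splitlines()):
        if len(f) < 4:
            continue
        host, _, port = f[3].rpartition(":")
        missing = [name for name, ok in (
            ("bind", bound_inside(host)),
            ("iptables", firewall_limits(int(port), rules))) if not ok]
        if missing:
            findings[int(port)] = missing
    return findings

if __name__ == "__main__":
    for port, missing in audit(SS_SAMPLE, IPT_SAMPLE).items():
        print(port, "missing layers:", ", ".join(missing))
```

A port reported with one missing layer is relying on a single lock; a port reported with both is reachable from outside as far as this host is concerned.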



