The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024
Re: Shuttle & via epia... now firewalls
> > > I would need to open port 80, as am running andromeda.
> > > The alternative would involve opening port 80 on some other machine
> > > inside the network.
> >
> > Well, that's one hole.....
>
> Like I said, I'd need to open up port 80 on some machine on the network
> anyway.
> As long as I ensure the web server software has the latest greatest
> security patches applied to it, then I'm probably okay for most casual
> attacks - unless someone really really really wants to get to my data on
> the internal lan.
If you know what you're doing, it'll be quite secure. No matter how well
you set it up, it will be less secure because of that service.
> > I'd agree with you entirely, but the chances of your machine being
> > compromised, and the hacker being able to use it for whatever
> > (s)he likes
> > are higher if you've added more services to the distro.
> > That's the only
> > point I'm trying to make.
>
> Just as they are higher by only running one machine as your firewall
> instead of the 2 or 3 you _should_ be using - and preferably with
> different OS'es too so that a vulnerability in one will hopefully be
> caught by one of the other machines in the setup (I really must look up
> that book to refresh my memory on the function of each PC in the
> firewall).
ITYF it was something along the lines of....
Internet > firewall > web server > firewall > back end server > firewall > LAN
> > Ah, but you won't get into trouble if someone uses your well
> > locked up gun
> > to shoot someone. However, if you left a licensed gun on the kitchen
> > table, and someone was shot with it, you may be in trouble.
>
> What if it is in a cupboard? :)
Grey area ;-)
> That's what we're talking about here:
> the well locked up gun = 'proper' corporate level lan protection
> the gun on the table = no security whatsoever
> the cupboard is the firewall that is also a media server - better than
> the table, not as good as the secure gun cabinet, but good enough for
> many purposes (how many ppl know you have a gun? and bullets?)
Agreed.
> > Before someone tells me to get off my high horse, I'd like to
> > point out
> > that I am in the process of modifying a firewall distro.
> > Security is not
> > the main aim of the distribution, rather a solution which
> > does not yet exist.
>
> Can't see anyone saying that.
I know, but I feel such a hypocrite :-/
> A totally secure lan at no cost is the ideal
> That will not happen. No system is totally secure and security costs
> money.
>
> I am arguing that it is not always necessary to go for the top security
> system.
> You are arguing that more security is required to prevent joe hacker
> using your machine to attack a government system (Wargames anyone?),
> resulting in a lawyer suing your ass!
> I don't see any horses high or low :)
Sorry, I'm not explaining myself too well. I was just pointing out that
your mewas less secure. Nothing else. I was referring to the other post
that a top lawyer could say that your compromise of the distro was
irresponsible. IANAL, and I really don't care that much. I'll be
modifying my distro to suit, and if it's a good solution for you, then go
for it, as long as you understand the risks. A firewall of any
description is better than none at all.
> > Andy (running a Microsoft firewall at home :-/ )
>
> And you think I'm not secure :-) At least my hardware router is the
> external 'face' of the lan
That's why I feel hypocritical.
Andy
--
Building a community network for Bristol
http://consume.andylaurence.co.uk
- updated 03/07
4x4 in town - bog brush for your teeth
NB: Alternate E-Mail - andylaurence at yahoo dot co dot uk