RE: Shuttle & via epia... now firewalls
> Always wanting to have the last word... :)
Well you're not getting it - I am :]
> >See Mark Harrison's post on what a firewall *should* look like.
> >_that_ is doing the job properly. Your £15 pc is not.
>
> Oh contraire, my £15 Linux based IPCop does a sparkling job...
If it were that wonderful and faultless, there'd be no need for the multi
machine firewalls now would there?
I wonder how many large corporations out there have a $15 firewall
protecting their extremely sensitive data? :)
> >Um...I was simplifying it. That's why there's no need to mention logging
> >etc.
>
> Yes, but the use of Intrusion Detection Systems is quite important...
um...I was SIMPLIFYING it. That means keeping it SIMPLE.
> >My hardware firewall/router opening port 80 only to a specific machine is
> >not the same as going 'look - here's my admin password, and BTW all my NT
> >shares are open to world too'.
>
> No, but one buffer overflow exploit in the software running on port80
> and it may as well be.
You can if and but about anything you like - anything is possible with the
right combination of events.
IF there is a bug in Ipcop then someone could get your admin password too.
Do you KNOW that there is NO possibility of a buffer overflow in IPCop?
Are you SURE it's faultless software?
Oh and BTW, if you're _that_ serious about security, you wouldn't have
revealed that you are running IPCop.
Any hacker on this list now has a good starting point to break into your
network. I haven't told you which solution I'm using :-)
> >Oh so you _are_ going to go for a full on 3+ machine firewall, utilising
> >different OS'es and firewall software at each stage?
> >After all, if _you're_ going to bother, then _you_ do the job properly.
>
> Nope, hiding three machines behind three firewalls would be a bit OTT
> wouldn't it?
You keep saying "if you're going to build a firewall, do it properly"
Now you're saying that it's a bit OTT to do it properly.
At least be consistent in what you are saying.
If you consider it OTT to use a 3 machine firewall, isn't it feasible that
others think it OTT to have a separate firewall at all?
> But if you're going to the trouble of building _a_ firewall then
> don't compromise it by adding other software/jobs to it, which defeats
> the object of the exercise.
If you're going to the trouble of building a firewall then don't compromise
it by using a freebie piece of open source software on a $15 PC.
Since anyone can get hold of the source, then anyone can read through it and
look for the best way round it.
Not so smart now eh? :->
> >Not everyone connects their machines to the net with no security in place
>
> Err, actually most ppl do, fortunately most only connect for short periods
> of time.
Read what I said: "Not everyone" is not the same as "nobody".
I'm not disputing that most ppl do (even if it is a sweeping statement) I am
merely saying that "not everyone" does.
> >Not everyone wants or needs the level of protection afforded by a
> >'proper' firewall.
>
> Mostly because they don't know any better?
No, because they don't need it or don't want it or can't afford a proper 3
machine firewall.
> >Anything less than 'proper' should not be dismissed as totally insecure,
> >which is implied in your email.
>
> Sorry, that wasn't what I meant. My point was that if you're going to do it,
> you may as well do it properly.
Which is what you are NOT doing.
You have a different solution to mine, not a 'proper' solution.
> >Also, have you considered that by going for a 'proper' firewall (what you
> >consider 'proper' (a $15 pc - not a multi machine firewall)) you may in fact
> >increase the likelihood of being attacked?
>
> The firewall is the software, it was written by a bunch of ppl who know what
> they are doing, far more than most. It's then been
> scrutinised by others to make sure its OK.
And presumably scrutinised by others to find the best ways to attack it.
> The platform it runs on is incidental.
Then why, in a multi machine firewall setup, is it recommended that you use
different platforms on at least 2 of the machines?
The reason: To avoid a bug on one platform (and DON'T tell me there are no
bugs in *nux) allowing a hacker into the system as the next machine in the
chain is less likely to suffer from the same problem and thus the attack is
still blocked.
> And surely saying that is like saying you're more likely to
> get burgled because you have an alarm?
I didn't say broken into - I said attacked.
If you are a burglar, do you:
- Go for the unalarmed house?
- Go for the house with a cheap alarm?
- Go for the house with the mid range alarm?
- Go for the top security house with the guard dogs and security cameras?
Depends on the burglar:
- The local yobs out for a laff will go for the house with no alarm
- The semi-pro will go for one of the other two. But which one. The cheap
alarm ppl or the others? hmmm....
If you've spent more money on the alarm, perhaps you have more valuables to
hide. Bingo - go for that one.
- The pro will go for the top security house because that's where the
diamonds are.
ditto, perhaps, in cyberspace.
> The facts suggest otherwise.
You haven't stated any facts so I can't comment on them.
> (Crawls back behind his firewall).
You mean
(Crawls back behind his firewall which 600-odd ppl on the list now know what
it is).
Tony
(Sitting behind his firewall which _nobody_ knows about) :-]]