Jeyes, David (371) on Thu, 30 Jan 2003 12:30:34 -0500



RE: [PLUG] firewall risk



> From: Jeff Abrahamson wrote:
>
> But isn't a port effectively not open if no one listens on it? So it
> doesn't matter than my mail server (inside my firewall) is listening
> for pop3, because the firewall only listens for ssh.
>
Hi Jeff! Congrats btw- more OL.

IANASG (I am not a security guy)

The trick there is that if your mail server is receiving pop3, then your firewall _must_ be forwarding traffic on that port. Which means that if your mail package is not patched, then you're leaving your server vulnerable.

LeRoy's point was that your firewall should not accept traffic on any port from the inside. If you have ip masq and your firewall's unnecessary ports aren't blocked, you could be more vulnerable to a half-open attack (where the attacker sends an ACK packet to fool your firewall into thinking it is an established connection on XYZ port). This is where stateful is much better.

> I could be slicker and refuse other connections, but does it matter
> beyond possible DoS?

If your firewall is stateful it can get rid of the bad traffic before it gets to your server (i.e. another layer of security). Also, if you run windows clients, this obviously becomes much more important.

But you're 100% right when it comes down to it: if you run a tight *nix network then you shouldn't _need_ a firewall. Interestingly enough, one of the IRC admins for 2600 told me that he doesn't use firewalls at home (no win clients), and he's not a lightweight, he is also an Infosec mgr for a very reputable company. But you have to run a really tight network. His words of wisdom were to use a hardware firewall, FWIW, since otherwise it's just another dern box to patch!!

dj
>
> --
>  Jeff
>
>  Jeff Abrahamson  <http://www.purple.com/jeff/>
>  GPG fingerprint: 1A1A BA95 D082 A558 A276  63C6 16BF 8C4C 0D1D AE4B
>
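The stateless-versus-stateful distinction dj draws above (a lone ACK fooling a filter that has no memory of connections), as an added example that is not part of the thread: a toy Python filter over constructed packets with no real network I/O, where a forged ACK for a flow the firewall never saw passes the stateless ACK rule but is dropped by the connection tracker. Addresses, ports and the class names are all made up for the demo.

```python
# Added example (not the thread's code): toy stateless vs stateful filter on constructed packets.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags is a set like {"SYN", "ACK"}

class StatelessFilter:
    """No memory: inbound SYN to an allowed port, or anything carrying ACK, is let in."""
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)

    def outbound(self, pkt):
        return "ACCEPT"                 # nothing about the outbound flow is remembered

    def inbound(self, pkt):
        if "ACK" in pkt.flags:          # cannot tell a real reply from a forged ACK
            return "ACCEPT"
        if pkt.dport in self.allowed_ports and pkt.flags == {"SYN"}:
            return "ACCEPT"
        return "DROP"

class StatefulFilter:
    """Tracks connections; an inbound ACK is accepted only for a flow already known."""
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.flows = set()              # entries keyed as (remote, rport, local, lport)

    def outbound(self, pkt):
        if "SYN" in pkt.flags:          # an inside host opening a connection creates an entry
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "ACCEPT"

    def inbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.flows:           # ESTABLISHED: belongs to a tracked flow
            return "ACCEPT"
        if pkt.dport in self.allowed_ports and pkt.flags == {"SYN"}:
            self.flows.add(key)         # NEW connection to a permitted service (ssh)
            return "ACCEPT"
        return "DROP"                   # lone ACK for an unknown flow lands here

def demo():
    """Run a legitimate reply and a forged ACK (constructed sample packets) through both filters."""
    verdicts = {}
    for name, fw in (("stateless", StatelessFilter({22})), ("stateful", StatefulFilter({22}))):
        fw.outbound(Packet("192.168.1.10", 40000, "203.0.113.5", 80, {"SYN"}))  # inside host browses out
        reply = Packet("203.0.113.5", 80, "192.168.1.10", 40000, {"SYN", "ACK"})  # genuine reply
        forged = Packet("198.51.100.7", 4444, "192.168.1.10", 110, {"ACK"})      # ACK to pop3, no flow
        verdicts[name] = (fw.inbound(reply), fw.inbound(forged))
    return verdicts
```

The stateless filter returns ("ACCEPT", "ACCEPT"), letting the forged ACK reach the pop3 daemon; the stateful one returns ("ACCEPT", "DROP"), which is the extra layer dj refers to.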