Jeyes, David (371) on Thu, 30 Jan 2003 12:30:34 -0500
Title: RE: [PLUG] firewall risk

> From: Jeff Abrahamson wrote:
IANASG (I am not a security guy). The trick there is that if your mail server is receiving POP3, then your firewall _must_ be forwarding traffic on that port. Which means that if your mail package is not patched, then you're leaving your server vulnerable. LeRoy's point was that your firewall should not accept traffic on any port from the inside. If you have IP masq and your firewall's unnecessary ports aren't blocked, you could be more vulnerable to a half-open attack (where the attacker sends an ACK packet to fool your firewall into thinking it is an established connection on XYZ port). This is where stateful is much better.

> I could be slicker and refuse other connections, but does it matter
If your firewall is stateful it can get rid of the bad traffic before it gets to your server (i.e. another layer of security). Also, if you run Windows clients, this obviously becomes much more important. But you're 100% right when it comes down to it: if you run a tight *nix network then you shouldn't _need_ a firewall. Interestingly enough, one of the IRC admins for 2600 told me that he doesn't use firewalls at home (no Win clients), and he's not a lightweight; he is also an Infosec mgr for a very reputable company. But you have to run a really tight network. His words of wisdom were to use a hardware firewall, FWIW, since otherwise it's just another dern box to patch!!

dj
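The "send an ACK to look established" trick that David describes above is easiest to see by running the same packet trace through a stateless filter and a stateful one. The model below is an added example, not code from the thread or from any firewall product; the addresses, port numbers and the five-packet trace are constructed. The stateless filter uses the old idiom of accepting any inbound packet that carries ACK (the assumption being that only replies to inside-initiated connections have ACK set); the stateful filter only accepts inbound packets that match a flow actually opened from the inside, plus new SYNs to the one forwarded service (POP3, tcp/110) on the mail server.

```python
"""Stateless vs. stateful filtering in front of a mail server that must
accept POP3 from outside.  Added example; all addresses and the packet
trace are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

INSIDE_NET = "192.168.1."        # constructed LAN prefix (behind IP masq)
MAIL_SERVER = "192.168.1.10"     # constructed address of the POP3 server
POP3 = 110


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]        # subset of {"SYN", "ACK", "FIN", "RST"}

    @property
    def inbound(self) -> bool:
        return (not self.src.startswith(INSIDE_NET)) and self.dst.startswith(INSIDE_NET)


def is_new_pop3(pkt: Packet) -> bool:
    """A connection-opening SYN (no ACK) aimed at the forwarded POP3 port."""
    return (pkt.dst == MAIL_SERVER and pkt.dport == POP3
            and "SYN" in pkt.flags and "ACK" not in pkt.flags)


def stateless_allow(pkt: Packet) -> bool:
    """No connection table.  Rules, in order:
       1. anything outbound: accept
       2. new SYN to mail server tcp/110: accept
       3. inbound with ACK set: accept (assumed reply to an inside connection)
       4. else drop
    Rule 3 is the hole: an attacker can set ACK on a packet to any port."""
    if not pkt.inbound:
        return True
    if is_new_pop3(pkt):
        return True
    return "ACK" in pkt.flags


class StatefulFilter:
    """Tracks flows opened from inside; inbound packets must match one of
    those flows or be a new SYN to the single permitted service."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.table: set = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # outbound: remember the flow so its replies are recognised
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            return True                      # genuine reply to an inside flow
        if is_new_pop3(pkt):
            self.table.add(key)              # permitted inbound service
            return True
        return False                         # unsolicited, ACK flag or not


def run_trace() -> List[Tuple[str, bool, bool]]:
    """Run a constructed trace through both filters.
    Returns (label, stateless_verdict, stateful_verdict) per packet."""
    trace = [
        ("outbound web SYN",
         Packet("192.168.1.20", 40000, "203.0.113.5", 80, frozenset({"SYN"}))),
        ("web reply SYN/ACK",
         Packet("203.0.113.5", 80, "192.168.1.20", 40000, frozenset({"SYN", "ACK"}))),
        ("pop3 SYN to mail server",
         Packet("198.51.100.7", 51000, MAIL_SERVER, POP3, frozenset({"SYN"}))),
        ("spoofed ACK to ssh",           # the half-open trick from the thread
         Packet("198.51.100.9", 4444, MAIL_SERVER, 22, frozenset({"ACK"}))),
        ("attacker SYN to ssh",
         Packet("198.51.100.9", 4445, MAIL_SERVER, 22, frozenset({"SYN"}))),
    ]
    stateful = StatefulFilter()
    return [(label, stateless_allow(p), stateful.allow(p)) for label, p in trace]


if __name__ == "__main__":
    for label, sl, sf in run_trace():
        print(f"{label:28s} stateless={'ACCEPT' if sl else 'DROP':6s} "
              f"stateful={'ACCEPT' if sf else 'DROP'}")
```

The only packet on which the two disagree is the bare ACK to tcp/22: the stateless filter waves it through as an "established" reply, the stateful one drops it because no inside host ever opened that flow. In iptables terms this is the difference between the old `! --syn` style of rule and `-m state --state ESTABLISHED,RELATED`, which consults the kernel's connection table rather than trusting the flag bits the sender chose to set.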