From owner-freebsd-security Tue Apr 30 17:51:30 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA27363 for security-outgoing; Tue, 30 Apr 1996 17:51:30 -0700 (PDT)
Received: from arnie.systems.sa.gov.au (arnie.systems.sa.gov.au [143.216.242.3]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id RAA27356 for ; Tue, 30 Apr 1996 17:51:23 -0700 (PDT)
Received: from state.systems.sa.gov.au by arnie.systems.sa.gov.au (PMDF V4.3-7 #13538) id <01I46RTRATRK007O5T@arnie.systems.sa.gov.au>; Wed, 1 May 1996 10:14:14 +1030
Received: from dogbert.systems.sa.gov.au (dogbert.systems.sa.gov.au) by state.systems.sa.gov.au (PMDF V5.0-4 #13538) id <01I46RTDREI80074CB@state.systems.sa.gov.au>; Wed, 01 May 1996 10:13:54 +0930
Received: from jolt.systems.sa.gov.au (jolt.systems.sa.gov.au [143.216.237.8]) by dogbert.systems.sa.gov.au (8.6.12/8.6.12) with SMTP id KAA14197; Wed, 01 May 1996 10:16:51 +0930
Date: Wed, 01 May 1996 10:10:38 +0930
From: Garth Kidd
Subject: Re: FreeBSD & firewalls
In-reply-to: newton@communica.com.au (Mark Newton) "Re: FreeBSD & firewalls" (Apr 30, 10:39)
To: newton@communica.com.au (Mark Newton), kristyn@gnu.ai.mit.edu (Kristyn Fayette)
Cc: freebsd-security@FreeBSD.ORG
Message-id: <960501101757.ZM2871@jolt.systems.sa.gov.au>
MIME-version: 1.0
X-Mailer: Z-Mail 4.0 (4.0.0 Aug 21 1995)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
References: <9604300109.AA15421@communica.com.au>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Apr 30, 10:39, Mark Newton wrote:
> Point 2: Be aware that a single computer doesn't make a very good
> firewall! Simply plonking a UNIX box onto the network between you and
> your ISP is not going to deliver anywhere near what *I* would consider
> acceptable security (what you would consider acceptable may
> legitimately differ, though)
>
> Just my (professional) opinion...
I suspect it's reaching the point where the resources necessary to maintain comprehensive network security are beyond the reach of many sites. Defense in depth with DMZ-style twin router, bastion host and inner peer configurations with dedicated logging hosts and personnel available 24/365 to handle detected intrusion attempts is _expensive_. [*]

Anybody with a permanent connection to the Internet should *expect* to have their firewall breached, and should plan accordingly. Particularly, even though you can't expect to prevent all intrusion attempts, you need to know when one is occurring or, worse, has succeeded; you need someone to clean up the damage and try to plug whatever hole was exploited; and you need regular backups that are stored for quite a while in case someone sneaks in and you don't notice it for a month.

Mark, I expect I'm preaching to the converted in your case :)

Prediction: some major ISPs will begin installing firewalls to protect their customers. The cost of maintaining a comprehensive firewall may well be bearable if spread amongst a few hundred customers. Perhaps firewalling will be an optional extra, suitably priced, so those customers who _insist_ on having "talk" or that don't believe their site will be targeted can be left out in the cold on their demand.

Some US-based single-box firewall vendors offer remote monitoring services. Just plug in a modem and leave a connection open to your vendor, and they'll (allegedly) keep an eye on things for you. I'm not convinced, but it's certainly better than the same box with nobody watching.

Something I'd like to see, though, is some serious discussion of the one-box problem for those that are home-brewing their firewall boxen. What should they do to ensure that they can at least *detect* a successful intrusion?

*: Relying on a single host to protect your network is one extreme [**]. This configuration is, perhaps, the other.

**: I lied. Connecting all of your systems to the Internet and hoping that nobody will find your site interesting enough to hack is the extreme.

-- 
garth@dogbert.systems.sa.gov.au | Garth Kidd
+61-8-207-7740 (voice)          | Network Services Branch
+61-8-207-7860 (fax)            | EDS | Adelaide, AUSTRALIA
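The post above asks what a home-brewed one-box firewall can do to at least *detect* a successful intrusion. The following is an added example, not code from the original message or from FreeBSD: a minimal file-integrity baseline of the kind a practitioner would run against the box's binaries and configuration. Everything in it is my assumption rather than the page's: the manifest format (sha256, size, mode, path per line), the use of SHA-256, and the constructed "intruder" scenario in `demo()`. It assumes the baseline manifest is stored somewhere the box cannot write to (another host, write-protected media) and that the check is run from clean media, because a root-level intruder can otherwise edit the manifest and the checker alike.

```python
"""Tripwire-style integrity check for a single firewall/bastion host.

Added example for the thread above; not code from the original post or from
FreeBSD.  Assumptions (mine, not the page's): the baseline manifest lives
where the box cannot write to it, the checker runs from clean media, and the
manifest format below is invented here.
"""
import hashlib
import os
import shutil
import tempfile

# manifest: relative path -> (sha256 hex digest, size in bytes, permission bits)


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record digest, size and mode of every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # stable walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, devices, sockets
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            manifest[rel] = (hash_file(full), st.st_size, st.st_mode & 0o7777)
    return manifest


def serialize(manifest):
    """One sorted line per file, so the manifest is diffable and easy to ship off-box."""
    lines = ["%s %d %04o %s" % (d, s, m, p) for p, (d, s, m) in sorted(manifest.items())]
    return "\n".join(lines) + "\n"


def parse(text):
    """Inverse of serialize(); the path is last so it may contain spaces."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, size, mode, path = line.split(" ", 3)
            manifest[path] = (digest, int(size), int(mode, 8))
    return manifest


def compare(baseline, current):
    """What changed since the baseline: added, removed and modified files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake bin/ and etc/, then tamper like an intruder."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        files = {  # constructed sample files, not real system binaries
            "bin/login": b"#!/bin/sh\necho real login\n",
            "bin/ls": b"#!/bin/sh\necho real ls\n",
            "etc/inetd.conf": b"telnet stream tcp nowait root /usr/libexec/telnetd telnetd\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
            os.chmod(os.path.join(root, rel), 0o755)

        # Round-trip through the on-disk format, as a real check would.
        baseline = parse(serialize(build_manifest(root)))

        # Intruder activity: trojaned login (same size, different bytes), a new
        # setuid shell, a removed config file, and a permission change on ls.
        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"#!/bin/sh\necho evil login\n")
        with open(os.path.join(root, "bin/.sh"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(os.path.join(root, "bin/.sh"), 0o4755)
        os.remove(os.path.join(root, "etc/inetd.conf"))
        os.chmod(os.path.join(root, "bin/ls"), 0o777)

        return compare(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The trojaned `bin/login` keeps the same size, which is why the check records a digest and not just size and timestamp; the mode change on `bin/ls` is caught without the content changing at all. The caveat the thread is circling is still real: this only detects what a root intruder did not bother to hide, so the manifest and the checker must be kept and run from outside the box that is being checked.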