|

»

»

Debian secure by default?

View: New views

10 Messages — Rating Filter: Alert me

< Prev | 1 - 2 - 3 | Next >

	Re: Debian secure by default? by Ron Johnson :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/25/08 14:04, Paul Johnson wrote: > On Saturday 24 May 2008 03:49:53 pm Richard Hector wrote: >> On Sat, 2008-05-24 at 11:47 -0700, Paul Johnson wrote: >>> I see no advantage to host-based firewalls that couldn't be better served >>> by a router doing filtering at the edge of the network. There's no >>> reason to expose machines directly to the internet. >> It's perhaps a little excessive to carry a router with you for >> connecting your laptop to public WiFi, or via a cellphone, for instance. > > Don't run services on laptops connected to public wifi or via a cell phone. It's Unix. You've got to run some services! - -- Ron Johnson, Jr. Jefferson LA USA ESPN makes baseball players better. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIObqkS9HxQb37XmcRAo+RAKDuv05mbyJT1ScqUZIpPOXgLfHzCQCdEYgg gfjt3vYAC2VJJpxbhtdkyzM= =seT9 -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-user-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...
	Re: Debian secure by default? by Ron Johnson :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/24/08 17:49, Richard Hector wrote: > On Sat, 2008-05-24 at 11:47 -0700, Paul Johnson wrote: > >> I see no advantage to host-based firewalls that couldn't be better served by a >> router doing filtering at the edge of the network. There's no reason to >> expose machines directly to the internet. > > It's perhaps a little excessive to carry a router with you for > connecting your laptop to public WiFi, or via a cellphone, for instance. > > And many people wouldn't want to bother with a router when they only > have a single desktop computer at home. Use a pico-firewall!!! http://www.yoggie.com/pico-personal Even though it's a little Linux computer, I'm not sure what would happen if you tried it with a Linux laptop. - -- Ron Johnson, Jr. Jefferson LA USA ESPN makes baseball players better. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIObvsS9HxQb37XmcRApMjAJwLty22+3J+UVlkI0mo8quCZtgFtwCgoDr8 OaUSI+DpP97NLo/sO2bceJ4= =477i -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-user-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...
	Re: Debian secure by default? by Damon L. Chesser :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Paul Johnson wrote: > On Saturday 24 May 2008 04:19:20 pm Todd A. Jacobs wrote: > >> On Sat, May 24, 2008 at 11:47:05AM -0700, Paul Johnson wrote: >> >>> I see no advantage to host-based firewalls that couldn't be better >>> served by a router doing filtering at the edge of the network. >>> There's no reason to expose machines directly to the internet. >>> >> Internal threats? A compromised host? Lazy sysadmins? Ignorant users? >> How would your perimeter security help there? >> > > You can't solve social problems with technological means effectively. Odds > are, if they're on your internal network and you consider them a security > threat, you have deeper security problems than can't be solved short of door > locks and ensuring nobody outside can get a connection. > > I hate to say this, but the most threats are in fact internal. Employees running amok. You have to defense against that in a a business environment. -- Damon L. Chesser damon@... http://www.linkedin.com/in/dchesser -- To UNSUBSCRIBE, email to debian-user-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...
	Re: Debian secure by default? by Paul Johnson :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On Sunday 25 May 2008 12:13:55 pm Ron Johnson wrote: > On 05/25/08 14:03, Paul Johnson wrote: > > On Saturday 24 May 2008 04:19:20 pm Todd A. Jacobs wrote: > >> On Sat, May 24, 2008 at 11:47:05AM -0700, Paul Johnson wrote: > >>> I see no advantage to host-based firewalls that couldn't be better > >>> served by a router doing filtering at the edge of the network. > >>> There's no reason to expose machines directly to the internet. > >> > >> Internal threats? A compromised host? Lazy sysadmins? Ignorant users? > >> How would your perimeter security help there? > > > > You can't solve social problems with technological means effectively. > > Odds are, if they're on your internal network and you consider them a > > security threat, you have deeper security problems than can't be solved > > short of door locks and ensuring nobody outside can get a connection. > > What Todd is referring to is Defense In Depth, i.e. a layered defense. I understand what he's getting at, but at the point they're as close as Todd is suggesting, perhaps it would be better to ensure no unnecessary services are running in the first place, and that libpam hasn't been toyed with to be unnecessarily insecure. Who cares what ports are open if the attacker can just visit the machine. -- Paul Johnson baloo@... Explaination of .pgp part: http://linuxmafia.com/faq/Mail/rant-gpg.html signature.asc (196 bytes) Download Attachment
	Re: Debian secure by default? by Paul Johnson :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On Sunday 25 May 2008 12:14:44 pm Ron Johnson wrote: > On 05/25/08 14:04, Paul Johnson wrote: > > On Saturday 24 May 2008 03:49:53 pm Richard Hector wrote: > >> On Sat, 2008-05-24 at 11:47 -0700, Paul Johnson wrote: > >>> I see no advantage to host-based firewalls that couldn't be better > >>> served by a router doing filtering at the edge of the network. There's > >>> no reason to expose machines directly to the internet. > >> > >> It's perhaps a little excessive to carry a router with you for > >> connecting your laptop to public WiFi, or via a cellphone, for instance. > > > > Don't run services on laptops connected to public wifi or via a cell > > phone. > > It's Unix. You've got to run some services! But they don't have to listen to an external interface. -- Paul Johnson baloo@... Explaination of .pgp part: http://linuxmafia.com/faq/Mail/rant-gpg.html signature.asc (196 bytes) Download Attachment
	Re: Debian secure by default? by Ron Johnson :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/25/08 14:28, Damon L. Chesser wrote: [snip] > Employees running amok. What about when Spock runs amok? How will a firewall help? - -- Ron Johnson, Jr. Jefferson LA USA ESPN makes baseball players better. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIOcTjS9HxQb37XmcRAvTdAJ9IXtSOk9LRZs42Gz5L+XxUZfdgoACfQsxX mA2PGZKDdSgw9E+qIbRdckU= =cISa -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-user-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...
	Re: Debian secure by default? by Damon L. Chesser :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Ron Johnson wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 05/25/08 14:28, Damon L. Chesser wrote: > [snip] > >> Employees running amok. >> > > What about when Spock runs amok? How will a firewall help? > of course, it will not, but that is what proper user permission/sudo config is all about. NOTHING will protect you against THE system admin going over to the dark side. But an internal firewall will stop the "casual" snooper looking for mischief. Of course, we all know, the more secure you make it, the less "user friendly" and usable it is. Lines must be drawn, decisions made, policies/trade offs accepted. As for "debian more secure by default", that is what the sys admin is for. You want firewalls stopping everything, set it up. You want box foo walled off, wall it off. (all this added just so we know what we disagree on). But working for a large business, you do have to take the staff into consideration (as a threat). That geek in sales, might have a grudge to bare. That is ALL I was commenting on. You MIGHT want to erect a firewall internally to protect server foo from him, you might not. > - -- > Ron Johnson, Jr. > Jefferson LA USA > > ESPN makes baseball players better. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > > iD8DBQFIOcTjS9HxQb37XmcRAvTdAJ9IXtSOk9LRZs42Gz5L+XxUZfdgoACfQsxX > mA2PGZKDdSgw9E+qIbRdckU= > =cISa > -----END PGP SIGNATURE----- > > > -- Damon L. Chesser damon@... http://www.linkedin.com/in/dchesser -- To UNSUBSCRIBE, email to debian-user-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...
	Re: Debian secure by default? by Ron Johnson :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/25/08 15:45, Damon L. Chesser wrote: > Ron Johnson wrote: > On 05/25/08 14:28, Damon L. Chesser wrote: > [snip] > >>>> Employees running amok. >>>> > > What about when Spock runs amok? How will a firewall help? > > >> of course, it will not, but that is what proper user permission/sudo >> config is all about. NOTHING will protect you against THE system admin >> going over to the dark side. But an internal firewall will stop the It was supposed to be a joke... - -- Ron Johnson, Jr. Jefferson LA USA ESPN makes baseball players better. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIOdHrS9HxQb37XmcRAsGyAJ9H2+mMFcdD9sRzp797OsFXXxeoLwCfbwi+ gA40you1qqTJyRL/G/3zeQg= =J2MV -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to debian-user-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...
	Re: Debian secure by default? by Damon L. Chesser :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Ron Johnson wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 05/25/08 15:45, Damon L. Chesser wrote: > >> Ron Johnson wrote: >> On 05/25/08 14:28, Damon L. Chesser wrote: >> [snip] >> >> >>>>> Employees running amok. >>>>> >>>>> >> What about when Spock runs amok? How will a firewall help? >> >> >> >>> of course, it will not, but that is what proper user permission/sudo >>> config is all about. NOTHING will protect you against THE system admin >>> going over to the dark side. But an internal firewall will stop the >>> > > It was supposed to be a joke... > > - -- > Ron Johnson, Jr. > Jefferson LA USA > > ESPN makes baseball players better. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > > iD8DBQFIOdHrS9HxQb37XmcRAsGyAJ9H2+mMFcdD9sRzp797OsFXXxeoLwCfbwi+ > gA40you1qqTJyRL/G/3zeQg= > =J2MV > -----END PGP SIGNATURE----- > > > never the less, valid. :) -- Damon L. Chesser damon@... http://www.linkedin.com/in/dchesser -- To UNSUBSCRIBE, email to debian-user-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...
	Re: Debian secure by default? by Magnus Therning :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Damon L. Chesser wrote: > Paul Johnson wrote: >> On Saturday 24 May 2008 04:19:20 pm Todd A. Jacobs wrote: >> >>> On Sat, May 24, 2008 at 11:47:05AM -0700, Paul Johnson wrote: >>> >>>> I see no advantage to host-based firewalls that couldn't be better >>>> served by a router doing filtering at the edge of the network. >>>> There's no reason to expose machines directly to the internet. >>>> >>> Internal threats? A compromised host? Lazy sysadmins? Ignorant users? >>> How would your perimeter security help there? >>> >> >> You can't solve social problems with technological means >> effectively. Odds are, if they're on your internal network and you >> consider them a security threat, you have deeper security problems >> than can't be solved short of door locks and ensuring nobody outside >> can get a connection. >> >> > I hate to say this, but the most threats are in fact internal. > Employees running amok. You have to defense against that in a a > business environment. > This is the age-old problem of relying on people that are unreliable. One of the basic solutions to this is explained in agent theory, simply states the goal is to align your business' goals with those of your employees. Easier said than done unfortunately. /M -- Magnus Therning (OpenPGP: 0xAB4DFBA4) magnus＠therning．org Jabber: magnus．therning＠gmail．com http://therning.org/magnus What if I don't want to obey the laws? Do they throw me in jail with the other bad monads? -- Daveman signature.asc (196 bytes) Download Attachment

< Prev | 1 - 2 - 3 | Next >

LightInTheBox - Buy quality products at wholesale price