RE: Re[3]: [cobalt-users] wish to Cobalt: suppressing "sensitive" information
- Subject: RE: Re[3]: [cobalt-users] wish to Cobalt: suppressing "sensitive" information
- From: "Jerome Tytgat" <j.tytgat@xxxxxxxx>
- Date: Fri Sep 22 02:57:20 2000
>
> It is also really easy just to update the packages. I guess I am saying
> that keeping up to date on security is not as simple as being in
> 'shy' mode.
> You have to update software--and if you think that not announcing version
> numbers, etc., is a good way of making a hacker's life more difficult, then
> you'd be wrong.
We just need the packages UP TO DATE; we can't simply recompile a kernel
or install .RPMs when they exist on a Cobalt... because of the warranty.
> No, it doesn't depend. I am saying if you are on a shared server, and you
> have files that are publicly accessible then of course they'll be readable
> by other users. It's not a problem--it's how file permissions work.
>
> That's one reason why we a) use different passwords for the db read, stored
> in a non publicly visible folder and b) don't let anyone onto our servers,
> period.
>
> If you want to have files that are not accessible to other people, you
> pretty much need to get your own server.
>
> There aren't too many sys admins that are going to want to come up with a
> method for access control on machines.
I agree with you, but some admins don't have complete control over what is
sold... Sometimes salespeople sell bad things; we all know that, but we
need to handle it. Of course it's our fault if something happens, but we simply
want the possibility of protecting the users' directories correctly (if you
can't access the directory, you can't access the files; that's why I'm talking
about directories).
>
> No, having a firewall isn't necessary. There are many issues involved with
> running a firewall in front of a web server.
>
> So running a firewall is not the only, or even the most desirable method for
> filtering packets. We use IPChains as a tcp wrapper. This software is
> commonly used in firewalls. It is quite simply a firewall to the kernel.
>
> a) latency
> Adding an additional box that filters stuff will add latency to your
> network.
Huh???? We have a firewall... maybe we are losing 1 or 2 ms....
Most recent firewalls can handle two or three networks without
losing any latency... three FE cards do the job easily, and I'm sure your
Internet connection is not more than 10 Mbit/s... In fact we have 4 quad
FE cards... all used. And it's a low-cost firewall.
> b) single point of failure (we can stay running if one web server catches
> fire)
> If your firewall is down you're out of business. Unless you want to have a
> firewall to each machine. Which is what we essentially have using IPChains.
Good thing and bad thing: you have to administer each web server (how
many web servers do you have???? We have more than 200...). IPchains can help,
sure, but you can't be on each server looking at it. If you centralize all
the activity, you control all the activity, which is the most important thing
for us.
And IPchains is not stateful inspection... I'm not saying IPchains is not
good, it does the job. But it's not as efficient as a Cisco PIX or a Checkpoint
Firewall-1...
That's why the next generation of firewall on Linux is Netfilter. Use
Netfilter or IPfilter for your box, really better than IPChains.
> c) can't easily be adapted by intrusion detection systems
> We're able to detect attacks and immediately modify the firewall rules
> based on this--something that may be difficult if you had an external
> firewall.
No problem on that point; we have several sniffers and an analyser on each
point we want to listen to. It's working well. I won't build a detection
system and a protection system on each server... Unmanageable!
> d) misc. 'problems' (confirmation issues, vendor software updates, rack
> space, etc., etc. etc.)
> Most firewalls take a 2U, some take 1U, some more than 2U. That is more
> space than your server. Kind of negates the effectiveness of a low form
> factor.
One firewall for 2 U is worth the cost; a Cisco PIX takes 1 U.
The problems you're describing (confirmation issues, vendor software updates,
etc etc etc) are common to all software and hardware. Most security software
manufacturers are aware of security issues and try to correct them in the
shortest time.
BUT, they are expensive; IPchains is free. On a Linux box you control, you
can add security patches and improvements (such as Bastille Linux, Medusa,
kernel patches, add Snort or Shadow for the IDS, etc etc).
You can build a mostly secure box with Linux; of course it doesn't have all
the security enhancements that a PIX or an FW1 has, but it's free, it does the
job and it does it well.
On your Cobalt box, you don't have a secure box which can be used without a
firewall...
You can't simply add the patch...
Yes, Cobalt is not made for that; that's why we have a firewall. I don't
think I'll put a Cobalt box directly on the Net.
- JT
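As an added illustration of the stateless-vs-stateful point raised in the message above (example code written for this page, not from the cobalt-users thread or from any firewall product): a toy packet filter in both styles, run over a constructed three-packet trace so the difference is visible. The addresses, ports, and the `Packet`, `stateless_allow` and `StatefulFilter` names are assumptions, and the model ignores everything real conntrack does beyond remembering a flow.

```python
# Added example (not from the cobalt-users thread): a toy model of the difference
# between a stateless packet filter (ipchains-style) and stateful connection
# tracking (netfilter/iptables, PIX, FW-1 style). Addresses and the packet
# trace are constructed; 192.0.2.0/24 etc. are documentation ranges.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

WEB = "192.0.2.10"   # hypothetical web server behind the filter

def stateless_allow(p):
    """ipchains-style rule set: accept new connections to the web port, and
    accept any packet carrying ACK as an approximation of 'established',
    because a stateless filter keeps no memory of earlier packets."""
    if p.dst == WEB and p.dport == 80:
        return True
    return p.ack

class StatefulFilter:
    """Stateful inspection: a packet is accepted only if it opens a connection
    to the web port or belongs to a connection already recorded in the table."""
    def __init__(self):
        self.table = set()

    def allow(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.dst == WEB and p.dport == 80 and p.syn and not p.ack:
            self.table.add(flow)   # new connection: remember it
            return True
        return flow in self.table  # otherwise only packets of known flows pass

# Constructed inbound trace: a legitimate HTTP connection, then a stray
# ACK-flagged packet aimed at sshd from a host that never opened a connection.
TRACE = [
    Packet("198.51.100.7", 40001, WEB, 80, syn=True),   # client SYN
    Packet("198.51.100.7", 40001, WEB, 80, ack=True),   # client ACK / data
    Packet("203.0.113.9", 5555, WEB, 22, ack=True),     # unsolicited ACK to sshd
]

def compare(trace):
    """Return (stateless decisions, stateful decisions) for the same trace."""
    sf = StatefulFilter()
    return [stateless_allow(p) for p in trace], [sf.allow(p) for p in trace]

if __name__ == "__main__":
    for p, a, b in zip(TRACE, *compare(TRACE)):
        print(f"{p.src}:{p.sport} -> :{p.dport}  stateless={a}  stateful={b}")
```

The third packet is the one that matters: the stateless filter passes it on the strength of the ACK flag alone, while the stateful filter drops it because no recorded connection matches.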