From owner-freebsd-questions@FreeBSD.ORG Fri Apr 18 18:46:49 2008
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BA29710656C5; Fri, 18 Apr 2008 18:46:49 +0000 (UTC) (envelope-from pauls@utdallas.edu)
Received: from smtp3.utdallas.edu (smtp3.utdallas.edu [129.110.10.49]) by mx1.freebsd.org (Postfix) with ESMTP id 842A98FC15; Fri, 18 Apr 2008 18:46:48 +0000 (UTC) (envelope-from pauls@utdallas.edu)
Received: from utd65257.utdallas.edu (utd65257.utdallas.edu [129.110.3.28]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp3.utdallas.edu (Postfix) with ESMTP id 8A0DF65510; Fri, 18 Apr 2008 13:46:48 -0500 (CDT)
Date: Fri, 18 Apr 2008 13:46:48 -0500
From: Paul Schmehl
To: freebsd-questions@freebsd.org
In-Reply-To: <4808D7F4.8000709@radel.com>
References: <2tng04doovnmtkr7or9kfkb596fgjfoj1c@4ax.com> <20080418191449.212f43d3.gary@pattersonsoftware.com> <1EBA9459C137D287EEE2560D@utd65257.utdallas.edu> <4808D7F4.8000709@radel.com>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: Re: [SSHd] Limiting access from authorized IP's
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Fri, 18 Apr 2008 18:46:49 -0000

--On Friday, April 18, 2008 13:18:44 -0400 Jon Radel wrote:

> Paul Schmehl wrote:
>
>> I see this statement all the time, and I wonder why. What does a
>> firewall on an individual host accomplish?
>>
>> I have maintained publicly available servers for a small hobby domain
>> for almost ten years now. Initially, I bought in to this logic and ran
>> a firewall. (At that time we only had one server.) What it cost me was
>> CPU and memory. What it gained me was nothing. I turned it off. I have
>> never run a firewall on a publicly available host since.
>>
>> Firewalls are for preventing access to running services. By definition,
>> if you are running a service, you want it to be accessed. So firewalls
>> are self-defeating or completely useless at the host level **unless**
>> you don't know what you're doing. For an enterprise they make a great
>> deal of sense. No matter what a user inside your network might do, you
>> can prevent access by simply not allowing traffic on that port.
>
> Yes, in a world where nothing ever breaks, all system administrators
> never make dumb mistakes, and no one ever breaks into your box to
> install services that you certainly wouldn't approve of, the
> defense-in-depth techniques being discussed here are pretty much a waste
> of time. Alas, alack, my machines prove every couple of years that they
> don't live in such a world. Must be me. ;-)
>
>> If *everyone* knew how to properly configure and maintain a host, even
>> enterprise firewalls would be completely unnecessary.
>
> And if you've got users on your network.... Oh, my, users do the
> darnedest things. As one little example: My firewall blocks outbound
> traffic to port 25 from all those pesky workstations to anywhere other
> than the local SMTP servers. Why? Makes me worry just a bit less about
> some Windows box pumping spam out to the world due to an unfortunate
> choice made by a user. I doubt there's an enterprise in the world where
> every user both knows enough about host security *and* is disciplined
> enough to apply that knowledge every minute of every day.
>

Let me clarify. When I use the term "host", I'm referring to what many
would call a "personal workstation" or "personal computer". If you have
more than one person who has shell access to a computer, then you no
longer have a host. You have a server. Sure, you may not think of it
that way, but that's what it is. Servers are a completely different
ballgame, and the decisions you make regarding protecting them have
everything to do with who has access to what.

The servers that I referenced in my post have one person with root
access - me - and one user - the owners. No one else has access. So,
it's a great deal easier for me to lock down the boxes than it is, for
example, here at work, where *many* people have shell access and more
than one have root access through sudo or even su.

> But then, I'm the guy who takes the time to put on his seatbelt each and
> every time he starts the car, despite never, not once, having to
> actually use it in 3 decades of driving.
>

Well, that was the point I was trying to make. A firewall might be
analogous to a big rubber bumper that surrounds your car. *If* you get
hit, it provides some protection, but you *still* have to be able to use
the doors, open the hood and the trunk, carry passengers, etc. So, why
do you wear your seatbelt? Because it provides protection *even when*
the bumpers fail.

We think about security from the outside in when we should be thinking
about security from the inside out. The firewall should be the *last*
thing you think about *after* you've already taken all the precautions
you can to make the firewall completely unnecessary. In today's world,
all too often, people think they can not patch, not run antivirus, not
do this, not do that, and everything will be fine because the firewall
is protecting them. It's foolish and a false sense of security.

What we *should* be doing is making sure the door locks function
correctly (going back to the car analogy), the seats are properly
anchored, the engine is properly maintained, the hood is properly
closed, etc., etc. and *then* check to see if the bumper is in place.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
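The two concrete firewall measures this thread touches on are Jon's egress rule (workstations may speak SMTP only to the local mail servers) and the subject line's goal of exposing sshd only to authorized addresses. The pf ruleset below is an added illustration of both written for this editorial pass; it is not configuration posted by Jon Radel or Paul Schmehl. The interface names, subnets, relay addresses and the admin addresses in the table are all assumptions chosen for the example.

```pf
# Added example, not from the original thread. Interface names, networks
# and addresses are assumptions; substitute your own before loading.

ext_if = "em0"                      # assumed Internet-facing interface
int_if = "em1"                      # assumed workstation LAN interface
workstations = "192.168.10.0/24"    # assumed workstation subnet
mail_relays = "{ 192.168.1.25, 192.168.1.26 }"   # assumed local SMTP servers

# Addresses allowed to reach sshd on this box (assumed values). A table
# can be edited at runtime without reloading the ruleset:
#   pfctl -t ssh_admins -T add 203.0.113.7
table <ssh_admins> persist { 203.0.113.7, 198.51.100.0/28 }

set skip on lo0
block log all                       # default deny in both directions

# Jon's rule: workstations may talk SMTP only to the local relays.
# "quick" on both rules stops evaluation at the first match, so the
# narrow pass must come before the broad block.
pass in quick on $int_if proto tcp from $workstations to $mail_relays port 25
block in log quick on $int_if proto tcp from $workstations to any port 25

# Everything else from the workstations is allowed out through the uplink.
pass in on $int_if from $workstations to any keep state
pass out on $ext_if keep state

# sshd on the firewall itself: reachable only from the admin table.
# Anything else hitting port 22 falls through to "block log all".
pass in on $ext_if proto tcp from <ssh_admins> to ($ext_if) port 22 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the `-n` parse-only run catches syntax errors without touching the live ruleset. Because the SMTP block is logged, a workstation that starts spamming shows up immediately in `tcpdump -n -e -ttt -i pflog0 port 25`, which is the "worry a bit less" property Jon describes.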