Date:      Sun, 4 Mar 2001 16:48:08 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Mike Meyer" <mwm@mired.org>
Cc:        <questions@FreeBSD.ORG>
Subject:   RE: FreeBSD Firewall vs. Black Ice
Message-ID:  <005401c0a50d$f25b4700$1401a8c0@tedm.placo.com>
In-Reply-To: <15010.26348.659989.455852@guru.mired.org>

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Mike Meyer
>
>This is why you run two firewalls.  One does little more than your
>basic $100 Linksys box, and sits between your internal network and the
>rest of the world. Your service boxes sit outside of it, in the
>dmz. The second firewall sits between those and the internet
>proper. No connections go from the outside world to the internal
>network (and very little from the dmz to the internal network). You

Not always possible.

>then set the world up so that the service boxes are *generated* from
>data on the internal box. Not backed up, but built. When one of the
>goats gets compromised, you close the hole in the build data, install
>a new OS and rebuild from the internal data.
>

Setting up a DMZ and dual firewalls is a component of effective
security if you're going to be offering services, but you can't get
away from the complexity.  A DMZ/dual firewall situation is not
simple, which is my point - you can't have a simple/easy firewall
without giving something up.  If you don't want to pay for it,
either in terms of investing your time to do it right, or
investing your money to have someone do it for you, then a dual
firewall situation isn't going to help that.

>> >Personally I'd rather err on the safe side, but Microsoft has shown
>> >by its continued existence that the world thinks otherwise. IOW MS
>> >groks the world, sad as it may be.
>> Remember that Microsoft products are designed for internal corporate use,
>> not external Internet server production use.  Internal corporate networks
>> are generally more friendly than the public Internet.
>
>That isn't sufficient explanation for their continuing to ship LookOut
>with the virus-enabling - uh, script-enabling - tools turned on by
>default. Unless you disallow external mail, you get as much exposure
>to mail problems inside as you do outside.
>

Remember Microsoft's world view of e-mail.  In their frame of reference, if
you want to build an Enterprise mail system, you DON'T run
Outlook Express, and on your regular Outlook clients, you run
Exchange Connector going to an Exchange server.  Microsoft doesn't
themselves produce virus-filtering software, and as such one of their
standing recommendations when putting in an Exchange server is to load
anti-virus on the Exchange server if you're going to do Internet mail.

From their view, people running Outlook or Outlook Express with the Internet
Mail connector are doing it entirely at their own risk,
and are NOT running an Enterprise mail system.  A mail system like what we
install, where a BSD mailserver is used with Outlook Express clients, is
something that they are either actively against, or at the least, doing
nothing to help come about.

It's a simple matter to patch Sendmail to filter .vbs and .scr attachment
files.  At the ISP I work at we have been doing this for a year and a half,
and it has effectively protected our customers from all of the script viruses
that have made the rounds.

When designing a firewall I frankly don't consider virus protection to be a
valid part of it.  Why?  Because some of the most damaging viruses aren't
introduced via the network, but through infected floppies that originate
from home or elsewhere.  Any organization that's serious about virus
protection should be running anti-virus right on the desktops, and if they
are running the current Norton products on Win98/ME/2K, those virus products
can be installed to filter incoming and outgoing Internet mail.

Anyway, I agree with you that script processing shouldn't be shipped enabled
from the factory, but that's because I want to use BSD mailservers with free
Microsoft e-mail clients.  I do recognize,
however, that since enabling script processing on the Microsoft mail clients
isn't a problem if you're using Microsoft mailserver products, Microsoft has a
perfectly valid point of view as to why there's not a problem with shipping
mail clients with script processing enabled.
I also recognize that when I set up a mail system with Microsoft mail
clients and a BSD server, Microsoft isn't being compensated for the
effort they spent developing the mail client software.  So, if I'm going to take
advantage of the free Microsoft mail clients without compensating them, I
had better not complain about their deficiencies.


Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com
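The attachment filter described in the message above (refusing .vbs and .scr files at the mail server) is easy to reproduce. What follows is an added example written for this page; it is not the poster's Sendmail patch and not code from the FreeBSD project. It uses only Python's standard library, and the two messages it scans are constructed here for illustration. It does more than a plain suffix match: it takes the filename from whichever header the client used, decodes RFC 2231 encoded names, and normalizes upper-case extensions, Windows path prefixes and trailing padding, because those are the usual ways a name-based filter gets bypassed.

```python
"""Reject mail that carries .vbs or .scr attachments, as the message above
describes doing at the mail server. Added example for this page; standard
library only."""
import email
from email import policy

# Extensions named in the message above. Extend for your own environment.
BLOCKED_EXTENSIONS = {".vbs", ".scr"}


def final_extension(name):
    """Return the last dotted suffix of an attachment name, lower-cased.

    Normalizes the tricks that defeat a naive endswith() check:
    upper-case extensions, a Windows path prefix, and trailing spaces or
    dots (Windows drops those before deciding how to open the file).
    'invoice.txt.vbs' -> '.vbs'; 'readme' -> ''.
    """
    name = name.strip().lower()
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop directory part
    name = name.rstrip(". ")
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[-1].strip()


def blocked_attachments(raw_message, blocked=BLOCKED_EXTENSIONS):
    """Parse a raw RFC 822 message and list the attachment names to block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, falls back to
        # Content-Type name=, and decodes RFC 2231 (filename*=) encoding,
        # so all three ways a client advertises a name are covered.
        name = part.get_filename()
        if name and final_extension(name) in blocked:
            hits.append(name)
    return hits


def should_reject(raw_message):
    """True if the MTA should refuse the message."""
    return bool(blocked_attachments(raw_message))


# Constructed sample messages (not real mail).
CLEAN_MESSAGE = b"""From: alice@example.com
To: bob@example.com
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Report attached.
--b1
Content-Type: text/plain; name="report.txt"
Content-Disposition: attachment; filename="report.txt"

numbers go here
--b1--
"""

# Two attachments: one with an RFC 2231 encoded, upper-cased, double-extension
# name, one that advertises its name only in the Content-Type header.
INFECTED_MESSAGE = b"""From: mallory@example.net
To: bob@example.com
Subject: Re: your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Please open the attached file.
--b2
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=utf-8''readme%2ETXT%2EVBS
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--b2
Content-Type: application/octet-stream; name="setup.scr"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MESSAGE), ("infected", INFECTED_MESSAGE)):
        print(label, "reject" if should_reject(raw) else "accept",
              blocked_attachments(raw))
```

In production this check would sit in the MTA (for Sendmail, the milter interface is the usual hook) and refuse the message when should_reject() is true. Note what it does not do: it judges only the advertised name, so a script inside a .zip, or a file shipped with a harmless extension and renamed on the desktop, gets through; that is the gap the message above fills with anti-virus on the desktops themselves.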


