Date: Tue, 25 Mar 2003 13:46:14 -0600
From: D J Hawkey Jr <hawkeyd@visi.com>
To: nigel.houghton@sourcefire.com
Cc: GiZmen <gizmen@pals.one.pl>, "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject: Re: your mail
Message-ID: <20030325134614.A14445@sheol.localdomain>
In-Reply-To: <Pine.LNX.4.53.0303251405250.388@enterprise.sfeng.sourcefire.com>; from nigel@sourcefire.com on Tue, Mar 25, 2003 at 02:18:24PM -0500
References: <20030325190131.GA3776@blurp.one.pl> <Pine.LNX.4.53.0303251405250.388@enterprise.sfeng.sourcefire.com>

On Mar 25, at 02:18 PM, Nigel Houghton <nigel.houghton@sourcefire.com> wrote:
>
> You might want to enable ipfw (or some firewall of your choice) and employ
> the judicious use of rules. Use Snort to monitor the network. The thing
> is, it really all depends on your setup, do you use a single host or do
> you have a small home network, do you serve up web sites or run a mail
> server, do you require remote access to your hosts or local only? All
> these things (and many others) have an impact on what you should be
> looking at to secure your environment.

"Might want to enable [a firewall]..." ?! IMHO, you _must_ employ a
firewall! The 'net is not the friendly, trusted, and scholastic environment
it once was. Even Microsquish(tm) put one in XP Home Edition; if _they_
think it must be done, well... ;-,

I filter outgoing packets too, and I know others that do as well, but
maybe we're just over-zealous.

You might want to look at Tripwire. It's not necessarily "light-weight",
but it's good.

Mail filters are a must now, if you ask me. Spam accounts for the
majority of incoming mail anymore in an unfiltered environment.

Don't use NFS or Samba on a public interface. That just begs for trouble.
Ditto FTP and telnet. Use SSH, and keep the allowable hosts lists
short and trustable.

> My advice would be to think about what you want to achieve, write down
> everything you want to do and explore solutions. Google is your friend.

Yes, planning is everything. "Measure twice, and cut once." Think
about a DMZ if you're going to advertise public web, mail, etc., servers.

These opinions are not of my employers', as I currently don't have one.

Dave
--
______________________ ______________________
\__________________ \ D. J. HAWKEY JR. / __________________/
\________________/\ hawkeyd@visi.com /\________________/
http://www.visi.com/~hawkeyd/
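
The advice above about keeping NFS, Samba, FTP and telnet off a public interface can be checked against a host's listening sockets. The following is an added example, not part of the original message: a small Python audit over `sockstat -4 -l` output, where the sample output, the address 203.0.113.5 and the function name `exposed_services` are constructed for illustration.

```python
# Services the message says not to offer on a public interface, keyed by port.
RISKY_PORTS = {
    21: "FTP",
    23: "telnet",
    137: "Samba", 138: "Samba", 139: "Samba", 445: "Samba",
    2049: "NFS",
}

# Constructed sample of `sockstat -4 -l` output (not taken from a real host).
# 203.0.113.5 stands in for the public address, 192.168.1.10 for the LAN side.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
root     inetd      430   5  tcp4   *:21                  *:*
root     inetd      430   6  tcp4   203.0.113.5:23        *:*
root     smbd       611   20 tcp4   192.168.1.10:139      *:*
root     nfsd       388   3  tcp4   *:2049                *:*
root     sendmail   450   4  tcp4   127.0.0.1:25          *:*
"""

def exposed_services(sockstat_text, public_addrs):
    """Return (command, service, local address) for each risky listener that is
    reachable on a public address. A wildcard bind (*) covers every interface,
    so it counts as exposed even when no public address is listed."""
    findings = []
    for line in sockstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        command, local = fields[1], fields[5]
        host, _, port = local.rpartition(":")
        if not port.isdigit():          # header row or malformed line
            continue
        service = RISKY_PORTS.get(int(port))
        if service and (host == "*" or host in public_addrs):
            findings.append((command, service, local))
    return findings

if __name__ == "__main__":
    for command, service, local in exposed_services(SAMPLE, {"203.0.113.5"}):
        print(f"{service} ({command}) is listening on {local}")
```

On the sample, FTP and NFS are flagged because they bind to every interface and telnet because it binds to the public address, while Samba bound only to the LAN address is not.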
