Why you need a firewall
Derek Atkins
warlord at MIT.EDU
Thu Oct 24 13:42:32 EDT 2002
Chris Tresco <rardoe at rarcom.com> writes:
> You could argue the same for a Windows box... if maintained correctly,
> it doesn't need a firewall. But alas...
No, there is just no way to secure SMB on a Windows box, and frankly
there is no way to know what apps are "autorun" on a Windows box.
I've heard of applications that install _AND RUN_ IIS for you,
automatically! Which means you may not even know you're running it.

That would/could never happen on Linux. There are secure file
systems, secure network authentication systems, and service lockdown
methodologies for Linux (and BSD, and Solaris, and...) which result
in a MUCH more stable and secure operating environment.

In general, firewalls only get in the way and reduce productivity.
There are a _few_ cases where a minimal packet filter is useful.

-derek
> On Thu, 2002-10-24 at 12:29, Derek Atkins wrote:
> > Yes, but the vast majority of those probes are against Windows..
> > Yes, you need a firewall to protect the Internet from Windows (no,
> > I do not look at it the other way around! ;)
> >
> > However, I still maintain that a properly-maintained Linux box does
> > not need a firewall.
> >
> > -derek
> >
> > Chris Tresco <rardoe at rarcom.com> writes:
> >
> > > Something to add...
> > >
> > > A lot of users out there would be absolutely flabberghasted (sp?) at the
> > > number of times per day my Linux box acting as a router/firewall for my
> > > ATT Broadband cable connection is probed or attacked. I run snort to
> > > log these things... I honestly get at least 100 attack attempts and
> > > probes per day.... it only takes one of these to work successfully for
> > > someone to be compromised.
> > >
> > >
> > >
> > > On Thu, 2002-10-24 at 11:48, David Kramer wrote:
> > > > I'm sure most of you heard that on Tuesday, the internet's root DNS servers
> > > > were crippled by a Denial Of Service (DOS) attack, where the machines were
> > > > flooded with endless garbage IP packets so the real DNS requests couldn't get
> > > > through.
> > > >
> > > > What I recently learned, though, is this was really a Distributed Denial Of
> > > > Service (DDOS) attack. That means that hackers hacked into hundreds of other
> > > > people's home computers and then remotely commanded them all to attack the
> > > > root DNS servers at the same time, probably without the owners' knowledge.
> > > >
> > > > What I'm trying to point out here is that it's easy to say "well, I don't have
> > > > any important data on my machine hooked up to a cablemodem or DSL line, so I
> > > > don't need a firewall", but that doesn't mean your machine can't be used by
> > > > hackers to hurt others.
> > > >
> > > > -------------------------------------------------------------------
> > > > DDDD David Kramer http://thekramers.net
> > > > DK KD
> > > > DKK D "Where's the kaboom? There was supposed to be an
> > > > DK KD earth-shattering kaboom."
> > > > DDDD - Marvin the Martian
> > > > _______________________________________________
> > > > Discuss mailing list
> > > > Discuss at blu.org
> > > > http://www.blu.org/mailman/listinfo/discuss
> > > >
> > >
> > >
> >
> > --
> > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > Member, MIT Student Information Processing Board (SIPB)
> > URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> > warlord at MIT.EDU PGP key available
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available