security setup without firewall? - Security



Thread: security setup without firewall?

  1. security setup without firewall?

    hi

    I have been hearing from different sources that a truly good security
    setup does not require a firewall. Of course that depends on the
    situation for the system. But if one considers a single home computer,
    is it plausible to have basic security without a firewall?

    The reason I am asking is that I am looking for the simplest way to
    centrally control which ports are open and for which addresses. The
    problem is that most firewall systems on Linux are pretty complex, e.g.
    shorewall, and that makes it difficult to make them work properly.

    I was initially thinking that setting hosts.deny/allow would cover a lot
    of ground. When I tested it, by setting deny: ALL:ALL, I found that
    SSH was affected but http was not. I also found that nmap finds all the
    ports open. This suggests to me that if I don't use a firewall I have to
    separately configure all the different services to make a basic security
    config.

    So the question is, is there a single file such as allow/deny that can
    be used to control visibility of ports and access in an easy way, or is
    a firewall the only real option for this (which means that I would have
    to throw out shorewall and just use iptables directly)?

    tom

  2. Re: security setup without firewall?

    Tom Forsmo wrote:

    > I have been hearing from different sources that a truly good security
    > setup does not require a firewall. Of course that depends on the
    > situation for the system. but if one considers a single home computer,
    > is it plausible to have basic security without a firewall?


    This philosophy requires that you maintain your system perfectly. That you
    are always on top of your updates and that you make no mistakes that would
    allow hackers into your system. Even on a home system, a firewall will add
    an extra level of protection that makes it more difficult for a single
    mistake to compromise a system.

    For example, a person once advised someone who wanted only to check
    locally delivered mail on their system to install a POP server on the
    system. If the user followed this advice, a service port would be opened
    that could give a possible point of attack for a hacker even if the user
    never actually intended to use POP to access the mail remotely. With a
    firewall installed, the POP port would also need to be opened for a
    hacker to get access to the port.

    BTW, shorewall is not the firewall, it is a method of configuring the
    firewall. If you want a relatively easy front end, try Guarddog.

    http://www.simonzone.com/software/guarddog/

  3. Re: security setup without firewall?

    On 2006-12-09, left_coast wrote:
    >
    > BTW, shorewall is not the firewall, it is a method of configuring the
    > firewall. If you want a relatively easy front end, try Guarddog.
    >
    > http://www.simonzone.com/software/guarddog/


    ......or Arno's iptables firewall script. You edit the config script,
    it configures iptables. It starts with everything closed but stateful
    http and email and you open things as needed. Even a dummy like me
    can figure it out.

    http://rocky.molphys.leidenuniv.nl/

    nb

  4. Re: security setup without firewall?

    Tom Forsmo wrote:

    > hi
    >
    > I have been hearing from different sources that a truly good security
    > setup does not require a firewall. Of course that depends on the
    > situation for the system. but if one considers a single home computer,
    > is it plausible to have basic security without a firewall?
    >
    > The reason I am asking is that I am looking for the simplest way to
    > centrally control which ports are open and for which addresses. The
    > problem is that most firewall systems on linux are pretty complex, e.g.
    > shorewall, and that makes it difficult to make it work properly.
    >
    > I was initially thinking that setting hosts.deny/allow would cover a lot
    > of ground. When I tested it, by setting deny: ALL:ALL, I found that
    > SSH was affected but http was not. I also found that nmap finds all the
    > ports open. This suggests to me that if I don't use a firewall I have to
    > separately configure all the different services to make a basic security
    > config.
    >
    > So the question is, is there a single file such as allow\deny that can
    > be used to control visibility of ports and access in an easy way, or is
    > a firewall the only real option for this (which means that I would have
    > to throw out shorewall and just use iptables directly)


    Hello Tom. You don't have to "throw out" shorewall (I never used it) or
    any other utility, but it is still good to know how to add or modify
    iptables rules (from the command line if necessary). Depending on your OS
    and what is available, you probably have several GUI options. When you
    say "centrally control", I understand *remotely control* several systems.
    And that means "remotely". Your host* files are very useful here.

    A firewall is not *strictly* required, if all accessible services are
    properly protected. The point is that you want to block incoming UDP to
    listening services that is not desirable, and block incoming TCP that is
    not a connection you want. Those are most easily assured with a firewall.

    Much more knowledge is required to set each service individually to be
    immune to intrusion. As needed, you will need to do that step by step.
    You should do that anyway, firewall or no. And the most general, is that
    if you don't need to expose a service to the world, then don't even have
    it listening or even running.

    Until you know how to find, stop and/or protect those "listening"
    processes, you still need a firewall. There is no "one size fits all"
    solution to security. If you run a service accessible by the world, then
    you need to understand and monitor that service if you want security.

    Theoretically, a firewall is unnecessary. In practical terms, for the
    effort and value involved, a firewall is the cheapest, easiest, most
    effective cover-all security solution. That doesn't preclude using layers
    (many layers) of redundant security. Actually, many layers are best.
    Look for and implement them.

    For controlling open ports and from where they can be accessed, iptables
    (netfilter) is what you want.

    Best wishes.
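    The "single file" the original poster is after can be exactly this: one
    short allow table that says which ports are reachable from which
    networks, with everything else dropped by the default policy. The script
    below is an added example for this thread, not code from any of the
    posters; the ALLOW table is constructed sample data (LAN 192.168.1.0/24,
    VPN 10.8.0.0/24, and rpcbind on port 111 kept local-only), and it emits
    the iptables commands so they can be reviewed before being applied.

```python
"""Default-deny INPUT policy generated from one short allow list.

Added example for this thread, not code from any of the posters. The
ALLOW table below is constructed sample data: it is the "single file"
that says which ports are reachable and from which networks; everything
else is dropped by the default policy, so a service that is only used
locally never shows up in an external port scan.
"""
import ipaddress
import subprocess

# (port, protocol) -> source networks allowed to reach it.
# An empty list keeps the service local-only (nothing to add: the
# default policy already drops it); "0.0.0.0/0" opens it to the world.
ALLOW = {
    (22, "tcp"): ["192.168.1.0/24", "10.8.0.0/24"],  # ssh: LAN and VPN only
    (80, "tcp"): ["0.0.0.0/0"],                      # web server, public
    (111, "tcp"): [],                                 # rpcbind: local only
    (111, "udp"): [],
}


def build_rules(allow=ALLOW, chain="INPUT"):
    """Return the iptables commands (argv lists) for a default-deny policy."""
    rules = [
        ["iptables", "-P", chain, "DROP"],             # drop anything not allowed below
        ["iptables", "-F", chain],                      # start from an empty chain
        ["iptables", "-A", chain, "-i", "lo", "-j", "ACCEPT"],
        # replies to connections this host opened itself (browsing, mail)
        ["iptables", "-A", chain, "-m", "state", "--state",
         "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]
    for (port, proto), sources in sorted(allow.items()):
        for src in sources:
            ipaddress.ip_network(src)  # ValueError on a typo, before anything is applied
            rules.append(["iptables", "-A", chain, "-p", proto, "-s", src,
                          "--dport", str(port), "-j", "ACCEPT"])
    return rules


def render(rules):
    """Render the commands as a shell script for review before applying."""
    return "\n".join(" ".join(cmd) for cmd in rules) + "\n"


def apply_rules(rules):
    """Apply the rules in order (needs root). Not invoked by the checks below."""
    for cmd in rules:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    print(render(build_rules()))
```

    Run it without root to print the ruleset and read it; only call
    apply_rules() once the printed rules look right. The ESTABLISHED,RELATED
    rule is what lets the laptop keep browsing and fetching mail while every
    unsolicited inbound packet is dropped, and an entry with an empty source
    list (rpcbind here) needs no rule at all because the policy already hides
    it.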

  5. Re: security setup without firewall?

    In comp.os.linux.security Tom Forsmo :
    > hi


    > I have been hearing from different sources that a truly good security
    > setup does not require a firewall. Of course that depends on the
    > situation for the system. but if one considers a single home computer,
    > is it plausible to have basic security without a firewall?


    Sure, you don't need a firewall at all, if you know what you are
    doing. Since you ask, it is obvious you don't have the required
    skills to do so until now.

    > The reason I am asking is that I am looking for the simplest way to
    > centrally control which ports are open and for which addresses. The
    > problem is that most firewall systems on linux are pretty complex, e.g.
    > shorewall, and that makes it difficult to make it work properly.


    No they aren't, it is just that you didn't spend the required time to
    dig deeper into it. Using one or another helper app to set up
    iptables will not teach you much if anything.

    There are quite a few great iptables HOWTOs (www.tldp.org), which
    explain in detail how packets traverse the Linux built-in
    firewall. If you get these basics it isn't that difficult anymore.

    > I was initially thinking that setting hosts.deny/allow would cover a lot
    > of ground. When I tested it, by setting deny: ALL:ALL, I found that
    > SSH was affected but http was not. I also found that nmap finds all the


    Just because your sshd was likely per distro package compiled
    with support for tcp_wrappers. Apache isn't usually, since mostly
    the purpose of some http server is to let people view stuff and
    apache has its own layers of access control which are IIRC finer
    grained than the additional access control sshd has built in.
    Apart from the huge security difference from shell access to http
    access.

    > ports open. This suggests to me that if I don't use a firewall I have to
    > separately configure all the different services to make a basic security
    > config.


    > So the question is, is there a single file such as allow\deny that can
    > be used to control visibility of ports and access in an easy way, or is
    > a firewall the only real option for this (which means that I would have
    > to throw out shorewall and just use iptables directly)


    Dunno why you are scared about the visibility of ports? If you
    don't run anything on them, there is no problem.

    In short security is like an onion, the more layers you have the
    better, if one should fail, usually due to misconfiguration you
    still have more protecting you.

    The easiest especially looking at sshd, is to deny direct root
    logins at first. Probably one reason people get cracked, sshd
    running open to the internet with direct root logins enabled. Any
    attacker doesn't have to guess a user name but can just go on
    trying to login as root with some dictionary attack tool. Now if
    your root password is trivial you have already lost your machine.

    Good luck

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 191: Just type 'mv \* /dev/null'.
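    The reply above explains why "ALL: ALL" in hosts.deny stopped sshd but
    not Apache: tcp_wrappers only governs daemons linked against libwrap,
    and the firewall is what covers the rest. The evaluator below is an
    added example for this thread, not code from any poster or from the
    tcp_wrappers project; it implements the documented lookup order (a match
    in hosts.allow grants, otherwise a match in hosts.deny denies, otherwise
    access is granted) for a simplified pattern set (ALL, exact daemon
    names, trailing-dot IP prefixes, CIDR networks and exact IPv4 addresses;
    EXCEPT, hostnames and IPv6 are assumed absent). The two config texts
    and the set of wrapped daemons are constructed sample data.

```python
"""hosts.allow / hosts.deny evaluation, and why it only covers wrapped daemons.

Added example for this thread, not from any poster or from tcp_wrappers.
Simplifications (assumptions): patterns are ALL, exact daemon names,
trailing-dot prefixes like "192.168.1.", CIDR networks and exact IPv4
addresses; no EXCEPT clauses, hostnames, IPv6 or shell_command options.
"""
import ipaddress

# Constructed sample configuration: deny everything, then re-open sshd
# for the LAN prefix and the VPN network only.
HOSTS_ALLOW = """
# /etc/hosts.allow
sshd: 192.168.1. 10.8.0.0/24
"""
HOSTS_DENY = """
# /etc/hosts.deny
ALL: ALL
"""
# Only daemons built against libwrap consult these files at all
# (sshd on most distros does; a typical Apache build does not).
WRAPPED = {"sshd"}


def _parse(text):
    """Return a list of (daemon_patterns, client_patterns) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed entry: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        entries.append((daemons, clients))
    return entries


def _client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # "192.168.1." prefix form
        return client_ip.startswith(pattern)
    if "/" in pattern:                         # CIDR form
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip                # exact address


def _matches(entries, daemon, client_ip):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(_client_matches(c, client_ip) for c in clients)
        for daemons, clients in entries
    )


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """libwrap decision: allow wins, then deny, then default allow."""
    if _matches(_parse(allow_text), daemon, client_ip):
        return True
    if _matches(_parse(deny_text), daemon, client_ip):
        return False
    return True


def reachable(daemon, client_ip, wrapped, allow_text, deny_text):
    """Whether a client reaches the daemon when no firewall is in front of it."""
    if daemon not in wrapped:
        return True   # an unwrapped service never reads hosts.deny
    return hosts_access(daemon, client_ip, allow_text, deny_text)


if __name__ == "__main__":
    for daemon, client in [("sshd", "192.168.1.5"), ("sshd", "203.0.113.9"), ("httpd", "203.0.113.9")]:
        print(daemon, client, reachable(daemon, client, WRAPPED, HOSTS_ALLOW, HOSTS_DENY))
```

    The httpd case is the one the original poster observed: with the same
    "ALL: ALL" deny rule the unwrapped web server still answers every
    client, which is exactly the gap a packet filter closes without
    touching each service's own configuration.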

  6. Re: security setup without firewall?

    notbob wrote:
    > On 2006-12-09, left_coast wrote:
    >> BTW, shorewall is not the firewall, it is a method of configuring the
    >> firewall. If you want a relatively easy front end, try Guarddog.
    >>
    >> http://www.simonzone.com/software/guarddog/

    >
    > .....or Arno's iptables firewall script. You edit the config script,
    > it configures iptables. It starts with everything closed but stateful
    > http and email and you open things as needed. Even a dummy like me
    > can figure it out.
    >
    > http://rocky.molphys.leidenuniv.nl/


    Thanks, I will have a look at them.

    tom

  7. Re: security setup without firewall?

    responder wrote:

    > Hello tom. You don't have to "throw out" shorewall (i never used it) or
    > any other utility, but it is still good to know how to add or modify
    > iptables rules (from command line if necessary). Depending on your OS and
    > what is available, you probably have several GUI options. When you say
    > "centrally control", I understand *remotely control* several systems. And
    > that means "remotely". Your host* files are very useful here.


    Sorry, I may have been a bit unclear by saying central control; what I
    meant was a single file or similar which controls in a simple way which
    ports are open and which are not. Shorewall is very complicated and
    almost every time I use it I make mistakes, and spend lots of time
    reading its documentation to try to understand what I did wrong. This
    applies mostly to a bit more advanced setups, such as for VPN and IP
    masquerading. So I am looking for a simple solution. I thought using
    hosts.allow/deny could be that solution, but apparently it is not.

    > Theoretically, firewall is unnecessary. In practical terms, for the
    > effort and value involved, firewall is the cheapest, easiest, most
    > effective cover-all security solution. That doesn't preclude using layers
    > (many layers) of redundant security. Actually, many layers are best.
    > Look for and implement them.


    For the services I will expose, I definitely will, but for the services
    I only use locally I don't think I will spend much time on the extra
    layer; it's just easier to block the port with the firewall.

    > For controlling open ports and from where they can be accessed, iptables
    > (netfilter) is what you want.


    Thanks for your input.

    tom

  8. Re: security setup without firewall?

    Michael Heiming wrote:
    > In comp.os.linux.security Tom Forsmo :


    First of all, for this particular question, it's about protecting a
    laptop, which I bring with me to customers and connect to potentially
    unsafe networks.

    > No they aren't, it is just you didn't spend the required time to
    > dig deeper into it. Using one or another helper app to setup
    > iptables will not teach you much if anything.


    Don't be so harsh, it may not be suitable for you, but it is for me.
    There are many things about Linux I don't spend too much time on, I just
    want them to work, e.g. USB ports, Bluetooth. Linux is complicated enough,
    so I spend time on the parts that matter to me. Right now, that would be
    to clear up a couple of things about firewall-based security I have been
    wondering about for some time.

    > There are quite a few great iptables howto (www.tldp.org), which
    > explain in detail how packets traverse the Linux built in
    > firewall. If you get these basics it isn't that difficult anymore.


    You are missing the point, which is: to which degree a firewall is
    needed, how well the alternative solutions work and the effort they
    require. I have some thoughts on it, but I wasn't really sure, that's why
    I asked. So, I won't be able to answer my own question much better by
    reading about all the details of how a firewall works or how to set it up.

    > Just because your sshd was likely per distro package compiled
    > with support for tcp_wrappers. Apache isn't usually, since mostly
    > the purpose of some http server is to let people view stuff and
    > apache has its own layers of access control which are IIRC finer
    > grained than the additional access control sshd has built in.
    > Apart from the huge security difference from shell access to http
    > access.


    I gathered as much, but the point was that it was an example which
    showed that it does not control port access the way I thought, i.e. as a
    controller of all access to all ports independent of tcp_wrappers.

    > Dunno why you are scared about the visibility of ports? If you
    > don't run anything on them, there is no problem.


    But for the services I do run I don't necessarily want them to be visible
    to everyone; for example, there is no point in announcing to the world
    that my rpcbind port is open.

    > In short security is like an onion, the more layers you have the
    > better, if one should fail, usually due to misconfiguration you
    > still have more protecting you.


    But by closing the externally visible ports of services I will be using
    locally only, I can reduce the effort I need to keep the system
    reasonably safe. I will of course configure the services that do need
    global exposure, even the ones that only need it temporarily, so
    they are reasonably safe when the firewall port is open.

    > The easiest especially looking at sshd, is to deny direct root
    > logins at first. Probably one reason people get cracked, sshd
    > running open to the internet with direct root logins enabled. Any
    > attacker doesn't have to guess a user name but can just go on
    > trying to login as root with some dictionary attack tool. Now if
    > your root password is trivial you have already lost your machine.


    I have sshd set up with no root login and an explicit list of user
    accounts allowed to log in. I found out a year ago that after I installed
    an Oracle DB, it installed an oracle account. So when the infamous
    internet port scanners visited my machine, they found sshd and tried a
    couple of hundred different standard user account names, including the
    oracle account, with all the standard passwords. Fortunately none of the
    passwords they tried worked.

    tom
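    The two sshd settings Tom describes here (no root login, an explicit
    list of accounts allowed to log in) are easy to state and easy to lose
    in a long sshd_config, so a check that reads the file the way sshd does
    is worth having. The script below is an added example for this thread,
    not code from any poster or from OpenSSH; it applies the documented
    first-occurrence-wins rule for the global section and assumes no Match
    blocks (it stops reading at the first one). Both config texts are
    constructed samples.

```python
"""Audit an sshd_config for the two settings discussed in the thread.

Added example for this thread, not from any poster or from OpenSSH.
Assumption: only the global section is evaluated (parsing stops at the
first Match block), and keywords are matched case-insensitively with the
first occurrence winning, as sshd_config(5) describes.
"""

# Constructed samples: a default-ish file with the risky settings, and a
# hardened one with a duplicate later line that sshd would ignore.
WEAK_CONFIG = """
Port 22
#PermitRootLogin no     <- commented out, so it does not count
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
AllowUsers tom backup
PermitRootLogin yes     # second occurrence: ignored, first one wins
"""


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global section."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                              # per-client overrides not modelled here
        conf.setdefault(key, value)            # first occurrence wins
    return conf


def audit_sshd_config(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_sshd_config(text)
    findings = []
    if conf.get("permitrootlogin", "").lower() != "no":
        findings.append(
            "PermitRootLogin is not 'no': password guessing can target root "
            "directly without knowing any user name")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append(
            "no AllowUsers/AllowGroups: every local account, including ones "
            "created by installed software, may attempt to log in")
    return findings


if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(name, audit_sshd_config(text) or ["ok"])
```

    The AllowUsers check is the one that would have covered the oracle
    account story: an account the database installer created is still a
    login target for a scanner, but it is not on the allow list, so sshd
    refuses it before any password is even compared.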

  9. Re: security setup without firewall?

    left_coast wrote:
    > Tom Forsmo wrote:
    >
    >> I have been hearing from different sources that a truly good security
    >> setup does not require a firewall. Of course that depends on the
    >> situation for the system. but if one considers a single home computer,
    >> is it plausible to have basic security without a firewall?

    >
    > This philosophy requires that you maintain your system perfectly. That you
    > are always on top of your updates and that you make no mistakes that would
    > allow hackers into your system. Even on a home system, a firewall will add
    > an extra level of protection that makes it more difficult for a single
    > mistake to compromise a system.


    This is what I suspected, thanks for clearing it up for me.

    > BTW, shorewall is not the firewall, it is a method of configuring the
    > firewall. If you want a relatively easy front end, try Guarddog.
    >
    > http://www.simonzone.com/software/guarddog/


    fair enough, I will have a look at it.

    tom

  10. Re: security setup without firewall?

    In comp.os.linux.security Tom Forsmo :
    > Michael Heiming wrote:
    >> In comp.os.linux.security Tom Forsmo :

    [..]

    >> No they aren't, it is just you didn't spend the required time to
    >> dig deeper into it. Using one or another helper app to setup
    >> iptables will not teach you much if anything.


    > Don't be so harsh, it may not be suitable for you, but it is for me.


    There was nothing harsh about it; if speaking out as it seems is
    too harsh for you, better not post to Usenet.

    > There are many things about Linux I don't spend too much time on, I just
    > want them to work, e.g. USB ports, Bluetooth. Linux is complicated enough,


    No it isn't at all, you seem just not used to it enough.

    [..]

    > I have sshd set up with no root login and explicit list of user accounts
    > allowed to login. I found out a year ago that after I installed an
    > oracle db, it installed an oracle account. So when the infamous internet
    > port scanners visited my machine, it found sshd and tried a couple of
    > hundred different standard user account names, including the oracle
    > account, with all the standard passwords. Fortunately none of the
    > passwords they tried worked.


    You just don't run an Oracle DB on a machine with ssh open to the
    internet; you usually don't even run such a beast inside some DMZ,
    it should be avoided.

    Good luck

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 75: There isn't any problem

  11. Re: security setup without firewall?

    Michael Heiming wrote:
    > In comp.os.linux.security Tom Forsmo :
    >> Michael Heiming wrote:
    >>> In comp.os.linux.security Tom Forsmo :

    > [..]
    >
    >>> No they aren't, it is just you didn't spend the required time to
    >>> dig deeper into it. Using one or another helper app to setup
    >>> iptables will not teach you much if anything.

    >
    >> Don't be so harsh, it may not be suitable for you, but it is for me.

    >
    > There was nothing harsh about it; if speaking out as it seems is
    > too harsh for you, better not post to Usenet.


    My point is that you have your preferences about what is important and I
    have mine. For you to demand that I have the same preferences as you
    have, or that I must attack a task with the same perseverance and
    earnestness as you, is a bit harsh if not a bit disrespectful.

    >
    >> There are many things about Linux I don't spend too much time on, I just
    >> want them to work, e.g. USB ports, Bluetooth. Linux is complicated enough,

    >
    > No it isn't at all, you seem just not used to it enough.


    Well, it is if you don't know it. But in any case, why do you think that
    is? The short answer is, I don't need to spend that much time on it,
    because my task is systems development, not Linux sysadmin. That is why
    I leave those more advanced issues to guys like you who do want to spend
    all their time with these issues.

    Simply put, that is why you probably are an expert Linux sysadmin and I
    am an expert systems developer and not the other way around.

    > You just don't run an Oracle DB on a machine with ssh open to the
    > internet; you usually don't even run such a beast inside some DMZ,
    > it should be avoided.


    It's my own home computer which I do development on, so the network and
    security setup is adjusted to what I need, which is not the same need as
    a typical corporation. So, I use my firewall machine as my internal
    server as well, because it's the only machine that is running 24/7.

    tom

  12. Re: security setup without firewall?

    In comp.os.linux.security Tom Forsmo :
    > Michael Heiming wrote:
    >> In comp.os.linux.security Tom Forsmo :
    >>> Michael Heiming wrote:
    >>>> In comp.os.linux.security Tom Forsmo :


    [ Linux difficult? ]

    >> No it isn't at all, you seem just not used to it enough.

    [..]

    > Simply put, that is why you probably are an expert Linux sysadmin and I
    > am an expert systems developer and not the other way around.


    Indeed, you quite often come across commercial software which isn't
    using the distro package format, without any security, full of bugs
    and other floating mines... Of course sold as the latest and greatest
    stuff even if it depends on a bunch of compatibility packages no OSS
    stuff requires...

    This is what happens if marketing drives release changes and
    demands features...

    Good luck

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 53: Little hamster in running wheel had coronary;
    waiting for replacement to be Fedexed from Wyoming

  13. Re: security setup without firewall?

    Michael Heiming wrote:
    > In comp.os.linux.security Tom Forsmo :
    >> Michael Heiming wrote:
    >>> In comp.os.linux.security Tom Forsmo :
    >>>> Michael Heiming wrote:
    >>>>> In comp.os.linux.security Tom Forsmo :

    >
    > [ Linux difficult? ]
    >
    >>> No it isn't at all, you seem just not used to it enough.

    > [..]
    >
    >> Simply put, that is why you probably are an expert Linux sysadmin and I
    >> am an expert systems developer and not the other way around.

    >
    > Indeed, you quite often come across commercial software which isn't
    > using the distro package format, without any security, full of bugs
    > and other floating mines... Of course sold as the latest and greatest
    > stuff even if it depends on a bunch of compatibility packages no OSS
    > stuff requires...
    >
    > This is what happens if marketing drives release changes and
    > demands features...


    You are making general comments about a subject that is not relevant to
    my question. Furthermore, the statement I made is taken out of context
    and cannot be taken to mean I don't care about other things, when
    developing systems, than getting it done.

    tom

  14. Re: security setup without firewall?

    In comp.os.linux.security Tom Forsmo :
    > Michael Heiming wrote:
    >> In comp.os.linux.security Tom Forsmo :
    >>> Michael Heiming wrote:
    >>>> In comp.os.linux.security Tom Forsmo :
    >>>>> Michael Heiming wrote:
    >>>>>> In comp.os.linux.security Tom Forsmo :


    >> [ Linux difficult? ]


    >>>> No it isn't at all, you seem just not used to it enough.

    >> [..]


    >>> Simply put, that is why you probably are an expert Linux sysadmin and I
    >>> am an expert systems developer and not the other way around.


    >> Indeed, you quite often come across commercial software which isn't
    >> using the distro package format, without any security, full of bugs
    >> and other floating mines... Of course sold as the latest and greatest
    >> stuff even if it depends on a bunch of compatibility packages no OSS
    >> stuff requires...


    >> This is what happens if marketing drives release changes and
    >> demands features...


    > You are making general comments about a subject that is not relevant to
    > my question. Furthermore, the statement I made is taken out of context
    > and cannot be taken to mean I don't care about other things, when
    > developing systems, than getting it done.


    I don't know and who cares; if you dislike comments to your
    contributions simply killfile the poster or just stop asking
    Usenet, it is that easy. ;-)

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 54: Evil dogs hypnotised the night shift
