The UK Home Automation Archive

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024


RE: Shuttle & via epia... now firewalls


  • To: <ukha_d@xxxxxxx>
  • Subject: RE: Shuttle & via epia... now firewalls
  • From: "Lee Varga" <lee@xxxxxxx>
  • Date: Wed, 10 Jul 2002 23:38:00 +0100
  • Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
  • Reply-to: ukha_d@xxxxxxx

>>> "Seems a bit of a waste IMO to have 3 - why not combine the internet
>>> gateway/firewall machine with the MP3 jukebox?"
>>
>> Hmmm, some people just don't get it do they...

>If you want to throw away your money on lots of overpowered/underutilised
>hardware then go ahead, but not everyone does.

I don't think using an old 486 (£15 worth?) that I got free is throwing
money away...

>My point was that pc hardware can serve several functions easily and not
>require separate boxes for everything.

If you're going to the trouble of building/using a hardware firewall, then
you may as well do the job properly. Any changes you make to the system
(unless you understand it inside/out - which I doubt most people do) WILL lead
to holes that can be exploited. You may have all your stuff backed up, but
rebuilding systems is a pain, and there are _so_ many other things/toys to
play with rather than fixing current ones. Do the job properly, do it once,
move on.

>Firewall software, simplistically does little more than say "hello packet.
>Do I know you and am I allowed to let you in (or out)?".

There's a fair bit more to it than that. IPCHAINS/IPTABLES basically does
this, SNORT looks for patterns over multiple packets indicating intrusions
into the network, then there's the logging, etc. etc.

>I set permissions on my shares appropriate to the situation - e.g. my media
>files are read only to users in my domain.
>My personal document shares are read/write to me but no access to anyone.
>etc.

Setting files as R/O will slow Mr. Hacker down for a few moments, before he
downloads/wipes them.
Your personal shares won't last that long when he gets admin rights... Then
he'll spam 1,000,000 emails, before launching a DDOS on Amazon and then
destroy everything. If you're lucky. Or he may just leave a backdoor open so
he can pop back when he wants to. Perhaps he'll investigate your servers,
find out what Homeseer is and turn all your taps on and flood the house? OR
download all your personal files?

>Just because I run a firewall does not mean my network is 100% secure, even
>if _nothing_ else is running on the box.

No, but a properly built/configured wall will stop all but the best of 'em.

>I am arguing that it is not always necessary to go for the top security
>system.

True, but if you're going to bother, then do the job properly.

>You are arguing that more security is required to prevent Joe hacker using
>your machine to attack a government system (Wargames anyone?)

Check out http://www.honeynet.org: unadvertised machines getting compromised
15 mins after going online... And according to http://www.theregister.co.uk
today, web attacks are rapidly increasing...

>At least my hardware router is the external 'face' of the lan

Yes, because a bit of NAT is almost as good as a Cisco firewall :

I don't mean to flame Tony, but the net is a dangerous place, and it's
getting worse. The number of automated attack tools grows by the day, so the
'l33t' script kiddies who have no idea about what they are doing/what damage
can be done grows by the day. They just download the attack tool, install
it, run it, it can 1000's of machines per hour, it does all the hard work...
they just sit back and watch the chaos.

If you're serious about your gear and it's connected to the net, build a £15
firewall, do it properly, do it once, move on. Just don't get clever and
cut corners.

Sermon over.
Lee.
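The distinction Lee draws above, between the per-packet "do I know you" check, Snort-style pattern matching across many packets, and logging, as an added Python sketch (not from the original post or any of the tools named; the LAN prefix, addresses, ports and the scan threshold are constructed):

```python
from collections import defaultdict

LAN_PREFIX = "192.168.1."   # constructed LAN; remote addresses below are RFC 5737 test ranges

def is_lan(ip):
    return ip.startswith(LAN_PREFIX)

class Firewall:
    def __init__(self, scan_ports=5, scan_window=2.0):
        self.conntrack = set()              # (lan_ip, lan_port, remote_ip, remote_port)
        self.log = []                       # dropped packets, like iptables -j LOG
        self.alerts = []                    # multi-packet detections, like a Snort alert
        self.probes = defaultdict(list)     # remote_ip -> [(time, dport)] of dropped probes
        self.scan_ports, self.scan_window = scan_ports, scan_window

    def filter(self, pkt):
        """Per-packet verdict for (time, src, sport, dst, dport): the 'hello packet' step."""
        t, src, sport, dst, dport = pkt
        if is_lan(src) and not is_lan(dst):
            self.conntrack.add((src, sport, dst, dport))   # remember the outbound flow
            return "ACCEPT"
        if not is_lan(src) and is_lan(dst):
            if (dst, dport, src, sport) in self.conntrack:
                return "ACCEPT"                            # reply to a flow we started
            self.log.append(f"DROP t={t} {src}:{sport} -> {dst}:{dport}")
            self._check_scan(t, src, dport)
        return "DROP"                                      # unsolicited or unknown: default deny

    def _check_scan(self, t, src, dport):
        """One dropped probe is noise; many distinct ports from one host in the window is a scan."""
        recent = [(pt, p) for pt, p in self.probes[src] if t - pt <= self.scan_window]
        recent.append((t, dport))
        self.probes[src] = recent
        ports = sorted({p for _, p in recent})
        if len(ports) >= self.scan_ports:
            self.alerts.append(f"ALERT portscan from {src}: ports {ports}")

def run(packets):
    fw = Firewall()
    return [fw.filter(p) for p in packets], fw.log, fw.alerts

# Constructed traffic: a LAN web request and its reply, then an outside host probing five ports.
SAMPLE = [(0.0, "192.168.1.10", 40000, "203.0.113.5", 80),
          (0.1, "203.0.113.5", 80, "192.168.1.10", 40000)]
SAMPLE += [(5.0 + 0.2 * i, "198.51.100.7", 5555, "192.168.1.10", port)
           for i, port in enumerate((21, 22, 23, 25, 80))]

if __name__ == "__main__":
    print(*run(SAMPLE), sep="\n")
```

The reply to the LAN's own request gets through on connection state alone, while each unsolicited probe is dropped and logged individually; only the detector looking across the five drops raises the scan alert.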



