RE: Shuttle & via epia... now firewalls
> I don't think using an old 486 (£15 worth?) that I got free
> is throwing money away...
Perhaps not, but the original post referred to 3 via epia based PC's, one
per task, which cost rather more than 15 quid.
> >My point was that pc hardware can serve several functions
> easily and not
> >require separate boxes for everything.
>
> If you're going to the trouble of building/using a hardware
> firewall, then
> you may as well do the job properly. Any changes you make to
See Mark Harrison's post on what a firewall *should* look like.
_that_ is doing the job properly.
Your £15 pc is not.
If you're going to tell someone to do the job properly, then don't hold up
your imperfect system as an example of how to do so!
> >Firewall software, simplistically does little more than say
> "hello packet.
> >Do I know you and am I allowed to let you in (or out)?".
>
> There's a fair bit more to it than that. IPCHAIN/IPTABLES
> basically does
> this, SNORT looks for patterns over multiple packets
> indicating intrusions
> into the network, then there's the logging, etc. etc.
Um...I was simplifying it. That's why there's no need to mention logging
etc.
> >I set permissions on my shares appropriate to the situation
> - e.g. my media
> >files are read only to users in my domain.
> >My personal document shares are read/write to me but no
> access to anyone.
> >etc.
>
> Setting files as R/O will slow Mr. Hacker down for a few
Sorry, I meant the shares on my XP/2k boxes are set to allow users in my
domain Read-Only access to the media files, not that the files were simply
set to be read only.
This is a bit more secure than hoping they don't know how to go right-click,
properties and uncheck the read-only flag :)
> Your personal shares won't last that long when he gets admin
> rights... Then
Of course anybody with admin rights can do anything they like. The thing is
to stop them getting admin rights in the first place.
My hardware firewall/router opening port 80 only to a specific machine is
not the same as going 'look - here's my admin password, and BTW all my NT
shares are open to world too'.
> he can pop back when he wants to. Perhaps he'll investigate
> your servers,
> find out what Homeseer is and turn all your taps on and flood
> the house? OR
Maybe he will find out what homeseer is, but given that I don't have it,
then who cares? :D
> >Just because I run a firewall does not mean my network is
> 100% secure, even
> >if _nothing_ else is running on the box.
>
> No, but a properly built/configed wall will stop all but the
> best of 'em.
Well perhaps they'll look on your 'proper' £15 firewall as more of a
challenge than my lowly hardware firewall and leave mine alone :]
> >I am arguing that it is not always necessary to go for the
> top security
> >system.
>
> True, but if you're going to bother, then do the job properly.
Oh so you _are_ going to go for a full on 3+ machine firewall, utilising
different OS'es and firewall software at each stage?
After all, if _you're_ going to bother, then _you_ do the job properly.
> >You are arguing that more security is required to prevent
> Joe hacker using
> >your machine to attack a government system (Wargames anyone?)
>
> Check out http://www.honeynet.org unadvertised machines
> getting compromised
> 15mins after going online... And according to
Yes, we all know about ppl who get a broadband connection and plug it
straight into their PC with no protection at all.
And we all know there is software out there to scan a range of addresses and
see if there are any open ports at those addresses.
> >At least my hardware router is the external 'face' of the lan
>
> Yes, because bit of NAT is almost as good as a Cisco firewall :
then there's the packet filtering, port blocking, access logging, mac address
restrictions.....
Please don't ridicule a product when you don't even know what it is or what
its capabilities are.
> I don't mean to flame Tony, but the net is a dangerous place, and it's
You do a good job though :>
Yes, net attacks are on the increase.
Yes, ppl do connect their machines to the net without any security in place
Yes, there are ppl running port scanners out there
Yes, in an ideal world, we'd all have a 'proper' firewall that was totally
invulnerable to any kind of attack.
BUT
- Not everyone connects their machines to the net with no security in place
- Not everyone wants or needs the level of protection afforded by a
'proper' firewall.
- Anything less than 'proper' should not be dismissed as totally insecure,
which is implied in your email.
Also, have you considered that by going for a 'proper' firewall (what you
consider 'proper' (a $15 pc - not a multi machine firewall)) you may in fact
increase the likelihood of being attacked?
A l33t hacker discovering your system is reasonably well protected may feel
you have something to hide - otherwise you wouldn't have that level of
protection, so they get to work and crack that puppy open (after all, if
they can deal with firewalls costing tens of thousands of pounds then they
can p*ss all over your cheap solution), get in and, realising there really
is nothing of any interest there, they destroy all your files because they
are so annoyed that _you_ caused them to waste their time hacking your
system when it was a b0ring system anyway.......
> Sermon over.
Thank fcuk for that :]
Let's not start a real flame war. As discussed with others yesterday,
different ppl have different needs and views on the level of network
security you need.
I think this thread has run its course now.
Tony