[rescue] Solaris security
Loomis, Rip
rescue at sunhelp.org
Mon Jul 30 09:16:35 CDT 2001
> -----Original Message-----
> From: David Passmore [mailto:dpassmor at sneakers.org]
> On Sun, Jul 29, 2001 at 12:23:33PM -0400, Brian Hechinger wrote:
>
>>> users tend to punch nasty holes in them when they find
>>> them inconvenient.
>>
>> uhm, you let anyone else touch your firewall rules? not a
>> chance. :)
>
> I advocate TCP wrappers over something like ipfilter for one
> reason; they force you to think about things as services rather
> than as generic IPs and port numbers. It's simpler too, which
> always helps. :)
I advocate TCP wrappers *in addition to* ipfilter in most cases--
because there are many services that TCP wrappers can't protect
without re-compiling (and some that TCP wrappers can't protect
at all)...and a stateful packet filter beats no filter any day.
I also strongly disagree with the idea that firewalls are a
crutch. Firewalls are a tool, but they are a useful part of
defense in depth. If you've got more than about 4 systems then
it's probably worth having a stateful packet filter or an
application-layer gateway to help in the protection...
--
Rip Loomis
Senior Systems Security Engineer, SAIC CIST
Brainbench MVP for Internet Security
http://www.brainbench.com [Transcript 1923411]
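
An added example, not part of the original message: one way to see which inetd-launched services actually sit behind TCP wrappers. It assumes the usual inetd.conf field layout (server program in field 6) and that wrapped services name `tcpd` as that program; the function names and sample entries are constructed. Daemons that inetd does not start never appear here, and those are the ones that need a libwrap build or the packet filter.

```shell
#!/bin/sh
# Classify inetd.conf entries by whether tcpd (TCP wrappers) fronts them.
# Reads inetd.conf-format text on stdin, prints "<status> <service>/<proto>".
classify_inetd() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }     # skip comments, blank and short lines
        {
            svc = $1 "/" $3
            if ($6 == "internal")
                status = "internal"      # handled inside inetd itself
            else if ($6 == "tcpd" || $6 ~ /\/tcpd$/)
                status = "wrapped"       # hosts.allow / hosts.deny apply
            else
                status = "unwrapped"     # daemon is started directly
            print status, svc
        }'
}

# Only the entries that TCP wrappers are not protecting.
unwrapped_services() {
    classify_inetd | awk '$1 == "unwrapped" { print $2 }'
}

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# service type   proto wait   user   server-program    args
telnet    stream tcp   nowait root   /usr/sbin/tcpd    in.telnetd
finger    stream tcp   nowait nobody /usr/sbin/tcpd    in.fingerd
ftp       stream tcp   nowait root   /usr/sbin/in.ftpd in.ftpd
time      stream tcp   nowait root   internal
EOF
}

sample_inetd_conf | classify_inetd
```

On a real system, feed it the live file instead: `classify_inetd < /etc/inetd.conf`.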