[rescue] Solaris security

Loomis, Rip rescue at sunhelp.org
Mon Jul 30 09:16:35 CDT 2001


> -----Original Message-----
> From: David Passmore [mailto:dpassmor at sneakers.org]
> On Sun, Jul 29, 2001 at 12:23:33PM -0400, Brian Hechinger wrote:
> 
>>> users tend to punch nasty holes in them when they find 
>>> them inconvenient.
>> 
>> uhm, you let anyone else touch your firewall rules?  not a 
>> chance. :)
>
> I advocate TCP wrappers over something like ipfilter for one 
> reason; they force you to think about things as services rather
> than as generic IPs and port numbers. It's simpler too, which
> always helps. :)

I advocate TCP wrappers *in addition to* ipfilter in most cases--
because there are many services that TCP wrappers can't protect
without re-compiling (and some that TCP wrappers can't protect
at all)...and a stateful packet filter beats no filter any day.

I also strongly disagree with the idea that firewalls are a
crutch.  Firewalls are a tool, but they are a useful part of
defense in depth.  If you've got more than about 4 systems then
it's probably worth having a stateful packet filter or an
application-layer gateway to help in the protection...

--
Rip Loomis
Senior Systems Security Engineer, SAIC CIST
Brainbench MVP for Internet Security
http://www.brainbench.com  [Transcript 1923411]


