>> In a home network, having everything in one box isn't as risky. For
>>thing, home networks aren't "juicy" targets like company networks are.
This is an extremely incorrect statement, Infact most script kiddies
(which comprise most of the hacking attempts) do huge scans on network
addresses they have no idea who they are hacking, and would hack a home
machine first, you are less likely to get caught or even have the end
user know the system was compromised. Once the home machine is hacked
they will then use it to go after other systems.
From: Jim Gifford [mailto:jim at giffords dot net]
Sent: Tuesday, January 27, 2004 11:49 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Feature request which would make m0n0wall even
On Tue, Jan 27, 2004 at 11:08:50AM -0500, Mark Spieth wrote:
> This is BAD BAD BAD BAD BAD! I can repeat it some more if you want...
> firewall should just be a firewall period end of story. If people
> keep things updated, then it might be a different case, But they
> hell I still see code red attacks out there..
For a company network, the firewall should only do firewall. Separate
secure boxes inside the network should provide additional services.
In a home network, having everything in one box isn't as risky. For one
thing, home networks aren't "juicy" targets like company networks are.
A real world physical example that might put this into perspective:
At the last place I worked, we had proximity access cards. You
needed the card to get in the front door outside of normal hours.
You needed the card to access the stairs and elevator from the
ground floor. You needed the card to access the machine rooms.
There is a complicated alarm system, with dialout and cellular links
to contact the alarm monitoring people.
In my house, I have 1 key that fits both doors, and I keep the
doors locked at all times (aside from during egress/ingress).
I don't have a fancy alarm system. I have one cat that might love
an intruder to death. I have several computers, some expensive home
entertainment equipment, and standard appliances and furniture.
I don't have as strong or as expensive a security setup at home as they
had at work. On the other hand, I have less than 30,000 dollars worth
stuff (that is likely a very high number actually), whereas the company
had several tens of millions of dollars worth of equipment. Their risk
was greater, so their security measures were greater.
> The end result is and will be that these insecure *nix boxes running
> this extra software, will get hacked, now personally if you put extra
> stuff on your firewall and it gets hacked, and the hacker then deletes
> all your companies accounting files so that you don't get a paycheck,
> really could care less, But that won't be the end of it, They will
> use that hacked box to go hacking other peoples boxes including ones I
> manage and that's where I have a problem. You want NTP etc.. Go buy a
> $25.00 PII300 used box and run NTP behind your firewall, no guarantee
> won't get hacked, But your chances are much better than running it,
> samba and a whole mess of other things on your box...
In a home, many people *will not* dedicate 5 computers just for
"infrastructure". 1 or 2 perhaps, but even that is a stretch. m0n0wall
on a soekris has the benefit of looking like a device instead of a
computer. *grin* In a home, people often don't have a DMZ, nor do they
generally need one.
If someone is running a network gateway with a lot of extra services
(including firewall, etc), and they are aware of the risks, then if they
get compromised, they will have to live with that.
I personally will be having my firewall only be a firewall (and once I
get my big server rebuilt, I'll turn off DHCP on the m0n0wall and put it
on the server instead).
Also consider that every extra machine you add has an OS and software
that must be kept up to date. Someone has to manage that machine,
and stay on top of patches. In a company network those costs are
expected. In a home network, most people simply want things to work
without having to spend a lot of time making them work.
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch