[ previous ] [ next ] [ threads ]
 
 From:  "Brandon Holland" <brandon at cookssaw dot com>
 To:  "'Jim Gifford'" <jim at giffords dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Feature request which would make m0n0wall even better ;)
 Date:  Tue, 27 Jan 2004 11:27:46 -0600
I agree with you on this.

My point (pre-sliced) was not that every key network/internet service
should be separate even at home (I actually don't have it that broken
down at work, WINS DNS and DHCP are all on the same server) but instead
that the firewall should be as much of a firewall as it could be.  I'm
using m0n0wall as a cheap security device.  I don't want to download
bl0atwall.  If Manuel or someone else wants bl0atwall they can have it.
I used to use MNF (Mandrake's firewall implementation), and it was
hideously bl0atwall.

(IFNIC: one bad rule crashes the firewall)

That's why I moved to m0n0wall.  It's so clean and simple.  That's what
makes m0n0 so great.  If Grampa wants the other, he can have the other,
but I don't want him ruining the *"powerfully complex simplicity" of
this firewall in the process.  Am I the mailing list leader/developer or
any other "important" or key part of m0n0? No.  I'm just a user.  If you
decide to add extravagant functionality to this "beauty," it won't be my
taste, and I'll find something else.

Would I /do I use those services on other computers? Yes.  I use samba
and the above mentioned services.  Would I want samba on my firewall? I
seriously would reject to such an idea - even at my house - even at my
"grandma's" house.

Would she be using samba in the first place? Probably not.

Brandon

-----Original Message-----
From: Jim Gifford [mailto:jim at giffords dot net] 
Sent: Tuesday, January 27, 2004 10:49 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Feature request which would make m0n0wall even
better ;)

On Tue, Jan 27, 2004 at 11:08:50AM -0500, Mark Spieth wrote:
> This is BAD BAD BAD BAD BAD! I can repeat it some more if you want...
A
> firewall should just be a firewall period end of story. If people
would
> keep things updated, then it might be a different case, But they
won't,
> hell I still see code red attacks out there.. 

For a company network, the firewall should only do firewall.  Separate
secure boxes inside the network should provide additional services.

In a home network, having everything in one box isn't as risky.  For one
thing, home networks aren't "juicy" targets like company networks are.

A real world physical example that might put this into perspective:

    At the last place I worked, we had proximity access cards.  You
    needed the card to get in the front door outside of normal hours.
    You needed the card to access the stairs and elevator from the
    ground floor.  You needed the card to access the machine rooms.
    There is a complicated alarm system, with dialout and cellular links
    to contact the alarm monitoring people.

    In my house, I have 1 key that fits both doors, and I keep the
    doors locked at all times (aside from during egress/ingress).
    I don't have a fancy alarm system.  I have one cat that might love
    an intruder to death.  I have several computers, some expensive home
    entertainment equipment, and standard appliances and furniture.

I don't have as strong or as expensive a security setup at home as they
had at work.  On the other hand, I have less than 30,000 dollars worth
of
stuff (that is likely a very high number actually), whereas the company
had several tens of millions of dollars worth of equipment.  Their risk
was greater, so their security measures were greater.

> The end result is and will be that these insecure *nix boxes running
all
> this extra software, will get hacked, now personally if you put extra
> stuff on your firewall and it gets hacked, and the hacker then deletes
> all your companies accounting files so that you don't get a paycheck,
I
> really could care less, But that won't be the end of it, They will
then
> use that hacked box to go hacking other peoples boxes including ones I
> manage and that's where I have a problem. You want NTP etc.. Go buy a
> $25.00 PII300 used box and run NTP behind your firewall, no guarantee
it
> won't get hacked, But your chances are much better than running it,
> samba and a whole mess of other things on your box...

In a home, many people *will not* dedicate 5 computers just for
"infrastructure".  1 or 2 perhaps, but even that is a stretch.  m0n0wall
on a soekris has the benefit of looking like a device instead of a
computer.  *grin*  In a home, people often don't have a DMZ, nor do they
generally need one.

If someone is running a network gateway with a lot of extra services
(including firewall, etc), and they are aware of the risks, then if they
get compromised, they will have to live with that.

I personally will be having my firewall only be a firewall (and once I
get my big server rebuilt, I'll turn off DHCP on the m0n0wall and put it
on the server instead).

Also consider that every extra machine you add has an OS and software
that must be kept up to date.  Someone has to manage that machine,
and stay on top of patches.  In a company network those costs are
expected.  In a home network, most people simply want things to work
without having to spend a lot of time making them work.

> Mark

jim

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch