
Re: [ccp4bb]: Security, Firewalls etc.




I realize this topic may have been pummeled a bit, so this may not be much 
help now, but what the heck...

On Fri, 30 Aug 2002, Dr Peter C E Moody wrote:

> 
> Do you all have firewalls or rely on keeping your operating systems up to
> date?

Both, which may be a hassle, but a necessary one.  ;)

> Is Smoothwall on a PC enough? How much will it cost, and how easy 
> is it to set up?

I've heard nothing but great things about Smoothwall - it's free, very
small (20 megabytes to install), and is easy to configure.  For most
firewall applications, it seems to work great (especially if budget is an 
issue, and you don't want to deal with all the details of system 
administration in order to manage it).

> How do you manage to log in and ftp data from
> synchrotrons without allowing in hackers?
> 

If I understand this correctly, if you want to set up your smoothwall
server as an ftp server, good luck.  Smoothwall doesn't include an FTP
server anymore - you'll either have to use a different distribution or use
scp/sftp instead.  Of course, you could always forward the port(s) through
the firewall, but in any case, an ftp server requires monitoring and 
control with xinetd (NOT inetd) and netfilter.  I tend to scp my data to 
a firewalled box (which is also the fileserver, dare I say).

On Fri, 30 Aug 2002, Kevin Cowtan wrote:
>
> Recent RedHat machines, and maybe some other linuces, have switched to
> using ipfilter instead of tcpwrappers - I don't know how to configure
> this properly.
>

netfilter/iptables is not a replacement for tcpwrappers, and should not be
considered as such.  (In fact, Red Hat includes both in all of their
distributions that use the 2.4 kernel.)  And having one without the other
is considered a Bad Thing.  tcpwrappers/xinetd may block certain IP
addresses, but much of this can be spoofed or circumvented (such as by
fragmentation and certain forms of flooding) - netfilter offers a *slew*
of options to augment what tcpwrappers and xinetd offer (and if you want
to set up a router as well as a firewall, you'll need to do some packet
mangling with netfilter anyway).

> If you are not behind a firewall, you can add one very cheaply - an old
> PC, running a BSD-based firewall distro is probably best. These will
> often fit on a single floppy. There are Linux versions as well, but
> Linux is more widespread and thus vulnerabilities are better known.

Ahh, the advocates of Linux would weep at such a statement - to the
thought that "security through obscurity" is sufficient, someone smarter
than I offers the response: "Crackers *love* that kind of naivete and prey
on it ruthlessly."  (Eric Raymond)

	-Tim F

-- 
---------------------------------------------------------

        Tim Fenn
        fenn@brandeis.edu
        Rosenstiel Basic Medical Sciences Research Center
        Brandeis University, Mail Stop 029
        415 South Street
        Waltham, MA 02454
        Phone:  (781) 736-4942
        FAX:  (781) 736-2405

---------------------------------------------------------
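The layered setup Tim argues for above (netfilter alongside tcpwrappers, with scp/sftp instead of ftp), as an added example that is not code from the original post or from Smoothwall: a small POSIX shell script that emits an iptables-restore ruleset and the matching hosts.allow/hosts.deny entries for a box that accepts tcp/22 only from one trusted network. The trusted network (192.0.2.0/24, TEST-NET-1), the outside interface name and the inside address range are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the list post): emit the two layers discussed,
# a netfilter ruleset and matching tcpwrappers entries, for a box that takes
# scp/sftp (tcp/22) only from a trusted network. All network values below are
# assumed placeholders (192.0.2.0/24 is TEST-NET-1); substitute your own.
TRUSTED_CIDR="${TRUSTED_CIDR:-192.0.2.0/24}"              # netfilter form
TRUSTED_WRAP="${TRUSTED_WRAP:-192.0.2.0/255.255.255.0}"   # tcpwrappers form
WAN_IF="${WAN_IF:-eth0}"                                  # outside interface
LAN_NET="${LAN_NET:-10.0.0.0/8}"                          # our inside range

# Layer 1: netfilter, in iptables-restore format. Covers what tcpwrappers
# cannot see: fragments, spoofed source addresses and connection floods.
netfilter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -f -j DROP
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A INPUT -p tcp --dport 22 -s $TRUSTED_CIDR -m state --state NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT
COMMIT
EOF
}

# Layer 2: tcpwrappers. An independent check inside sshd/xinetd, so a hole
# in the packet filter still does not expose the daemon to arbitrary hosts.
hosts_allow() { printf 'sshd: %s\nsshd: 127.0.0.1\n' "$TRUSTED_WRAP"; }
hosts_deny()  { printf 'ALL: ALL\n'; }

# Install both layers; requires root and must be requested explicitly.
apply_layers() {
    netfilter_rules | iptables-restore || return 1
    hosts_allow > /etc/hosts.allow && hosts_deny > /etc/hosts.deny
}

if [ "${1:-}" = "apply" ]; then
    apply_layers
fi
```

Run without arguments to only define the functions and inspect the output (for example `netfilter_rules`); run as root with `apply` to install both layers.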