Re: Need Help Building Linux Based Firewall
From: Devdas Bhagat <dodobh () nettaxi com>
Date: Sat, 30 Nov 2002 02:00:35 +0530
On 28/11/02 09:23 +0530, phani () myrealbox com wrote:
> 2. What are the application/software required to be installed?
> Again, if you are running a separate box as the firewall, then *no* app
> should be installed except for the firewall.
What about application proxies? SOCKS? I would definitely consider
proxies as part of a firewall (OSI layer 7).
If you mean a firewall only as a stateful packet filter, then yes no
applications should be running there. But if you consider a firewall as
a security system, then application layer proxies should be included in
The best packet filter in the world will not protect your unpatched
public Apache box from being exploited. OTOH, breaking into a patched
Apache box is a different issue.
Security is a process. Defense must be in depth.
ACLs on the edge routers to prevent RFC 1918 addresses from entering
your network, egress filtering, SPFs to reduce noise close to
the edge, application layer firewalls defending applications, secure
code in the applications themselves, encrypted network communications,
IDS, clued up users..........
The ultimate firewall of course, is secure code, running on a
physically secure machine, with level 8 security in place.
Firewalls as a bandage for bad code are a bad idea. Properly used to
segment networks with varying security requirements, they can be useful.
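The ingress and egress filtering the post lists (dropping RFC 1918 sources arriving from the Internet side, letting only your own netblock leave, and stateful acceptance of established traffic) is what a Linux packet filter would actually enforce. The script below is an added example for this thread, not code from the post or from any project; the interface names, the internal netblock, the DRY_RUN switch and the helper function names are all assumptions. It builds the rules as iptables commands and ships a small CIDR matcher so the address classification can be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the list post): ingress/egress filtering for a
# two-interface Linux firewall. WAN_IF, LAN_IF, LAN_NET and DRY_RUN are assumed
# names; DRY_RUN=1 prints the iptables commands instead of executing them.
WAN_IF="${WAN_IF:-eth0}"              # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"              # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed internal netblock (constructed)
DRY_RUN="${DRY_RUN:-1}"               # 1 = print rules, 0 = run iptables

# RFC 1918 private ranges: these must never arrive from the Internet side.
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip4_to_int A.B.C.D -> the address as a single integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> exit 0 when ADDR lies inside the block
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# is_rfc1918 ADDR -> exit 0 when ADDR falls in any private range
is_rfc1918() {
    for blk in $RFC1918; do
        in_cidr "$1" "$blk" && return 0
    done
    return 1
}

# rule ARGS... -> print or execute one iptables command
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_rules -> the full rule set, in the order iptables evaluates it
build_rules() {
    # Default deny on everything the box receives or forwards
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    # Stateful: replies to connections already known to conntrack
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Ingress: private source addresses have no business arriving on WAN_IF
    for blk in $RFC1918; do
        rule -A INPUT -i "$WAN_IF" -s "$blk" -j DROP
        rule -A FORWARD -i "$WAN_IF" -s "$blk" -j DROP
    done
    # Egress: only packets sourced from our own netblock may leave (anti-spoofing)
    rule -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
    rule -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
}

# With the default DRY_RUN=1 this just prints the rule set for review.
build_rules
```

Run it as-is to review the generated rules, then `DRY_RUN=0` as root to load them. The CIDR matcher is there so the address logic can be exercised offline (`is_rfc1918 10.1.2.3` succeeds, `is_rfc1918 203.0.113.5` fails), which is also a handy way to check any additional ranges you decide to bogon-filter before they go into a live rule.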