[Dshield] Re: File Sharing
micheal at cancercare.net
Tue Oct 29 00:37:42 GMT 2002
No offense taken here. I'm a firm believer that there needs to be some sort of packet filter done at least at the ingress router into the network. Better yet to have that and a firewall / packet filter system as well. Honestly, I'd not considered the discounts to education facilities. It had completely slipped my mind. That may not be the mindset of everyone that runs / maintains a network. That's all well and good since I'm not the one that has to worry about it.
Cancer Care Network
----- Original Message -----
From: Ted Miller
To: list at dshield.org
Sent: Monday, October 28, 2002 12:50 PM
Subject: [Dshield] Re: File Sharing
We really should remove cost as a reason for educational institutions to avoid purchasing a hardware firewall. The discounts that the major vendors offer (I am familiar with Cisco & SonicWall, but I am sure the others are similar) for these organizations are really, really sweet. In some cases it goes up to a fifty percent discount!
In my mind there is a difference between "reason" and "excuse"... cost may be an excuse for not implementing a proper firewall, but it is never a reason. There may be other reasons, but frankly nothing in this discussion has convinced me of it. I feel that a firewall is a necessary line of defense for anyone that is connected to the Internet, be it a home DSL/Cable Modem user, small business, corporation, government entity, or educational institution.
Of course, this is only my opinion. I trust that everyone will take this in the spirit of open discussion as intended, and not be offended!
Micheal Patterson <micheal at cancercare.net> wrote:
Bob, I can't tell that you're not missing anything. Many of the world's top
security analysts will tell you that in today's day and age of the Internet,
it's best to have a tiered security structure of some sort. Personally, I
have access lists at my border router that are pretty open but catch the
most obvious issues (Code Red, netbios, ip spoofing, etc), then I have a
firewall directly behind it that blocks everything by default with the
exception of traffic to the various necessary services that have to be made
available for the company to function. The firewall is stateful for outbound
traffic so dynamic rules are created as needed. These dynamic rules time out
at 120 seconds. The deny rule logs all rejected traffic to give me a pretty
good idea what's trying to get in. If necessary, I have the ability to rate
limit outbound traffic at the firewall as well but so far, that's not been
necessary BUT it is available just in case.
As far as locations not using / wanting a firewall, IMHO it usually boils
down to 1 of 3 things:
1. Money, 2. Politics and 3. Ignorance (not stupidity)
Re 1: People don't want to spend the money to purchase a hardware firewall.
Nor do they want to take the time to implement any system with one built in
(*BSD, Linux, etc) using IPFW, IPFilter, IPChains, etc. Various companies
that I've run into over the years think that a firewall for a DS3 needs to
be one massive machine when it usually doesn't. I've known many locations
that are running P2 systems with 128mb ram that have been just laying around
doing nothing and are now firewall / packet filter systems and they run fine
as long as that's ALL they do.
Re 2: Persons in charge feel that there is no need to restrict traffic from
their network nor do they make any allowances "just in case" they have a
need to do so. It's all a "damn, what do we do now?" thing when reality
Re 3: People blindly believe that their systems are secure because they're
running latest patches. Not taking into consideration that there may be
other insecure items that just haven't been discovered yet. They trust MS to
completely patch against exploits, etc. They believe that the vendors are
taking action with their best interests in mind. This isn't always true, but
they believe it.
For me, I'd prefer to have as many locks on my network as I can get my hands
----- Original Message -----
From: "Bob Savage"
Sent: Monday, October 28, 2002 8:41 AM
Subject: RE: [Dshield] Secure computing (was: Port 135)
> I know this discussion is way over my head, but I don't understand the
> resistance here to using a firewall of some kind as part of the program.
> I must be missing a basic concept. Why would this be looked at
> differently in an educational institution? Isn't it just common sense
> to put a lock on the door even in a school?
> Bob Savage
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
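An added example, not part of the original thread or any poster's configuration: a minimal Python model of the second tier described in the quoted message (default deny, static rules for published services, stateful outbound traffic whose dynamic rules expire after 120 seconds, and a logging deny rule). The addresses, ports, class and function names, and the timer-restart behaviour are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

DYN_TTL = 120  # seconds: the dynamic-rule timeout given in the message

@dataclass
class StatefulFilter:
    inside: ipaddress.IPv4Network   # protected network (constructed example range)
    services: set                   # inbound (proto, dst_ip, dst_port) allowed by static rules
    dynamic: dict = field(default_factory=dict)    # reply flow -> expiry time
    deny_log: list = field(default_factory=list)   # what the logging deny rule recorded

    def check(self, now, proto, src, sport, dst, dport):
        """Return 'pass' or 'deny' for one packet seen at time `now` (seconds)."""
        # Drop dynamic rules whose timer has run out.
        self.dynamic = {f: t for f, t in self.dynamic.items() if t > now}
        src_in = ipaddress.ip_address(src) in self.inside
        dst_in = ipaddress.ip_address(dst) in self.inside
        if src_in and not dst_in:
            # Outbound: pass, and open a dynamic rule for the reply direction only.
            self.dynamic[(proto, dst, dport, src, sport)] = now + DYN_TTL
            return "pass"
        flow = (proto, src, sport, dst, dport)
        if flow in self.dynamic:
            # Assumption: matching traffic restarts the 120-second timer.
            self.dynamic[flow] = now + DYN_TTL
            return "pass"
        if (proto, dst, dport) in self.services:
            return "pass"            # static rule for a published service
        self.deny_log.append((now, proto, src, sport, dst, dport))
        return "deny"                # default deny, logged

def demo():
    """Run constructed packets (documentation address ranges) through the filter."""
    fw = StatefulFilter(ipaddress.ip_network("192.0.2.0/24"),
                        {("tcp", "192.0.2.25", 25)})
    packets = [
        (0,   "tcp", "192.0.2.10", 40000, "198.51.100.7", 80),   # client goes out
        (30,  "tcp", "198.51.100.7", 80, "192.0.2.10", 40000),   # reply within 120 s
        (40,  "tcp", "203.0.113.9", 51000, "192.0.2.25", 25),    # published mail service
        (41,  "tcp", "203.0.113.9", 51001, "192.0.2.10", 135),   # unsolicited probe
        (151, "tcp", "198.51.100.7", 80, "192.0.2.10", 40000),   # reply after rule expired
    ]
    return [fw.check(*p) for p in packets], fw.deny_log

if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    for entry in log:
        print("DENY", entry)
```

The two logged denies are the unsolicited connection to port 135 and the late reply that arrives after its dynamic rule has timed out, which is the kind of visibility the logging deny rule is described as giving.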