[Dshield] Secure computing (was: Port 135)

Mark Rowlands mark.rowlands at minmail.net
Tue Oct 29 22:07:35 GMT 2002


> It is more analogous to a hotel and apartment building.  The lobby and
> halls may be wide open, but you still have individual locks on every
> room, and visitors can knock on individual rooms.  However, if you
> want the firewall approach, then the visitor must buzz the room, and
> the person in room must buzz the main entrance door open to even get
> in the building.

The Republican Society for the Prevention of Abuse of Analogies would like to 
state its repugnance at the constant overuse of the open door, knocking on 
open windows, barking at the moon analogy.... it is high time it was retired 
and allowed to go and have a nice sleep in a quiet corner.

What is legal and what isn't is defined quite simply by the laws in your 
local political unit of control, be that state, federal republic or, in my 
case, Raving Megalomaniacal Dictatorship. If it don't say it is illegal, it 
ain't. It may be against your ISP's AUP, it may be rude or tasteless behaviour, 
but unless an applicable law says it is illegal....

As to the relative desirability of firewalls / router policies etc., this is a 
purely resource-based decision. How you determine the tradeoffs in terms of 
time / hardware / convenience can only ever be a personal judgement based 
around your user community's needs and desires (not always the same thing, 
btw) and your perception of the risks involved.

It may be your opinion that everyone should have a firewall, but that is all 
it is, your opinion, and I may well have a commercial reason for not doing so, 
and in the Raving Megalomaniacal Dictatorship we don't do stuff until we've got 
a sound commercial / legal reason for doing so. 

For example, I am currently working on a network where every machine has filter-
based rulesets on every interface detailing specifically which hosts / 
networks may talk with each other and on which ports. Every single 
unnecessary binary has been stripped out and there are centralised encrypted 
logs for just about everything flying about. But there is a valid commercial 
reason for it; the customer isn't doing it because he wants to be a nice 
neighbour...

I have another customer where there is virtually no protection, but the 
judgement there is that the money is better spent on locking up the toolshed 
and making sure the drinks cabinet is kept well stocked....

Written with love from behind a FreeBSD ipfw firewall with a generally liberal 
ruleset loaded.
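The per-host ruleset described in the post (every interface carrying an explicit list of which hosts may talk to which, on which ports, with a default deny and central logging) is the kind of thing one would generate rather than hand-type on every box. The script below is an added example, not the author's configuration: it turns a small allowlist into a FreeBSD ipfw ruleset for one interface. The interface name, addresses and ports are constructed for illustration; the generated commands use standard ipfw syntax (`check-state`, `keep-state`, `setup`, `deny log`).

```shell
#!/bin/sh
# Added example (not from the original post): build a per-host ipfw ruleset
# from an allowlist. Hosts, ports and interface name are assumptions.

# Allowlist, one entry per line: "<proto> <src> <dst> <dstport>" (constructed).
ALLOWLIST='tcp 10.0.0.5 10.0.0.10 22
tcp 10.0.0.0/24 10.0.0.20 443
udp 10.0.0.0/24 10.0.0.2 53'

# generate_rules IFACE: print the ipfw commands for the given interface.
# Rule numbering: 100 loopback, 200 state check, 300 outbound, 400+ allowlist,
# 65000 logged default deny. Nothing is applied; the output is the ruleset.
generate_rules() {
    iface="$1"
    echo "ipfw -q flush"
    echo "ipfw add 100 allow all from any to any via lo0"
    # Let replies for sessions we have already accepted through.
    echo "ipfw add 200 check-state"
    # This host may initiate outbound connections; replies come back via state.
    echo "ipfw add 300 allow all from me to any out via $iface keep-state"
    n=400
    echo "$ALLOWLIST" | while read -r proto src dst port; do
        [ -z "$proto" ] && continue
        case "$proto" in
            # 'setup' matches only the initial SYN, so only new inbound sessions
            # to the listed port are admitted; keep-state covers the rest.
            tcp) echo "ipfw add $n allow tcp from $src to $dst $port in via $iface setup keep-state" ;;
            udp) echo "ipfw add $n allow udp from $src to $dst $port in via $iface keep-state" ;;
        esac
        n=$((n + 100))
    done
    # Anything not explicitly allowed is dropped and logged (needs
    # net.inet.ip.fw.verbose=1 for the log entries to appear).
    echo "ipfw add 65000 deny log all from any to any"
}

# Usage: generate_rules em0 > /etc/ipfw.rules && sh /etc/ipfw.rules
generate_rules "${1:-em0}"
```

Review the generated file before loading it on a remote machine: the default deny at the bottom will cut off your own session unless the management host and port are in the allowlist, and the log rule will be noisy until the allowlist is complete, which is exactly the sort of time cost the post is weighing against leaving a machine unprotected.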