[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: azrues and selinux

To: silug-discuss@silug.org
Subject: Re: azrues and selinux
From: "Bryan J. Smith" <b.j.smith@ieee.org>
Date: Thu, 23 Feb 2006 16:50:16 -0800 (PST)
In-Reply-To: <676847c60602231241h57f0bba3v7ed4d4d6889b5063@mail.gmail.com>
Organization: Southern Illinois Linux Users Group
Reply-To: b.j.smith@ieee.org
Sender: silug-discuss-owner@silug.org

"Koree A. Smith" <koree@ameth.org> wrote:
> I think he was just saying that being behind a NAT router was
> sufficient enough.  Which, for the most part, is true.

Hasn't been for a long time.  Even Firefox is suseptible to spyware,
unless you turn Javascript and other things off.  The small little
tools in a security appliance really help you KNOW when you have been
comprised.

> Most home users don't need a robust, stateful firewall if they're
> behind NAT.

First off, most of these 'Ritters run Linux or VxWorks, and _do_ have
a "robust, stateful firewall."  Understand that.

Secondly, this is _not_ about a layer-3/4 firewall -- let alone a
"allow everything out ... be my guest" firewall.

Since most people don't want to deal with deny-all-outgoing by
default firewalls, or tweak security, they are at the mercy of what
their clients do.  Which means you need at least a basic IDS to catch
96-99% of the common compromises.

Even *I* got hit last year -- with Mozilla/Firefox no less!

> Your only real concern at that point is spoofing,

Huh?  99.99% of your compromises will be browser-based.

> and then security flaws in the router itself.

Huh?  The router helps you _zilch_ when you're hit on the browser.

> While NAT isn't a firewall, it does offer some level of security,
> even if it is partially from obscurity.

Again, these 'Ritters _are_ SPF -- often with Linux or VxWorks. 
Don't mistake that.

> If one starts forwarding ports, that can change things...

Port forwarding services is typically not the main issue for home
users, period.  The superstore SOHO SPF _died_ as a _minimal_ amount
of protection at least 2-3 years ago.

Having an IDS catch a major piece of spyware on your network within
the first 12 hours is priceless.

-- 
Bryan J. Smith     Professional, Technical Annoyance
b.j.smith@ieee.org      http://thebs413.blogspot.com
----------------------------------------------------
*** Speed doesn't kill, difference in speed does ***

-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.

References:
- Re: azrues and selinux
  - From: "Koree A. Smith" <koree@ameth.org>

Prev by Date: Re: Installing software without a package manager
Next by Date: Re: Installing software without a package manager
Prev by thread: Re: azrues and selinux
Next by thread: Bittorrent share ratio
Index(es):
- Date
- Thread