
RE: [cobalt-security] IPchains again



Nothing happens until the ipchains program is run, and it adds only one rule
at a time; many are required for a typical configuration.  I don't know if
carefully clamping down is all that practical.  If you look at almost any
firewall rule set, it begins with a bunch of permits followed by "drop
everything else", so you would not see the results of your work until the end,
and it may be too late.  If you are not familiar with this, I would not try the
roll-your-own approach.  I would grab something like gShield that has a flexible
and tight security policy and just make sure that all the public services
are defined and several "client-hosts" and "client-services" are defined so
you can get at the thing from multiple places with telnet and ssh during the
first pass.  You will have to add port 81 for the admin interface to
"client-services".  I have used gShield on several Raq4R systems and some
other Linux boxes and haven't locked myself out yet.  The config files are
simple and well documented, and the scripts are not glitchy (I had tried some
that were).  It is always scary messing with network configs from afar, and
it should be scary, as things can and do go wrong; I've seen it many times.  You
might want to build your comfort level a bit by setting up a local Linux
test box and trying out some configs.  Depending on how "remote" remote is, it
would be easy to bail out with a serial console cable; just be prepared for
that as a contingency plan and make the change off-hours if applicable.

Eric
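An added example of the ordering Eric describes (permits for the client hosts and public services first, the default DENY policy flipped only as the very last command), plus a background watchdog that reopens the input chain if you do lock yourself out. This is not gShield and not a script from this thread; the client hosts, service ports and timeout are constructed placeholders.

```shell
#!/bin/sh
# Added example, not gShield and not code from this thread. Emits an ipchains
# input-chain rule set in "permits first, deny everything else last" order so
# that a half-applied run never locks out the client hosts, and arms a
# watchdog that reopens the chain if the change is not confirmed in time.
# All hosts, ports and the timeout below are constructed placeholders.
CLIENT_HOSTS="${CLIENT_HOSTS:-203.0.113.10 198.51.100.7}"  # admin boxes you connect from
CLIENT_SERVICES="${CLIENT_SERVICES:-22 23 81}"              # ssh, telnet, port 81 admin UI
PUBLIC_SERVICES="${PUBLIC_SERVICES:-80 25}"                 # services open to everyone
WATCHDOG_SECS="${WATCHDOG_SECS:-300}"                       # time to confirm before rollback

# Print the commands in apply order. Policy stays ACCEPT while rules are added
# one at a time; the flip to DENY is the very last command.
build_rules() {
    echo "ipchains -F input"
    echo "ipchains -P input ACCEPT"
    echo "ipchains -A input -i lo -j ACCEPT"
    for h in $CLIENT_HOSTS; do
        for p in $CLIENT_SERVICES; do
            echo "ipchains -A input -p tcp -s $h -d 0.0.0.0/0 $p -j ACCEPT"
        done
    done
    for p in $PUBLIC_SERVICES; do
        echo "ipchains -A input -p tcp -d 0.0.0.0/0 $p -j ACCEPT"
    done
    echo "ipchains -A input -p tcp ! -y -j ACCEPT"   # replies to outbound connections (non-SYN)
    echo "ipchains -P input DENY"
}

# Background watchdog: flushes the chain and reopens policy unless killed first.
# Prints its PID so the admin can cancel it once a fresh ssh login succeeds.
arm_watchdog() {
    ( sleep "$WATCHDOG_SECS" && ipchains -F input && ipchains -P input ACCEPT ) &
    echo $!
}

# Sanity check on the generated set: exactly one DENY, and it must be last.
rules_ok() {
    [ "$(build_rules | grep -c DENY)" -eq 1 ] &&
    [ "$(build_rules | tail -n 1)" = "ipchains -P input DENY" ]
}

if [ "${1:-}" = "apply" ]; then          # sh firewall.sh apply ; later: kill <pid>
    rules_ok || { echo "refusing: bad rule order" >&2; exit 1; }
    echo "watchdog pid $(arm_watchdog)"
    build_rules | sh
fi
```

Run without arguments it only defines functions; `sh firewall.sh apply` arms the watchdog and applies the rules, and you kill the printed PID once you have confirmed a new ssh login still works.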

> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Mark
> Sent: Tuesday, July 24, 2001 8:18 PM
> To: Cobalt-Security@List.Cobalt.Com
> Subject: [cobalt-security] IPchains again
>
>
> I read the success stories with interest, but it still
> scares me a little to install this on my remote RAQ3, with
> the possibility of locking everyone, including myself, out
> of the box.
> My question: once installed, is the security fully open,
> i.e. no restrictions, leaving me to "carefully" clamp
> it down?
>
> Regards
> Mark
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>