firewall

Paul Mooring paul at getchef.com
Mon Sep 1 16:15:10 MST 2014


George,

That brings up an interesting point that I think is worth a mention.
Especially in production networks, it's important to understand that
firewalls, IDS/IPS and monitoring are all separate concerns.  Blocking
outbound traffic is generally more advisable if you're worried about
preventing spam from infected machines or stopping reverse shell call
homes from compromised machines (the second is generally false security
unless you're *really* restrictive outbound) whereas an IDS is more
appropriate for detecting problems.  Other than occasionally blocking port
25 outbound, I don't block outbound traffic, however I do collect a lot of
metrics, use an IDS system and alert on suspicious behavior.  I would
recommend all sys-admins do the same on production networks, on my home
network I don't bother with any of it but everyone should gauge their risk
and comfort levels for themselves.

Thanks,


On Sat, Aug 30, 2014 at 3:25 PM, George Toft <george at georgetoft.com> wrote:

>  Because I had outgoing rules defined, I actually found out I had an
> infected Windows 98 box (yeah - long time ago).  Said Win98 box was running
> a leading AV program and was infected by one of the most popular viruses.
> This event boosted my faith in outbound monitoring and destroyed my faith
> in AV products.
>
> Regards,
>
> George Toft
>
> On 8/27/2014 9:39 AM, Lisa Kachold wrote:
>
> The most important thing you can do is FIREWALL outbound traffic as well
> as inbound.
>
>  It's a great deal of work, but clearly nefarious traffic will be
> dropped.
>
>
> On Wed, Aug 27, 2014 at 7:32 AM, Bob Elzer <bob.elzer at gmail.com> wrote:
>
>> My question would be, how many times a day does someone try to break into
>> your system ?
>>
>> If you don't know the answer then maybe you should be running a firewall.
>>
>> It really depends on whether your network is secure or not, usually what
>> secures your network is a firewall. If that's the one on your router then
>> that should be enough.
>>
>> Looking in your log files for strange IPs and failed password attempts
>> will let you know if people are trying to get in, if you're running a web
>> server look in the error logs for attempts to access non-existent files,
>> usually a bunch from the same IP.
>>
>> Windows may have more vulnerabilities, but they will still try to break
>> into Linux systems.
>>
>> Search and read about fail2ban, that's one tool to use when you need to
>> have a service open to the internet.
>>
>> Hope this helps
>>  On Aug 26, 2014 8:15 PM, "Michael Havens" <bmike1 at gmail.com> wrote:
>>
>>>  I hear people say, "Even Linux users need a firewall."
>>>  My question is..... why? I've run Linux since '98 w/o a firewall (aside
>>> from the one sent with my modem/router). Isn't that good enough?
>>>  :-)~MIKE~(-:
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>
>



-- 
Paul Mooring
Operations Engineer
Chef
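The log checks Bob describes (failed password attempts and requests for non-existent files from the same IP) and the alerting Paul recommends can be scripted in a few dozen lines. The following is an added example written for this page, not code from any poster or from fail2ban; it assumes OpenSSH syslog-style auth lines and Apache 2.2-style error-log lines, and every sample line and address (TEST-NET ranges) is constructed. The per-window count mirrors the "findtime" idea from fail2ban, but the thresholds and function names here are this example's own.

```python
"""Scan sshd auth-log and Apache error-log lines for repeated failures from
one source address.  All sample lines below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH syslog format (no year, as in real syslog).
AUTH_LOG = """\
Aug 30 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Aug 30 10:00:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Aug 30 10:00:05 host sshd[1202]: Failed password for root from 203.0.113.5 port 41024 ssh2
Aug 30 10:00:09 host sshd[1203]: Failed password for root from 203.0.113.5 port 41025 ssh2
Aug 30 10:02:11 host sshd[1210]: Accepted publickey for paul from 192.0.2.10 port 50111 ssh2
Aug 30 10:03:40 host sshd[1215]: Failed password for paul from 192.0.2.10 port 50120 ssh2
Aug 30 10:03:45 host sshd[1215]: Accepted password for paul from 192.0.2.10 port 50120 ssh2
"""

# Constructed sample lines in Apache 2.2 error-log format.
ERROR_LOG = """\
[Sat Aug 30 10:05:01 2014] [error] [client 203.0.113.5] File does not exist: /var/www/html/phpmyadmin
[Sat Aug 30 10:05:02 2014] [error] [client 203.0.113.5] File does not exist: /var/www/html/pma
[Sat Aug 30 10:05:02 2014] [error] [client 203.0.113.5] File does not exist: /var/www/html/wp-login.php
[Sat Aug 30 10:07:30 2014] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
"""

SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)
WEB_MISSING = re.compile(r"\[client (?P<ip>[\d.]+)\] File does not exist: (?P<path>\S+)")


def ssh_failures(lines):
    """Map source IP -> sorted list of failed-login timestamps (year defaults to 1900)."""
    hits = defaultdict(list)
    for line in lines.splitlines():
        m = SSH_FAIL.match(line)
        if m:
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in hits.items()}


def max_in_window(timestamps, window_seconds):
    """Largest number of events inside any window of window_seconds
    (a two-pointer sweep over sorted timestamps)."""
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while (t - timestamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def web_probes(lines):
    """Map source IP -> list of non-existent paths it requested."""
    probes = defaultdict(list)
    for line in lines.splitlines():
        m = WEB_MISSING.search(line)
        if m:
            probes[m["ip"]].append(m["path"])
    return dict(probes)


def suspicious_sources(auth_lines, error_lines, max_fails=3, window_seconds=600, max_probes=3):
    """Return {ip: reason} for sources that cross either threshold.
    Thresholds are this example's assumptions; tune them to your own traffic."""
    flagged = {}
    for ip, ts in ssh_failures(auth_lines).items():
        n = max_in_window(ts, window_seconds)
        if n >= max_fails:
            flagged[ip] = f"{n} failed ssh logins within {window_seconds}s"
    for ip, paths in web_probes(error_lines).items():
        if len(paths) >= max_probes:
            reason = f"{len(paths)} requests for missing files"
            flagged[ip] = f"{flagged[ip]}; {reason}" if ip in flagged else reason
    return flagged


if __name__ == "__main__":
    for ip, reason in suspicious_sources(AUTH_LOG, ERROR_LOG).items():
        print(f"{ip}: {reason}")
```

Run against a real `/var/log/auth.log` and Apache error log by reading the files into the two string arguments. The single legitimate user who mistypes a password once (192.0.2.10 above) stays below the threshold, which is the reason for counting per source within a time window rather than alerting on every failure line.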