[Snort-users] Still Help Needed: i want to make a firewall
mkettler at ...4108...
Thu Apr 17 11:37:10 EDT 2003
At 12:34 PM 4/17/2003 -0500, Paul Schmehl wrote:
>This is a *horrible* "solution". How does this improve security?
Actually, this is a good solution in so far that servers on which nobody
ever web browses will not be as easily taken advantage of by worms that
rely on IE to spread once they infect the server. This isn't a
comprehensive security solution, but is a part of one. There is no single
change to a system that makes it secure, and this certainly isn't a massive
improvement and there are ways around it, but it is indeed a small
It's quite similar to the "by default run no services that aren't needed"
principle used by OpenBSD. This way you're forcing people to turn on things
as they need them, instead of forcing them to realize on their own what
they don't need and turn it off. You're significantly more likely to
realize that something you need is disabled than to notice something you
don't need that's on.
It is, however, no substitute for other aspects of securing a system, really
you need a wide variety of techniques applied together, and what they've
done here IS one of the basic tenets of a secure system (minimal service
and/or minimal privilege depending on how you look at it).
Some key aspects of a well secured system that spring to my mind include:
-minimal necessary service (don't offer services that nobody needs)
-minimal necessary privilege (don't provide users/programs access
to resources they don't need, ie: ACLs, file permissions)
-code audits (to find/fix bugs before hackers do)
-defensive code mechanisms (ie: buffer sanity checks, hardware
based no-exec, etc. to help prevent unknown holes from being exploited)
-integrity checking (useful for forensics and figuring out which
files got changed if an attack occurs, if nothing else.. ie: properly
configured tripwire or aide. And yes, by "proper" I do mean protecting the
database and application from being changed).
Admittedly they've not covered every base.. but hey, every little step they
take is _something_ and I'll be more than happy to praise MS for taking
steps to improve this area (while at the same time criticizing them for any
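The integrity-checking point above (a tripwire/aide-style baseline whose database is itself protected from tampering) is easy to show in miniature. The following is an added example written for this archive page, not code from the poster or from either tool: it hashes a directory tree into a baseline, signs the baseline with an HMAC so that an edit to the database is detected, and then reports files that were added, removed or changed. The directory tree, the file contents and the key are all constructed for the demonstration; in a real deployment the key and the database would live on read-only media or a separate host, not next to the files they cover.

```python
"""Minimal file-integrity baseline and check in the spirit of tripwire/aide (added example)."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Constructed demo key. A production key is kept off the monitored host
# (read-only media, separate machine), never beside the baseline it protects.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size, mode} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline, db_path, key):
    """Write the baseline with an HMAC over its canonical JSON form."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(db_path, "w") as f:
        json.dump({"hmac": tag, "baseline": baseline}, f)


def load_baseline(db_path, key):
    """Read the baseline and refuse it if the HMAC no longer matches (database tampered or wrong key)."""
    with open(db_path) as f:
        record = json.load(f)
    body = json.dumps(record["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["hmac"]):
        raise ValueError("integrity database has been modified or the key does not match")
    return record["baseline"]


def compare(baseline, current):
    """Report added, removed and changed paths (sorted lists) between two baselines."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tree, alter it, and also tamper with the database."""
    root = tempfile.mkdtemp(prefix="fim-tree-")
    db_dir = tempfile.mkdtemp(prefix="fim-db-")  # stands in for separate, protected storage
    db = os.path.join(db_dir, "baseline.json")
    try:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "sbin_tool"), "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        with open(os.path.join(root, "stale.log"), "w") as f:
            f.write("old\n")
        save_baseline(build_baseline(root), db, DEMO_KEY)

        # Later changes on the host: one binary replaced, one file dropped, one removed.
        with open(os.path.join(root, "sbin_tool"), "w") as f:
            f.write("#!/bin/sh\necho patched\n")
        with open(os.path.join(root, "dropped.txt"), "w") as f:
            f.write("x\n")
        os.remove(os.path.join(root, "stale.log"))
        report = compare(load_baseline(db, DEMO_KEY), build_baseline(root))

        # Someone edits the database to make the replaced binary look unchanged.
        with open(db) as f:
            record = json.load(f)
        record["baseline"]["sbin_tool"]["sha256"] = "0" * 64
        with open(db, "w") as f:
            json.dump(record, f)
        try:
            load_baseline(db, DEMO_KEY)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return report, tamper_detected
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(db_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the change report (`dropped.txt` added, `stale.log` removed, `sbin_tool` changed) together with `True` for the tampered-database case; the HMAC is what turns the poster's "protecting the database" from advice into something the checker can actually enforce, provided the key is not stored where the checked files are.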