[Sussex] FTP - Fedora core 3

Jon Fautley jfautley at redhat.com
Thu Aug 11 10:16:56 UTC 2005


Ronan Chilvers wrote:
> On Thu, 11 Aug 2005 09:16:58 +0100
> Jon Fautley <jfautley at redhat.com> wrote:
> 
> 
>>Ronan Chilvers wrote:
>>
>>
>>>Great again!!  However, I don't think firewalling is really
>>>necessary if it's a trusted internal system, i.e. not internet
>>>facing.  Good idea to setup an anonymous FTP area maybe to restrict
>>>where FTPers can go, but a firewall sounds a bit like overkill,
>>>really.
>>
>>That is totally and utterly dependent upon the environment in which
>>the system is installed.
> 
> 
> True, which is why I said 'if it's a trusted internal system'.  It also
> depends what services you have running.  It doesn't sound like there's
> a requirement for any of the more high-brow firewalling /
> traffic shaping stuff like rate limiting, port redirection, NAT, etc,
> in which case isn't the firewall simply blocking access to a
> range of ports?  If that's the case and you don't have services opening
> ports that don't need to be open, then why can't you dispense with a
> firewall?

How can you guarantee that you can trust everyone internal to your 
company? Do you implicitly trust everyone that has access to your 
corporate network?

Firewalling is different from traffic shaping, rate limiting, NAT, etc...

I recommend having a firewall on all systems unless there's a good 
reason not to, for the following reasons:

1. Lazy Admins (nothing personal guys, I'm one of the worst ;) ) - you 
forget to switch off that one little service in the background

2. New Software - You've just installed MySQL and - whoops! - it's 
listening for TCP connections on the Internet.

3. Trojans/etc - Stops people connecting to arbitrary ports on your 
machine if they manage to install a trojan. (And yes, I limit what 
leaves my network too ;) )

4. yum update - oh dear, it's re-enabled some random service and not told 
you (OK, I've never seen this happen with yum (or up2date), but have 
(albeit a long time ago) with another package management system).

> 
>>Just because it's sitting on the corporate LAN, doesn't mean it's a 
>>'trusted' environment.
> 
> 
> Sure, and I've just seen the post revealing the NHS connection, so
> AAARRRGHHH!!  But I'm still not really clear on where a firewall is
> going to help.  If I have HTTP, FTP and SMTP running with no other
> ports open and given the above caveats, my firewall is just blocking
> ports which aren't open anyway.  Isn't it?  My implication is that you
> shouldn't be using firewalling to make up for weaker security elsewhere
> in the configuration.

See above. A firewall isn't there to 'make up' for weaker security, it's 
there to complement the existing security of the system.

How often do you perform security scans on your system? I'm guessing, 
like most of the population of the world, you install them with 'good' 
security, and then leave them... kinda like I do *ahem*

> Maybe there's a requirement for using some stateful firewalling but
> again, it didn't sound like it.

With FTP, almost certainly - but that's another argument ;)

Jon
-- 
Jon Fautley <jfautley at redhat.com>     direct: +44 1483 739615
  Presales Technical Consultant        office: +44 1483 300169
  Red Hat UK                           mobile: +44 7841 558683
  10 Alan Turing Road, Surrey Research Park, Guildford GU2 7YF
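As an added example (not from this thread or its authors): a small POSIX shell check for the "lazy admin", "new software" and "yum update" cases Jon lists above. It reads `ss -lnt` style output and flags any LISTEN socket bound to a non-loopback address whose port is not on an allowlist of services you expect to be exposed. The allowlist (FTP, SSH, SMTP, HTTP) and the `ss` sample embedded below are constructed for running offline; on a live host pipe `ss -lnt` into `unexpected_listeners` instead.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Audit listening TCP sockets against the set of ports you expect to be open.
# Anything else is a candidate for "service you forgot to turn off".

# Assumed allowlist: FTP, SSH, SMTP and HTTP are the services meant to be reachable.
ALLOWED_PORTS="21 22 25 80"

# Constructed sample of `ss -lnt` output (4th column is Local Address:Port).
# MySQL on 3306 is the surprise listener; SMTP on 127.0.0.1 is loopback-only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:21         0.0.0.0:*
LISTEN 0      50     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*'

# unexpected_listeners: reads `ss -lnt` output on stdin and prints the
# "addr:port" of every LISTEN socket that is reachable from the network
# (not bound to loopback) and whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    $1 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)        # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)    # everything before it
        # Loopback-only listeners are not reachable from the LAN; skip them.
        if (host == "127.0.0.1" || host == "[::1]") next
        if (!(port in ok)) print addr
    }'
}

# count_unexpected: number of flagged listeners (0 means the host matches expectations).
count_unexpected() {
    unexpected_listeners | wc -l | tr -d ' '
}

# Demonstration against the constructed sample; prints 0.0.0.0:3306.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
```

Run periodically (cron, or after every package install/update) and diff the output against the previous run; a non-empty result is the signal that a host-level firewall would have been covering for something you did not know was listening.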