[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security: FreeBSD vs OpenBSD
On Mon, Feb 04, 2002 at 02:59:05PM -0330, Martin Marconcini wrote:
> You are suggesting that we should create Mini-Firewalls on every box?
> (that is, by configuring pf/ipf or whatever?)
This is not a bad thing. The traditionnal "one-local-network/one
firewall/internet" scheme has limits :
- You have a single point of failure. If the firewall crashes or gets rooted,
and your network is dead.
- Your firewall must support all traffic. It doesn't scale. Keeping a lot of
states for a lot of machines in a single machine simply doesn't work.
- You can't protect machines from internal attacks.
- You can't do per system user accounting.
- You add a hop.
Things like filtering reserved classes and internal addresses on ext
interface to limit spoofing can be done on the router. Once the rules are
set on the router, you usually never change them again. No need for an
additionnal firewall to do that.
Having PF rules on every box is far more flexible. You can explicitely
allow traffic only between two machines of the internal network. It of
courses scales infinitely well. Per-user accounting is possible. If a
firewall crashes, only one server crashes. You never run out of states. You
don't need to module states or scrub the traffic. You can easily restrict
outgoing traffic to only match what local services are supposed to ever
connect to (backdoors can't be accessed except from 127.0.0.1), etc.
__ /*- Frank DENIS (Jedi/Sector One) <j@42-Networks.Com> -*\ __
\ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' /
\/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/