[TriLUG] Server Maintenance

Jon Carnes jonc at nc.rr.com
Fri Aug 1 15:13:36 EDT 2003


On Fri, 2003-08-01 at 13:34, Hite, Danny wrote:
> > Security is a process, though, and patching alone is not enough.  
> > Again, entire books have been written on this subject and it is too 
> > broad a subject to address quickly on a mailing list.
> 
> My initial thought was that the DMZ/SSN would isolate it enough, but Jon
> mentions:
> 
> > > > You should be running a firewall on the box, and blocking all 
> > > > in/outbound ports that are not currently used by the server.  Also, if
> > > > you are extra paranoid, you should look at running Tripwire 
> > > > (an intrusion detection tool).
> 
> How far should I take this in a DMZ/SSN part of my network with only 1 port
> being forwarded inbound?

Well you should be extra careful of anything that is accessible via the
outside (even by one port).  By blocking both inbound and outbound
traffic on unused ports and protocols you may save yourself a lot of
work should someone violate your network.  

I think it's fine to open up some ports to your local subnet, but you
should definitely limit/justify the number of ports that are open to
everybody all the time.

My approach to security is multi-layered. I like to limit access by
user, services, groups, and locations. This applies to the internal
network as well as the DMZ and the external network.

As an example, user johnq may need access to read the intranet webserver
from any corporate (or vpn'ed) location, but he only needs write access
to the testing groups section of the intranet and only while he is
accessing it from a machine physically located in the testing subnet.

It seems like a pain in the a** but once your network and groups are
set up to accommodate this kind of security approach then adding the
security becomes fairly easy and commonplace.

HtH - Jon
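As an added illustration of the host-firewall approach described in the reply above (this is not Jon's or TriLUG's code), the script below generates an iptables-restore ruleset for a DMZ box that publishes exactly one service to the world, opens a few more ports only to the local subnet, and drops everything else in both directions, and then audits a captured `netstat -ltn` listing for listeners the policy does not cover. The parameters (port 80 as the public service, 192.168.10.0/24 as the local subnet, 22 and 3306 as subnet-only ports, 10.0.0.53 as the resolver) and the sample listing are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example: host firewall for a DMZ server with one public port.
# Default policy is DROP on INPUT and OUTPUT, so any port or protocol
# not explicitly listed is blocked inbound AND outbound.  The outbound
# drop is what limits the damage if the public service is compromised:
# the attacker's shell cannot easily reach back out.
# All parameters below are hypothetical values chosen for the example.

gen_host_fw_rules() {
  public_port="$1"   # the single port forwarded in from the Internet
  local_net="$2"     # subnet that gets extra ports (admin, db, ...)
  local_ports="$3"   # space-separated tcp ports open to local_net only
  dns_servers="$4"   # space-separated resolver IPs the box may query

  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies within conversations we already accepted
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the one service open to everybody
-A INPUT -p tcp --dport ${public_port} -m state --state NEW -j ACCEPT
EOF
  # ports justified only for the local subnet: source-restricted
  for p in $local_ports; do
    echo "-A INPUT -s ${local_net} -p tcp --dport ${p} -m state --state NEW -j ACCEPT"
  done
  # the only new outbound traffic the box may originate: DNS to named resolvers
  for d in $dns_servers; do
    echo "-A OUTPUT -d ${d} -p udp --dport 53 -j ACCEPT"
  done
  cat <<EOF
# log what is dropped (rate-limited) so an outbound attempt from a
# compromised service shows up in syslog instead of silently failing
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Audit step: given netstat -ltn style output and the ports the ruleset
# allows, print listening ports that are neither allowed nor bound to
# loopback.  Those are daemons that should be turned off, or ports that
# need a justified rule.  The listing is passed in as text so it can be
# run against a captured listing; a constructed one is used below.
listeners_outside_policy() {
  listing="$1"; allowed="$2"
  printf '%s\n' "$listing" | awk -v allowed="$allowed" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      if ($4 ~ /^127\./) next            # loopback-only listeners are fine
      port = $4; sub(/.*:/, "", port)    # strip address, keep the port
      if (!(port in ok) && !seen[port]++) print port
    }'
}

# Constructed sample listing (not from a real host): portmapper on 111
# is listening on all interfaces but has no rule, so it gets flagged.
SAMPLE_LISTING='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# Usage (as root, after reviewing the output):
#   gen_host_fw_rules 80 192.168.10.0/24 "22 3306" "10.0.0.53" | iptables-restore
#   listeners_outside_policy "$(netstat -ltn)" "80 22 3306"
gen_host_fw_rules 80 192.168.10.0/24 "22 3306" "10.0.0.53"
listeners_outside_policy "$SAMPLE_LISTING" "80 22 3306"
```

Note that the audit only looks at what is listening; the ruleset is what enforces the policy, and the LOG rules are what tell you afterwards which blocked connections were attempted.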



