MLUG: RE: Specific question about: [MLUG - DISCUSSION] network scanning?
Thanks, Neil, that was the kind of info I was looking for, about what 
levels tcp_wrappers vs. ipchains operate on.
__
Chris

Quoting Neil Bradshaw <EMAIL:PROTECTED>:

> For your ipchains ruleset, the best way to handle it is to allow
> everything behind the firewall to do whatever it wants (with modules on
> the firewall as needed), don't allow anything to send initial SYN packets
> to the machines behind the firewall (which ipmasq does very efficiently),
> and only allow SYN packets to be sent to the firewall, which you should
> only be running SSH on. This way, a telnet session will not be possible
> regardless. Completely shut down xinetd and all other services, and only
> run essential daemons that don't use networking and SSH. This is a
> semi-strong setup. Protecting machines on the internal LAN from crap like
> fragmented packets, spoofing, illegal IPs, etc, helps out a lot.
> 
> tcp_wrappers operates at the software level in the TCP/IP level, thus, it
> can only protect so much. tcp_wrappers basically intercepts information
> from inetd/xinetd and the required daemon, looks at some basic rules the
> user puts into /etc/hosts.deny and /etc/hosts.allow, and decides whether
> or not to allow communication. It rarely handles services outside
> inetd/xinetd.
> 
> ipchains is the best thing in the world because it operates at the
> transport level (tcp/udp streams/packets) and internet/network layer (ips,
> icmp, etc). It controls all communications to the firewall, and machines
> behind it. For this reason, it is far superior to a software level
> security system like tcp_wrappers.
> 
> Regards,
> Neil
--
To manage your subscription, go to http://mlug.missouri.edu/members/edit.php

Archives are available at http://mlug.missouri.edu/list-archives/
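The ruleset Neil describes, written out as an ipchains script. This is an added example, not code from the thread; the interface names (eth0 outside, eth1 inside), the external address 203.0.113.1 and the LAN 192.168.1.0/24 are assumed placeholders, and IPCHAINS=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: ipchains policy from the thread. Inside may do anything
# (masqueraded), no inbound SYN reaches internal hosts, and the only SYN the
# firewall itself accepts is to its own SSH port. Addresses are placeholders.
set -eu
IPCHAINS="${IPCHAINS:-ipchains}"   # set IPCHAINS=echo for a dry run
EXT_IF="${EXT_IF:-eth0}"           # assumed: interface facing the Internet
INT_IF="${INT_IF:-eth1}"           # assumed: interface facing the LAN
FW_EXT="${FW_EXT:-203.0.113.1}"    # placeholder external address (TEST-NET-3)
LAN="${LAN:-192.168.1.0/24}"       # constructed internal network

apply_rules() {
    # Start clean and default-deny inbound and forwarded traffic.
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT

    # Loopback and anything arriving from the trusted LAN side is accepted.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$INT_IF" -j ACCEPT

    # Spoofed source (our own LAN range coming in from outside) and
    # fragments: log and drop, the "crap" the post mentions.
    $IPCHAINS -A input -i "$EXT_IF" -s "$LAN" -l -j DENY
    $IPCHAINS -A input -i "$EXT_IF" -f -l -j DENY

    # The only new connection the outside may open: SSH to the firewall.
    # -y matches SYN-only packets, i.e. connection attempts.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -y -d "$FW_EXT" 22 -j ACCEPT

    # Replies to connections the firewall opened: non-SYN TCP, UDP to
    # unprivileged ports, and ICMP.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -d "$FW_EXT" -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p udp -d "$FW_EXT" 1024:65535 -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p icmp -d "$FW_EXT" -j ACCEPT

    # Every other inbound SYN is a scan or probe worth seeing: log, then deny.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -y -l -j DENY

    # Internal hosts go out through masquerading; nothing is forwarded in.
    $IPCHAINS -A forward -s "$LAN" -j MASQ
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPCHAINS=echo; apply_rules ;;
esac
```

tcp_wrappers can still add an inner layer for sshd (an sshd line in /etc/hosts.allow) where sshd is built with libwrap, but as the post says it only decides after the kernel has already accepted the SYN, so the ipchains rules above are the layer that keeps scans off the LAN.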