This is a discussion on "security setup without firewall?" within the Linux Security forums, part of the System Security and Security Related category.
hi
I have been hearing from different sources that a truly good security setup does not require a firewall. Of course that depends on the situation for the system, but if one considers a single home computer, is it plausible to have basic security without a firewall?

The reason I am asking is that I am looking for the simplest way to centrally control which ports are open and for which addresses. The problem is that most firewall systems on Linux are pretty complex, e.g. shorewall, and that makes it difficult to make them work properly.

I was initially thinking that setting hosts.deny/allow would cover a lot of ground. When I tested it, by setting deny: ALL:ALL, I found that SSH was affected but HTTP was not. I also found that nmap finds all the ports open. This suggests to me that if I don't use a firewall I have to separately configure all the different services to make a basic security config.

So the question is, is there a single file such as allow/deny that can be used to control visibility of ports and access in an easy way, or is a firewall the only real option for this (which means that I would have to throw out shorewall and just use iptables directly)?

tom
Tom Forsmo wrote:
> I have been hearing from different sources that a truly good security
> setup does not require a firewall. Of course that depends on the
> situation for the system. but if one considers a single home computer,
> is it plausible to have basic security without a firewall?

This philosophy requires that you maintain your system perfectly: that you are always on top of your updates and that you make no mistakes that would allow hackers into your system. Even on a home system, a firewall will add an extra level of protection that makes it more difficult for a single mistake to compromise a system.

For example, a person once advised someone who wanted only to check locally delivered mail on their system to install a POP server on the system. If the user followed this advice, a service port would be opened that could give a possible point of attack for a hacker even if the user never actually intended to use POP to access the mail remotely. With a firewall installed, the POP port would also need to be opened for a hacker to get access to the port.

BTW, shorewall is not the firewall, it is a method of configuring the firewall. If you want a relatively easy front end, try Guarddog.

http://www.simonzone.com/software/guarddog/
On 2006-12-09, left_coast <void@void.not> wrote:
> BTW, shorewall is not the firewall, it is a method of configuring the
> firewall. If you want a relatively easy front end, try Guarddog.
>
> http://www.simonzone.com/software/guarddog/

......or Arno's iptables firewall script. You edit the config script, it configures iptables. It starts with everything closed but stateful http and email, and you open things as needed. Even a dummy like me can figure it out. ;)

http://rocky.molphys.leidenuniv.nl/

nb
Tom Forsmo wrote:
> hi
>
> I have been hearing from different sources that a truly good security
> setup does not require a firewall. Of course that depends on the
> situation for the system. but if one considers a single home computer,
> is it plausible to have basic security without a firewall?
>
> The reason I am asking is that I am looking for the simplest way to
> centrally control which ports are open and for which adresses. The
> problem is that most firewall systems on linux are pretty complex, e.g.
> shorewall, and that makes it difficult to make it work properly.
>
> I was initially thinking that setting hosts.deny/allow would cover a lot
> of ground. When I tested it, by setting deny: ALL:ALL, I found that
> SSH was affected but http was not. I also found that nmap finds all the
> ports open. Yhis suggest to me that if I dont use a firewall I have to
> separately configure all the different services to make a basic security
> config.
>
> So the question is, is there a single file such as allow\deny that can
> be used to control visibility of ports and access in an easy way, or is
> a firewall the only real option for this (which mean that I would have
> to throw out shorewall and just use iptables directly)

Hello tom. You don't have to "throw out" shorewall (I never used it) or any other utility, but it is still good to know how to add or modify iptables rules (from the command line if necessary). Depending on your OS and what is available, you probably have several GUI options.

When you say "centrally control", I understand *remotely control* several systems. And that means "remotely". Your host* files are very useful here.

A firewall is not *strictly* required, if all accessible services are properly protected. The point is that you want to block incoming UDP to listening services that is not desirable, and block incoming TCP that is not a connection you want. Those are most easily assured with a firewall.

Much more knowledge is required to set up each service individually to be immune to intrusion. As needed, you will need to do that step by step. You should do that anyway, firewall or no. And the most general rule is that if you don't need to expose a service to the world, then don't even have it listening or even running. Until you know how to find, stop and/or protect those "listening" processes, you still need a firewall.

There is no "one size fits all" solution to security. If you run a service accessible by the world, then you need to understand and monitor that service if you want security.

Theoretically, a firewall is unnecessary. In practical terms, for the effort and value involved, a firewall is the cheapest, easiest, most effective cover-all security solution. That doesn't preclude using layers (many layers) of redundant security. Actually, many layers are best. Look for and implement them.

For controlling open ports and from where they can be accessed, iptables (netfilter) is what you want.

Best wishes.
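The default-deny, stateful ruleset this reply and the earlier ones describe (everything closed, replies to the host's own connections allowed, SSH only from a chosen address range, other ports opened one at a time), as an added example that is not from this thread or from any of the tools it names. The script prints the iptables commands so they can be reviewed before anything is applied; apply_rules runs them and needs root. The 203.0.113.0/24 range and the port numbers in the comments are constructed placeholders.

```shell
#!/bin/sh
# Generate a minimal default-deny iptables ruleset for a single host.
# Usage: gen_rules <ssh_source_cidr> [tcp_ports_open_to_everyone...]
# Constructed example: gen_rules 203.0.113.0/24 80
gen_rules() {
    ssh_src="$1"; shift
    # Start from a clean slate, then default-deny inbound and forwarded traffic.
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback, and replies to connections this host started itself.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # A "new" TCP connection that does not begin with SYN is bogus: drop it.
    echo "iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
    # SSH is reachable only from the trusted source range, not from the world.
    echo "iptables -A INPUT -p tcp -s $ssh_src --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # Services that are deliberately exposed to everyone, one rule per port.
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log a rate-limited sample of what the default policy drops, so a
    # service you forgot was listening shows up in the logs, not in nmap.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
}

# Apply the generated ruleset (needs root). eval is used so the quoted
# log prefix survives; only feed this the output of gen_rules.
apply_rules() {
    gen_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Pre-apply check: how many rules open a given TCP port to new connections?
count_port_rules() {
    port="$1"; shift
    gen_rules "$@" | grep -c -- "--dport $port " || true
}

# Show what is actually listening, so services that need no exposure can be
# stopped rather than merely firewalled (uses iproute2, falls back to net-tools).
list_listeners() {
    ss -ltnu 2>/dev/null || netstat -ltnu
}
```

Run gen_rules first and read the output; only then call apply_rules with the same arguments.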
In comp.os.linux.security Tom Forsmo <spam@nospam.net>:
> hi
> I have been hearing from different sources that a truly good security
> setup does not require a firewall. Of course that depends on the
> situation for the system. but if one considers a single home computer,
> is it plausible to have basic security without a firewall?

Sure, you don't need a firewall at all, if you know what you are doing. Since you ask, it is obvious you don't have the required skills to do so until now.

> The reason I am asking is that I am looking for the simplest way to
> centrally control which ports are open and for which adresses. The
> problem is that most firewall systems on linux are pretty complex, e.g.
> shorewall, and that makes it difficult to make it work properly.

No they aren't, it is just that you didn't spend the required time to dig deeper into it. Using one or another helper app to set up iptables will not teach you much, if anything. There are quite a few great iptables howtos (www.tldp.org), which explain in detail how packets traverse the Linux built-in firewall. If you get these basics it isn't that difficult anymore.

> I was initially thinking that setting hosts.deny/allow would cover a lot
> of ground. When I tested it, by setting deny: ALL:ALL, I found that
> SSH was affected but http was not. I also found that nmap finds all the

Just because your sshd was likely, per distro package, compiled with support for tcp_wrappers. Apache usually isn't, since mostly the purpose of an http server is to let people view stuff, and apache has its own layers of access control which are IIRC finer grained than the additional access control sshd has built in. Apart from the huge security difference between shell access and http access.

> ports open. Yhis suggest to me that if I dont use a firewall I have to
> separately configure all the different services to make a basic security
> config.
>
> So the question is, is there a single file such as allow\deny that can
> be used to control visibility of ports and access in an easy way, or is
> a firewall the only real option for this (which mean that I would have
> to throw out shorewall and just use iptables directly)

Dunno why you are scared about the visibility of ports? If you don't run anything on them, there is no problem.

In short, security is like an onion: the more layers you have the better; if one should fail, usually due to misconfiguration, you still have more protecting you.

The easiest, especially looking at sshd, is to deny direct root logins at first. Probably one reason people get cracked: sshd running open to the internet with direct root logins enabled. An attacker doesn't have to guess a user name but can just go on trying to log in as root with some dictionary attack tool. Now if your root password is trivial you have already lost your machine.

Good luck

-- 
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 191: Just type 'mv \* /dev/null'.
notbob wrote:
> On 2006-12-09, left_coast <void@void.not> wrote:
>> BTW, shorewall is not the firewall, it is a method of configuring the
>> firewall. If you want a relatively easy front end, try Guarddog.
>>
>> http://www.simonzone.com/software/guarddog/
>
> .....or Arno's iptables firewall script. You edit the config script,
> it configures iptables. It starts with everything closed but stateful
> http and email and you open things as needed. Even a dummy like me
> can figure it out. ;)
>
> http://rocky.molphys.leidenuniv.nl/

Thanks, I will have a look at them.

tom
responder wrote:
> Hello tom. You don't have to "throw out" shorewall (i never used it) or
> any other utility, but it is still good to know how to add or modify
> iptables rules (from command line if necessary). Depending on your OS and
> what is available, you probably have several GUI options. When you say
> "centrally control", I understand *remotely control* several systems. And
> that means "remotely". Your host* files are very useful here.

Sorry, I may have been a bit unclear by saying central control; what I meant was a single file or similar which controls in a simple way which ports are open and which are not. Shorewall is very complicated and almost every time I use it I make mistakes, and spend lots of time reading its documentation to try to understand what I did wrong. This applies mostly to a bit more advanced setups, such as for VPN and IP masquerading. So I am looking for a simple solution. I thought using hosts.allow/deny could be that solution, but apparently it is not.

> Theoretically, firewall is unnecessary. In practical terms, for the
> effort and value involved, firewall is the cheapest, easiest, most
> effective cover-all security solution. That doesn't preclude using layers
> (many layers) of redundant security. Actually, many layers are best.
> Look for and implement them.

For the services I will expose, I definitely will, but for the services I only use locally I don't think I will spend much time on the extra layer; it's just easier to block the port with the firewall.

> For controlling open ports and from where they can be accessed, iptables
> (netfilter) is what you want.

Thanks for your input.

tom
Michael Heiming wrote:
> In comp.os.linux.security Tom Forsmo <spam@nospam.net>:

First of all, for this particular question, it's about protecting a laptop, which I bring with me to customers and connect to potentially unsafe networks.

> No they aren't, it is just you didn't spend the required time to
> dig deeper into it. Using one or another helper app to setup
> iptables will not teach you much if anything.

Don't be so harsh; it may not be suitable for you, but it is for me. There are many things about Linux I don't spend too much time on, I just want them to work, e.g. USB ports, Bluetooth. Linux is complicated enough, so I spend time on the parts that matter to me. Right now, that would be to clear up a couple of things about firewall-based security I have been wondering about for some time.

> There are quite a few great iptables howto (www.tldp.org), which
> explain in detail how packets traverse the Linux built in
> firewall. If you get this basics it isn't that difficult anymore.

You are missing the point, which is: to which degree a firewall is needed, how well the alternative solutions work and the effort they require. I have some thoughts on it, but I wasn't really sure, that's why I asked. So, I won't be able to answer my own question much better by reading about all the details of how a firewall works or how to set it up.

> Just because your sshd was likely per distro package compiled
> with support for tcp_wrappers. Apache isn't usually, since mostly
> the purpose of some http server is to let people view stuff and
> apache has its own layers of access control which are iirc finer
> graded then the additional access control sshd has built in.
> Apart from the huge security difference from shell access to http
> access.

I gathered as much, but the point was that it was an example which showed that it does not control port access the way I thought, i.e. as a controller of all access to all ports independent of tcp_wrappers.

> Dunno why you are scared about the visibility of ports? If you
> don't run anything on them, there is no problem.

But for the services I do run I don't necessarily want them to be visible to everyone; for example, there is no point in announcing to the world that my rpcbind port is open.

> In short security is like an onion, the more layers you have the
> better, if one should fail, usually due to misconfiguration you
> still have more protecting you.

But by closing the externally visible ports of services I will be using locally only, I can reduce the effort I need to keep the system reasonably safe. I will of course configure the services that do need global exposure, even the ones that only need it temporarily, so they are reasonably safe when the firewall port is open.

> The easiest especially looking at sshd, is to deny direct root
> logins at first. Probably one reason people get cracked, sshd
> running open to the internet with direct root logins enabled. Any
> attacker doesn't have to guess a user name but can just go on
> trying to login as root with some dictionary attack tool. Now if
> your root password is trivial you have already lost your machine.

I have sshd set up with no root login and an explicit list of user accounts allowed to log in. I found out a year ago that after I installed an Oracle DB, it installed an oracle account. So when the infamous internet port scanners visited my machine, they found sshd and tried a couple of hundred different standard user account names, including the oracle account, with all the standard passwords. Fortunately none of the passwords they tried worked.

tom
left_coast wrote:
> Tom Forsmo wrote:
>
>> I have been hearing from different sources that a truly good security
>> setup does not require a firewall. Of course that depends on the
>> situation for the system. but if one considers a single home computer,
>> is it plausible to have basic security without a firewall?
>
> This philosophy requires that you maintain your system perfectly. That you
> are always on top of your updates and that you make no mistakes that would
> allow hackers into your system. Even on a home system, a firewall will add
> an extra level of protection that makes it more difficult for a single
> mistake to compromise a system.

This is what I suspected, thanks for clearing it up for me.

> BTW, shorewall is not the firewall, it is a method of configuring the
> firewall. If you want a relatively easy front end, try Guarddog.
>
> http://www.simonzone.com/software/guarddog/

Fair enough, I will have a look at it.

tom
In comp.os.linux.security Tom Forsmo <spam@nospam.net>:
> Michael Heiming wrote:
>> In comp.os.linux.security Tom Forsmo <spam@nospam.net>:

[..]

>> No they aren't, it is just you didn't spend the required time to
>> dig deeper into it. Using one or another helper app to setup
>> iptables will not teach you much if anything.

> Dont be so harsh, it may not be suitable for you, but it is for me.

There was nothing harsh about it; if speaking out, as it seems, is too harsh for you, better not post to usenet.

> There are many things about linux I dont spend too much time on, I just
> want it to work, e.g. usb ports, bluetooth. Linux is complicated enough,

No it isn't at all, you just seem not used to it enough.

[..]

> I have sshd set up with no root login and explicit list of user accounts
> allowed to login. I found out a year ago that after I installed an
> oracle db, it installed an oracle account. So when the infamous internet
> port scanners visited my machine, it found sshd and tried a couple of
> hundred different standard user account names, including the oracle
> account, with all the standard passwords. Fortunately none of the
> passwords they tried worked.

You just don't run an oracle db on a machine with ssh open to the internet; you usually don't even run such a beast inside some DMZ, it should be avoided.

Good luck

-- 
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 75: There isn't any problem