On 02/14/2013 06:40 PM, Ryan Freeman wrote:
On Thu, Feb 14, 2013 at 04:20:30PM -0700, Daniel Bertrand wrote:
Hello,
Thanks for providing such great software. It really is much appreciated.
I was wondering what your stance is about the constant hack attempts on
machines on our ISP networks.
I see CONSTANT scanning for ports from all over the world, mostly from Italy,
Russia, and China.
yeah I see this daily. doesn't matter, they never get anywhere.
Every firewall/router product that I have purchased has been compromised so far.
Is there really a secure, trustworthy adaptive filtering firewall configuration
for each OS configuration out there?
block all is the right place to start from
adaptive??? adapt to what??? if you can't define that,
the problem is undefined and impossible to solve.
then: what unsolicited incoming packets do you want?
for user systems, (especially u$soft ones) NONE.
for server systems, what services do you need to expose?
only the incoming ports associated with those services.
you should consider allowing ICMP echo (ping) and traceroute
(UDP) to your domain.xxx and/or www.domain.xxx addresses.
outgoing connections? from secure systems, allow all is
probably OK - though blocking packets to useless
"privileged" ports is probably a good idea.
there is very little you can do if a system inside your
firewall is infected. subnets can help you: for instance,
only allowing requests to port 80 from users will defeat
some portion of dangerous packets. any use of micro$oft
inside your firewall is very dangerous - that software
is, by architecture and design, impossible to make secure.
any system using u$soft software must be regarded as
insecure at all times. Programs like skype, etc. which
use proprietary packet formats are inherently security
failures.
The internet is an extremely hostile place.
"need to know" and "need to access" must be your rules.
block everything else.
geoff steckel
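The policy geoff describes (block all, pass in only the exposed services plus ICMP echo and UDP traceroute, let the server side out except to useless low ports, and let users out only to port 80), written as an OpenBSD pf.conf sketch. This is an added example, not a config from the thread; the interface names, addresses and subnet are placeholders, and the traceroute UDP range is the conventional one rather than anything the thread states.

```pf
# Added example (not from the thread). Interfaces, addresses and the
# user subnet are placeholders; adjust them to your own network.
ext_if = "em0"
int_if = "em1"
server = "192.0.2.10"           # www.domain.xxx (placeholder address)
users  = "10.0.0.0/24"          # user workstations behind the firewall
server_tcp = "{ 80 443 }"       # only the ports of services you expose
trace_udp  = "33434:33523"      # conventional UDP range traceroute probes
out_low    = "{ 53 80 123 443 }" # low ports the server does need to reach

set skip on lo
set block-policy drop

# "block all is the right place to start from": last matching rule wins,
# so everything not explicitly passed below is dropped (and logged).
block log all

# Unsolicited incoming traffic: only the exposed services on the server,
# plus ping and traceroute so the outside can diagnose reachability.
pass in on $ext_if proto tcp to $server port $server_tcp
pass in on $ext_if inet proto icmp to $server icmp-type echoreq
pass in on $ext_if proto udp to $server port $trace_udp

# Outgoing from the server: allow all, except to the "privileged" ports
# (1-1023) it has no business talking to. "quick" stops rule evaluation,
# so the needed low ports are passed first, the rest of 1:1023 blocked,
# and everything above 1023 falls through to the final pass.
pass out quick on $ext_if proto { tcp udp } from $server to any port $out_low
block out quick on $ext_if proto { tcp udp } from $server to any port 1:1023
pass out on $ext_if from $server

# Users inside the firewall: only web requests to port 80 leave, which
# defeats some portion of the traffic an infected user machine generates.
pass in on $int_if proto tcp from $users to any port 80
pass out on $ext_if proto tcp from $users to any port 80
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; the user rules assume NAT or routing for the inside subnet is handled separately.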