[PLUG] VNC, SSH, and iptables [was: Transferring mozilla mail and newsgroup settings from linux to windows]

James Devenish devenish at guild.uwa.edu.au
Sun May 9 22:42:25 WST 2004


Hi,

I usually find it immature when people attempt to refute almost every
individual sentence in someone else's post, yet the opportunity seems
to have presented itself to me. But first: Bill, thanks for your
sincere comments.

Preface: I realise that having a firewall for a home network is useful,
as it allows you to have insecure sharing on individual computers while
maintaining a level of overall security (with regards to exposure of
services to the public Internet, that is). I accept this as a genuine
and indisputable application of "firewalling" because the firewall is
consciously established on a gateway device, rather than running as a
personal service on individual devices.

In message <1084106544.10156.20.camel at rattus.Localdomain>
on Sun, May 09, 2004 at 08:42:24PM +0800, William Kenworthy wrote:
> On Sun, 2004-05-09 at 19:53, James Devenish wrote:
> > I would be disturbed if Fedora actually needed a firewall by default, as
> > operating systems with sane defaults don't need firewalls by default
> > (everyone probably disagrees with me, and I would be interested to know
> > the counterarguments, as 'personal firewalls' seem like some sort of fad
> > to me).
> If you can guarantee, perfectly, that you or anyone else will never, ever
> misconfigure your system,

Like misconfiguring the firewall, perhaps? "Firewall" is a pretty loose
term, and refers to a variety of systems which have a nebulous range of
configurability. I think people get confused about what protection their
personal firewalls are or are not providing. Most users do not have the
expertise to understand the significance of all this, yet the imposition
of a firewall creates this additional layer of difficulty. As an
example: a lot of users will want to use chat programmes or streaming
media applications that require "ports to be open" (if I can be so loose
in my terminology). This means either forcing users to configure their
firewalls themselves, or consent to autonomic/template-based changes, or
apply some security-defeating strategy like "allow all connections that
are initiated from inside the firewall". With regards to the autonomic
changes, the people who most need the automatic protection are probably
the sort of people who'll also say "yes, yes, do whatever you want, just
let me chat". That is, they trust their software vendor to configure
their firewall properly. Yet, it would seem to be the lack of vendor
trustworthiness that leads to the perceived need for firewalls in the
first place.

I realise, however, that content-inspection firewalls can lead to
convenience (e.g. getting rid of spam and e-mail worms, getting rid
of pesky web ads, etc., but those are luxury features quite apart
from the concept of "closing all unused ports").

> never use xhost+ when fault finding,

I fail to see why you would consider it superior to have people
disabling both xhost control /and/ their firewall compared to
merely disabling xhost control.

> never install a webserver (I am thinking of zope, cups,

There should not be any problem installing these programmes. A problem
/might/ arise if these apps have security flaws and are exposed to the
Internet, but content-inspecting stateful firewalls are themselves
susceptible to these flaws. In the case of zope, you might want either
to expose it to the Internet or to other computers on your local
network. In the former case, you are not protected against protocol
flaws and in the latter case, you would need to configure your firewall
in an expert manner. Needing to set up your firewall in an expert manner
is rational in itself, but does not justify to me why you'd have a
personal firewall enabled by default.

About the only worthwhile excuse for a personal firewall that springs to
my mind is to protect against programming errors in file sharing
services. I guess that you feel this is a sufficient reason for the
universal application of blanket firewalls, whereas I currently refuse
to accept that it is sufficient.

> never use a browser (i.e., the recent posts about wine running a doze
> trojan),

A packet filter does not protect your web browser, and even a
content-inspecting firewall cannot protect against malicious
scripts or encrypted payloads. Client-side access control can
assist, but that's physically beyond the scope of a "firewall".

> then you may possibly temporarily make do without a firewall - but
> please think of fellow web users and treat the machine as unclean, and
> untrusted - for example, would you trust your internet banking to this
> machine knowing that it could be open?

I fail to see any relevance of a firewall for a machine on which you are
doing Internet banking. If the machine is known to be trustworthy
without the firewall, the firewall is superfluous (all machines on which
I do Internet banking fall into this category). If, on the other hand,
the machine is not known to be trustworthy, then I fail to see how a
firewall would enhance its standing.

> A firewall isn't perfect, and neither is any other method short of
> pulling the network cable and never attaching it again - do the sums and
> you will find a firewall is a small investment in time (and zero dollars
> in the case of linux) with a possibly huge benefit - treat it like
> insurance - one day you may be glad that you have it, and in all
> likelihood you may never notice the protection that it has given you.

As an administrator of server machines, this is unfortunately not the
case for me. Services are exposed to the public by their intrinsic
nature, so no firewall can protect them (hello SSH, hello Apache).
While firewalls are useful to me, and are installed and active, that
specifically relates to "VPN" techniques (yet another loose term).

> It is also worth mentioning the logging capabilities of a firewall which
> is a powerful tool for security and monitoring as well.

Okay, I agree with you on that one (although, on the flip side, it's
also a way to cause a denial-of-service situation that works against
yourself, albeit marginal).
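The thread mentions three concrete iptables-level choices without showing them: the "allow all connections that are initiated from inside the firewall" policy, explicitly exposed services that the firewall cannot protect (SSH, Apache), and firewall logging that can turn into a self-inflicted denial of service. The script below is an added example written for this archive page; it is not code from either poster. It generates an iptables-restore ruleset on stdout rather than applying anything, and includes a small check that the ruleset has a DROP policy and that every LOG rule is rate-limited. The interface name eth0 and the exposed port 22 are assumed, illustrative values.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (does not apply)
# a minimal host/gateway ruleset in iptables-restore format.
# Assumptions (hypothetical): WAN interface is "eth0"; SSH is the only
# exposed service, on TCP 22. Load with: gen_rules eth0 22 | iptables-restore

# Emit the ruleset. $1 = WAN interface, $2 = comma-separated TCP ports to expose
# (may be empty for a host that exposes nothing).
gen_rules() {
    wan="$1"
    ports="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always trusted.
-A INPUT -i lo -j ACCEPT
# Stateful rule: replies to connections initiated from inside are let back in.
# This is the "allow everything initiated from inside" policy the thread
# discusses; it is what lets chat and streaming clients work without
# per-application holes, at the cost of trusting whatever runs inside.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that claim to belong to a connection we have no state for.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Explicitly exposed services. The firewall cannot protect these; the
# service itself has to be secure.
EOF
    if [ -n "$ports" ]; then
        printf -- '-A INPUT -i %s -p tcp -m multiport --dports %s -m conntrack --ctstate NEW -j ACCEPT\n' "$wan" "$ports"
    fi
    cat <<EOF
# Log what falls through to the DROP policy, but rate-limit it so a flood of
# rejected packets cannot fill the disk or swamp syslog (the self-inflicted
# denial of service the thread mentions).
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
EOF
}

# Sanity-check a ruleset read from stdin before loading it:
#   - INPUT policy must be DROP (default-deny),
#   - the stateful ESTABLISHED,RELATED accept must be present,
#   - every LOG rule must carry a "-m limit" throttle.
# Returns 0 when all checks pass, 1 otherwise (reason on stderr).
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' \
        || { echo "check: INPUT policy is not DROP" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' \
        || { echo "check: missing stateful accept rule" >&2; return 1; }
    if printf '%s\n' "$rules" | grep -- '-j LOG' | grep -v -q -- '-m limit'; then
        echo "check: found a LOG rule without a rate limit" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: print the ruleset for review.
gen_rules eth0 22
```

Review the printed rules, then pipe them through check_ruleset before handing them to iptables-restore; a ruleset whose LOG rule lacks the limit match, or whose INPUT policy is ACCEPT, is rejected by the check.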
