On 12/06/2012 11:13 AM, Reindl Harald wrote:
>
> On 06.12.2012 17:10, Robert Moskowitz wrote:
>> On 12/06/2012 10:41 AM, Les Mikesell wrote:
>>> On Thu, Dec 6, 2012 at 9:13 AM, <m.roth@xxxxxxxxx> wrote:
>>>> Disabling selinux, or at least setting it to permissive, I agree with.
>>>> Turning down your firewall?! Anyone suggesting that is, IMO, either a)
>>>> clueless, or b) a malware user/vendor trying to make life easier. Can
>>>> anyone think of any other possibilities?
>>> Someone with good site and subnet-level hardware firewalling. And a
>>> good feeling that all the bad guys are on the other side of the
>>> firewalls.
>> Which I have. A Juniper branch firewall that I was given for testing
>> purposes. And I am subnetted up the gazoo; I have a 64 address CIDR
>> allocation that I have subnetted to /29s and /28s. I also use RFC1918
>> extensively. After all, I am one of its authors :)
> but you did not understand "feeling that all the bad guys are on the other
> side of the firewalls" - these days believing there will never be attacks
> from infected machines and such crap from INSIDE the network is naive
>

Actually I do, as I work in this area. Granted my job is secure communications, not secure OS/apps, but I work with the team that does deal with this. It goes back to my good friend Steve Bellovin where in his firewall book he called the firewall the crunchy outside and the corp net the chewy inside. He later was a strong advocate for per system firewalling; what we have today. When we keep it on, that is.

Also why I want to get my DNS server off of the old CentOS to current and my Samba and Mail servers also to current. Past due.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos