Re: Netfilter applied to specific interfaces only

2013/3/10 Neal Murphy <neal.p.murphy@xxxxxxxxxxxx>:
> I humbly disagree. Any server exposed to the internet should be configured to
> limit inbound and outbound access to exactly that which is needed for it to
> operate. For example, a simple web server should allow only new incoming
> conns to ports HTTP and HTTPS from the internet; it should block new outgoing
> conns (since a simple web server only serves data over existing conns).
> Management ports, like ssh, should be limited to the least reasonable set of
> addresses expected. Periodic audits should show if these limits have been
> altered. The server is its own first line of defense. The nearest firewall is
> the second line of defense. The perimeter firewall is the last line of
> defense.

Ok, it's a different approach than I usually take.

IMHO, the first level of security is a firewall and the second an IPS -
so I can reduce the load processed by the IPS (which does analysis at a
high level - we are working with HP TippingPoint IPS). Servers are
entities that need protecting. We have more than 300 servers. In my
opinion, it would be impractical to manage otherwise. The firewall
rules can't protect a web server from an exploit, but an IPS can.

It is quite likely that the firewall rules on the server do not make
much difference if the service is compromised.
But it's only my opinion.
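The host policy Neal describes in the quoted paragraph (new inbound only on HTTP/HTTPS, no new outbound connections, ssh only from the expected management addresses, default drop), written out as an nftables ruleset. This is an added example, not code from either poster; the management range 192.0.2.0/24 is an assumed placeholder (TEST-NET-1), and the script only prints the ruleset so it can be reviewed or diffed before being applied.

```bash
#!/bin/sh
# Added example: host firewall for a "simple web server" as described in the
# thread. Assumes nftables is available on the server. MGMT_NET is the set of
# addresses allowed to reach ssh; the default below is a placeholder range.
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

# Print the ruleset as an nft script. Apply with:  gen_webserver_ruleset | nft -f -
# Keeping a copy of this output lets a periodic audit compare it against
# `nft list ruleset` and show whether the limits have been altered.
gen_webserver_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # only new inbound connections to HTTP and HTTPS, from anywhere
        tcp dport { 80, 443 } ct state new accept
        # management: ssh only from the expected admin addresses
        ip saddr $MGMT_NET tcp dport 22 ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        # the web server only answers over connections that already exist
        ct state established,related accept
        # no new outbound connections; log the attempt so the audit sees it.
        # Any egress the host genuinely needs (DNS resolvers, package
        # mirrors, NTP) must be added here explicitly, above this line.
        ct state new log prefix "webserver-egress-blocked: " drop
    }
}
EOF
}

# Stand-alone run: print the ruleset for review
gen_webserver_ruleset
```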
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
