SLUG Mailing List Archives
Re: [SLUG] advice on security compliance
- Subject: Re: [SLUG] advice on security compliance
- From: Daniel Bush <dlb.id.au@xxxxxxxxx>
- Date: Mon, 2 Nov 2009 18:04:27 +1100
- Cc: slug <slug@xxxxxxxxxxx>
2009/11/2 Robert Collins <robertc@xxxxxxxxxxxxxxxxx>
> On Mon, 2009-11-02 at 16:28 +1100, Daniel Bush wrote:
> > I was following Rick's recent post about penetration testing with some
> > interest. I'm looking at complying with anz e-gate for e-commerce
> > transactions. ANZ has this declaration form for internet sites that you
> > have to sign. One of the tick boxes says "Do you operate a firewall that
> > regularly updated?"
> > I have an iptables firewall which basically blocks all ip6 and all ip4
> > except for a couple of ports I expose to the internet. I don't see why I
> > need to update it "regularly".
> Two primary reasons:
> - iptables is not bug free. Few and far between, but not empty-of-bugs.
I mean updating the rules you use to filter packets not maintaining the
software that does the filtering. Is that what you mean here? Maybe that's
what this tick box means. I didn't think of that. I just assumed they
were talking about the filtering rules...
> - ip4 and ip6 are not 'finished'. Every now and then a new RFC or even
> std is released, and you need to update your firewall and routing rules
> accordingly. (e.g. the nonroutable address space changes over time, so
> you need to update your rules accordingly).
Must still be missing something here Rob. I just block everything except
for the services I run on the public interface (and stuff on the internal
loopback interface / localhost). Why do I need to worry about
> Even if those two points didn't matter, if you admin the firewall using
> ssh, and sshd has a bug permitting remote compromise, you'd be remiss
> not to update that.
I think this is a software update issue. As before I'm wondering if that is
what the tick box meant. What confuses me is that I would have that as a
separate tick box in itself, something like "do you regularly patch/maintain
security updates for your software, especially firewall and related security
systems?" That is not the issue I thought the tick box was addressing.
I may be reading you all wrong here though :(
> So, its an important checkbox, and if you're not maintaining your
> firewall, don't tick it! (Worse still, if you think deny-all + a couple
> of permits == correctly setup firewall - you need about 15 rules I
> think, for a _minimally_ conformant firewall [that is, not in violation
> of parts of the IP stack]).
Ok, now you're worrying me. For a simple set up where you have an isolated
box running a webserver and ssh: I have a default drop policy on all tables;
a catch-all drop rule that logs certain things; I have some stateful rules
so that I can talk to the outside world and several open ports on a specified
interface for the tcp protocol where I am exposing services to the outside
If the default is to drop everything except a specific set of ports on a
specific interface using a specific transport why do I have to twiddle with
Surely the only area of concern is the established/related stateful rules
Is that what you mean? Are you reviewing the stateful part of your packet
filtering firewall every week because you're worried it could get spoofed or
something? If so, what is your strategy here and does it result in some
sort of regular update?
Or do you have default policy of accept which means you have to worry about
closing stuff down all the time? I've always assumed drop so I don't even
want to begin to think about the alternative.
> Keeping on top of the whole mess is what is
> implied by 'regularly updated', not turning on some vendor software-sync
> button and forgetting about it.
hm; as per my above comments. I'm pretty paranoid about my firewall.
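One way to lay out the ruleset described in this thread (default drop on every chain, loopback trusted, stateful ESTABLISHED/RELATED rules, a logged catch-all, and a few exposed TCP ports on one interface), together with the ICMP and non-routable-source handling Rob is alluding to when he says deny-all plus a couple of permits is not yet a correctly set up filter. This is an added example, not anything posted in the thread or taken from anyone's actual firewall; the interface name eth0, the port list, the bogon prefixes and the choice of ICMP types are illustrative assumptions. Generating the ruleset from a script rather than hand-editing it also makes the "regularly updated" question concrete: the bogon list and the exposed ports are the parts that change.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a single host running
# a web server and sshd behind a deny-by-default IPv4 filter.
# Assumptions (not from the thread): interface name, ports, the bogon
# prefixes and which ICMP types to admit are all illustrative.

# gen_rules IFACE PORT... : print the ruleset to stdout.
gen_rules() {
    iface=$1; shift
    cat <<'EOF'
*filter
# Default-drop policy on every built-in chain.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is trusted unconditionally.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Stateful rules: replies to our own connections come in, anything that is
# part of an established or related flow goes out.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Drop what conntrack cannot classify (stray ACKs, malformed TCP flags).
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Assumed bogon list: sources that can never legitimately arrive from the
    # internet on the public interface. Such lists change over time, which is
    # one reason a "static" ruleset still needs periodic review.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        printf '%s\n' "-A INPUT -i $iface -s $net -j DROP"
    done
    cat <<'EOF'
# Assumed ICMP handling: admit fragmentation-needed so path-MTU discovery
# keeps working, and rate-limited echo-request so the host stays pingable.
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    # Exposed services: new TCP connections only, only on the listed ports,
    # only on the public interface.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<'EOF'
# Catch-all: log (rate-limited, so an attacker cannot fill the disk) and drop.
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# count_rules IFACE PORT... : number of -A rule lines, as a quick sanity
# check on how big a "minimal" ruleset actually ends up.
count_rules() {
    gen_rules "$@" | grep -c '^-A'
}

# Usage (as root): gen_rules eth0 22 80 | iptables-restore
# IPv6 is handled by a separate ip6tables ruleset, not shown here.
```

Loading through iptables-restore replaces the whole table atomically, so a regenerated ruleset never leaves the host half-configured between rule changes, and the script itself can live in version control where a diff shows exactly what changed at each "regular update".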