[LUNI] Making a private network somewhat public.

Martin Maney maney at two14.net
Wed Dec 12 11:45:44 CST 2007


On Wed, Dec 12, 2007 at 09:54:05AM -0600, Richard Reina wrote:
> Newer Linksys router 80%

If it's only connected to a secured Linux server: 0%

(depending on the model, possibly *is* a secured (we hope) Linux server...)

> Secure SMTP gateway running a stripped down OS strict IP tables 15%

This is a form of application-level gateway.  I'm not sure it buys you
anything at all unless you don't trust the hosts you'll be sending mail
to not to attempt to exploit a hypothetical vulnerability in the
sending machine's MTA.  In the general case that might be worth
worrying about (at a near-clinical level of paranoia, anyway, unless
you use a flakey SMTP server), but IIRC you only need to send the mail
to one or a few destinations, so it seems more likely they can be
trusted that far.

> Keeping distros up to date on all the networks backen machines 3%

s/backen//  99%

(assumption: the distro doesn't run a bunch of dodgy services by
default, or you've disabled them; likewise that you don't have special
needs that call for running vulnerable services.  That last might not
be true...)

> Running IP tables on all the networks machines 2%

Depends on what there is there to be blocked.  iptables adds nothing to
a machine that's running no externally accessible services.  Local
exploits it might block from reaching out, but given that level of
compromise why would you expect that iptables itself couldn't be
subverted?  Wishful thinking unless you can know that your threat comes
only from incompetents... which could be true.

> These are only examples, I know little about security.  It would be great to
> get input, so to "attempt" to quantify how much the above measures matter
> and what difference additional measures might make.

Keep in mind that I'm making these numbers up as I go along, just like
all the others we've seen here.  And that security isn't something that
comes in packets labeled in percentages anyway...

I will give you one totally reliable statistic: adding an internet
connection, however firewalled and isolated, increases your
vulnerability to remote attacks infinitely.  Unless you're already
using wifi, the great open door of networking.

-- 
The most common implementation of SMTP is contained in sendmail.
This program is included free in most UNIX software distributions,
but you get less than you pay for.  -- Cheswick, Bellovin & Rubin
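The iptables point above turns on a factual question: does the machine actually listen on anything reachable from the network? The following is an added example (not from the thread or its authors) that answers it by parsing `ss -lntu` output; the sample output is constructed, and the column layout assumed is the standard one (Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port).

```python
"""List listening sockets reachable from beyond the host.

Added example, not part of the original LUNI thread. Sockets bound only
to loopback are ignored; what remains is the set a host firewall could
actually block. If that set is empty, iptables buys nothing against
remote attackers, which is the point made in the reply above.
"""
import ipaddress

# Constructed sample of `ss -lntuH` output (no header) for a host that
# runs sshd on all interfaces, a mail relay on its LAN address, and a
# local-only database plus a local-only UDP listener.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100     192.168.1.10:25         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128            [::1]:5432          [::]:*
udp   UNCONN 0      0          127.0.0.1:5353       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""

def split_endpoint(local):
    """Return (host, port) from '0.0.0.0:22' or '[::1]:5432'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)

def is_external(host):
    """True if the bind address is reachable from another host."""
    if host in ("*", ""):
        return True
    addr = ipaddress.ip_address(host)
    return not addr.is_loopback  # 0.0.0.0 and :: count as external

def externally_reachable(ss_output):
    """Return sorted (proto, host, port) for non-loopback listeners."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        proto, local = fields[0], fields[4]
        host, port = split_endpoint(local)
        if is_external(host):
            found.add((proto, host, port))
    return sorted(found)

if __name__ == "__main__":
    for proto, host, port in externally_reachable(SAMPLE_SS):
        print(f"{proto} {host}:{port} is reachable from the network")
```

On a real host, feed it `subprocess.run(["ss", "-lntuH"], capture_output=True, text=True).stdout` instead of the sample.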