On Tue, Aug 27, 2019 at 06:58:06AM -0700, John Harris wrote:
> On Tuesday, August 27, 2019 4:37:24 AM MST David Kaufmann wrote:
> > Both options have their disadvantages - in the case of "maintainer opens
> > ports" the ports are open as soon as the package gets installed, and
> > software not run/installed via package manager will give the impression
> > of "just not working".
> Why in the world would somebody from the security team recommend opening a
> port on the firewall as the software is installed, before it's even
> configured?
I'm not trying to recommend it, this is already done, e.g. for mdns,
samba-client, or ssh. (To be fair that happens on os install, not
necessarily on package install)
I'm trying to list the problems with those options.
> > Also a firewall is not as much protection as it looks like - imagine
> > any port (above 1024) which was opened on the firewall (either by
> > maintainer or user), but where no program is listening. The
> > additional barrier to run e.g. a c&c server on that machine would just
> > be an additional portscan before deploying the malware.
> Just running a firewall reduces the attack vector needed to deploy potential
> malware to begin with.
Very true. Unfortunately it is usually done to shield services which
should not be there in the first place.
Also stuff like rate-limiting or ip-header-checks are usually done by
firewalls, hence my emphasis on making sure users don't start to disable
the whole firewall because it is "easier".
~ David
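The "open port with nothing behind it" point above is easy to check for on a firewalld host. The script below is an added example, not code from this mail, from Fedora or from firewalld: it reads the text output of `firewall-cmd --list-ports`, `firewall-cmd --list-services` and `ss -tulnH` and reports every allowed port/protocol that no local socket is bound to. The sample command outputs and the small `SERVICE_PORTS` table (services named in the thread only) are constructed for the example; the real service definitions live in /usr/lib/firewalld/services/*.xml and would be the authoritative source for a production audit.

```python
"""Report firewall openings that no local program is listening behind.

Added example (not from the original thread or from firewalld). Consumes
the text output of three commands an admin would run on a firewalld host:

    firewall-cmd --list-ports       ->  "8080/tcp 5000/udp"
    firewall-cmd --list-services    ->  "ssh mdns samba-client"
    ss -tulnH                       ->  one listening socket per line

SERVICE_PORTS and the SAMPLE_* outputs are constructed for this example
(assumption); firewalld's real definitions are in
/usr/lib/firewalld/services/*.xml.
"""
import re
import subprocess
from typing import Dict, List, Set, Tuple

Port = Tuple[int, str]          # (port number, "tcp" or "udp")

# Constructed subset of service -> ports for the services named in the
# thread. Assumption: values match firewalld's shipped definitions.
SERVICE_PORTS: Dict[str, List[Port]] = {
    "ssh": [(22, "tcp")],
    "mdns": [(5353, "udp")],
    "samba-client": [(137, "udp"), (138, "udp")],
}


def parse_list_ports(text: str) -> Set[Port]:
    """Parse 'firewall-cmd --list-ports' output such as '8080/tcp 5000/udp'."""
    ports: Set[Port] = set()
    for tok in text.split():
        m = re.fullmatch(r"(\d+)/(tcp|udp)", tok)
        if m:
            ports.add((int(m.group(1)), m.group(2)))
    return ports


def expand_services(text: str) -> Tuple[Set[Port], List[str]]:
    """Map 'firewall-cmd --list-services' names to ports via SERVICE_PORTS.

    Names missing from the table are returned separately rather than
    silently dropped, so the audit never under-reports.
    """
    ports: Set[Port] = set()
    unknown: List[str] = []
    for name in text.split():
        if name in SERVICE_PORTS:
            ports.update(SERVICE_PORTS[name])
        else:
            unknown.append(name)
    return ports, unknown


def parse_ss_listeners(text: str) -> Set[Port]:
    """Parse 'ss -tulnH': Netid State Recv-Q Send-Q Local:Port Peer:Port."""
    listening: Set[Port] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        local = fields[4]                       # e.g. 0.0.0.0:22 or [::]:22
        port_str = local.rsplit(":", 1)[-1]
        if port_str.isdigit():
            listening.add((int(port_str), fields[0]))
    return listening


def unbacked_openings(allowed: Set[Port], listening: Set[Port]) -> List[Port]:
    """Ports the firewall lets through that no local socket is bound to."""
    return sorted(allowed - listening)


def audit(list_ports_out: str, list_services_out: str, ss_out: str) -> Dict[str, object]:
    svc_ports, unknown = expand_services(list_services_out)
    allowed = parse_list_ports(list_ports_out) | svc_ports
    return {
        "unbacked": unbacked_openings(allowed, parse_ss_listeners(ss_out)),
        "unknown_services": unknown,
    }


def collect_live() -> Dict[str, object]:
    """Run the three commands on this host (needs firewalld and iproute2)."""
    def run(*cmd: str) -> str:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return audit(run("firewall-cmd", "--list-ports"),
                 run("firewall-cmd", "--list-services"),
                 run("ss", "-tulnH"))


# Constructed sample outputs: two ad-hoc ports plus three services allowed,
# but the host is only listening on sshd, avahi (mdns) and a local cups.
SAMPLE_LIST_PORTS = "8080/tcp 5000/udp"
SAMPLE_LIST_SERVICES = "ssh mdns samba-client"
SAMPLE_SS = """\
udp   UNCONN 0      0          0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128           [::]:22            [::]:*
tcp   LISTEN 0      5        127.0.0.1:631        0.0.0.0:*
"""

if __name__ == "__main__":
    result = audit(SAMPLE_LIST_PORTS, SAMPLE_LIST_SERVICES, SAMPLE_SS)
    for port, proto in result["unbacked"]:
        print(f"{port}/{proto}: allowed by firewall, nothing listening")
    if result["unknown_services"]:
        print("services not in table:", ", ".join(result["unknown_services"]))
```

On the constructed sample this flags 137/udp, 138/udp, 5000/udp and 8080/tcp: the samba-client, ad-hoc port and service openings that nothing on the host currently uses, which is exactly the gap a dropped binary would bind to after a portscan. Replace the sample strings with `collect_live()` to run it against a real host; a listener on a port the firewall does not allow (631/tcp above) is intentionally not reported, since the firewall is doing its job there.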