fred avolio's musings

An Institute for Applied Network Security member recently e-mailed and asked me:

What are the best practices for securing your Internet router and also securing your servers on a DMZ?

These are my suggestions:

1. Lock down administration of the router so that you can only administer it via SSH, and only from inside network.
2. Know what your servers do.
3. Based on #2, limit what kinds of packets can come from the Internet to your DMZ-based servers. E.g., e-mail servers should only receive e-mail-related packets (SMTP, TLS perhaps, POP3 if you allow retrievals from the Internet, etc.), web servers, web traffic (HTTP, SSL, TLS, etc.).
4. Limit what kinds of packets can come from the DMZ-based servers to the Internet. It’s a web server… it should not originate SMTP. It should not originate anything to the Internet. It should not have any TELNET packets coming out of it to the Internet, etc.
5. Configure your firewall to likewise be unforgiving about what comes out of the servers on the DMZ destined for the inside network.

Also, see my January 4, 2002 column Basic IP Router Security.

I’m thinking the folks in Redmond just never want to see the words “Microsoft server crash” and “causes 800-plane pile-up” in the same sentence. The word “nearly” helps, but not much. I read this in techworld.com, which was referred by slashdot.

We believe what we read on-line, even when we know it is false. Months ago, I blogged The Dilution of Truth on the Internet. I pointed out that people tend to trust what they read on a computer — sometimes without much thought. Today, I found that the problem goes deeper.

In reading the Slashdot RSS feed today, I read an entry entitled Human-Powered Spam Filtering. The article pointed to this brilliant web site. Read it. It is lovely. It is also a joke. No, I mean a real joke.

It is not so interesting that it is a well done spoof. What interests me is that even after someone pointed out that it was a joke, people just ignore that, and continued to ignore that fact. (I won’t spoil your fun. Read the web site.) Do we just not read? Or is the debate more important than the truth? As I write this there are 297 comments, posted.

I was going to end this with the line. “I think we’re all Bozos on this bus.” It is from “The Firesign Theater.” Or is it? I decided to ask the Internet. A search for “We are all bozos on this bus” turned up someone who claims it is from a “Cheech and Chong … record.” — search for that phrase and “chong” and you will turn up that erroneous reference. Checking www.firesigntheatre.com not only shows that indeed the quote is from them, but there is a picture of the album cover and an MP3 snippet with the phrase.

Nevertheless… sometimes I think we are.

The Institute for Applied Network Security posted a column I wrote. Find it at here. I based it on my March 2004 blog entry, Security Redux, in which I discussed the danger in rehashing the same old questions without remembering the same old answers.

I am an Institute faculty member and wrote about our regional forums in a November 2003 blog entry.

This generation is more “connected” than any other in our history. That statement deserves a “Well, duh!” Or at least a big, “Yes, so what’s your point?” I mean, it is obvious. But, I thought about this as we sent our 3rd child off to college.

First, mobile phone plans make it so easy to stay in touch by telephone. “Long distance” rates are meaningless to those who have a bunch of “anytime minutes” and “unlimited” long distance phoning at nights and on weekends. In addition to that is text messaging and phone-to-Internet e-mail.

Next, we have live Internet chat, complete with voice and video. It doesn’t replace an “in person” visit, but when I was in college (here it comes, reminiscences from an old guy), we didn’t have e-mail, except to others users … on the same mainframe. To connect with parents and friends we used postal mail and long distance phone calls, when we could afford them.

Another example… as I was writing this, a friend came on line. She’s a missionary in Africa. Postal mail works most of the time. But, message turn-around is slow. (Another friend is a missionary in Ukraine. Postal mail works half the time. It is not very efficient.) But, Internet with voice and video work just fine, and when it doesn’t work you immediately know about it.

A small world gets smaller.

“Firewall vendors such as Check Point Software Technologies and Juniper Netscreen are touting new application-layer filtering capabilities, and these are important advances.”

This was in an InfoWorld analysis by Roger A. Grimes, titled Security landscape shifts as technologies combine. The analysis may be terrific. I cannot get past this statement. The advances were new in 1992. Not today. And we continue to forget our history.

Tim Kramer commented: “This is a facet of the recurring argument: Layer 7 vs. Layer 3/4. Now they’ve added pseudo Layer 7 inspection to Layer 3/4 devices and they’re calling it “better”. The improvement is a few milliseconds in speed, the tradeoff is security as Layer 7 proxies are still better at limiting/logging content passed thru a firewall.” Thanks, Tim. I agree, of course.