Linux Netfilter discussions
From: Anssi Hannula <anssi.hannula@gmail.com>
To: "R. DuFresne" <dufresne@sysinfo.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Messages in log with SNAT target
Date: Thu, 27 Jul 2006 22:46:15 +0300
Message-ID: <44C91807.6030500@gmail.com>
In-Reply-To: <Pine.LNX.4.64.0607271507410.16694@darkstar.sysinfo.com>

R. DuFresne wrote:
> On Wed, 26 Jul 2006, Anssi Hannula wrote:
> 
>>> Sietse van Zanen wrote:
>>>
>>>> The important issue you have is not WHAT somebody can hack. It's what
>>>> somebody can DO and ACCESS, WHEN you've been hacked.
>>>>
>>>> If somebody does manage to take over one of your systems, he most
>>>> certainly gains access to ALL the systems on the same physical
>>>> (sub)network. As ALL your systems are on the same net, draw the
>>>> conclusion.
>>>>
>>>> Combine that conclusion with the innate vulnerability of WiFi
>>>> networks and do the math. It's unwise to use your set up. period.
>>>> It's not for nothing that recommendations always talk about shielding
>>>> your WiFi with a firewall. Now for personal use, it might be
>>>> acceptable to do otherwise, but that's up to you, as always the
>>>> choice is between security and convenience.
>>>
>>>
>>> Thanks for your reply. Unfortunately, you do not seem to offer any
>>> alternative to my current setup.
> 
> Actually he did offer an alternative, though you had to read carefully
> his answer;  go with a wired set of networks, both distinct from one
> another.

Well, I can't go with a wired network, especially with the laptop. I
consider WLAN with proper WPA encryption to be sufficiently secure for
my purposes.

> Firewall those networks, adding further isolation from each other and
> from the public internet at large.

But if these are two distinct networks (the first one being connected to
internet and the workstations, the second one connected to workstations
only), what do you mean by "firewalling" them?

There cannot be any blocking of traffic on the first network, as the
whole purpose of the network is to allow connections from the internet.

The second network contains only internal traffic, and blocking any of
that would result in trouble only.

People, thanks for your concern over my network security, but I don't
really think I can achieve much better security by rewiring my network
differently. The biggest security problem I have is the possibility of
vulnerabilities in the server software, and if such a vulnerability gets
exploited, no firewall will help me then. I have to just make sure that
doesn't happen.

-- 
Anssi Hannula
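As an added example that is not part of this thread or any participant's setup: one concrete reading of "firewall those networks, adding further isolation from each other and from the internet" for a three-interface Linux gateway (internet uplink, WLAN segment, wired internal segment holding the server). The function below emits an iptables-restore ruleset that publishes only the listed server ports to the internet, lets WLAN clients reach the wired segment only on the listed internal ports (logging and dropping the rest), keeps a compromised server from initiating connections into the WLAN, and SNATs all outbound traffic to the uplink address. Interface names, addresses and port lists are assumptions for illustration; the rules are loaded with iptables-restore as root on the gateway.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables-restore
# ruleset for a gateway with three interfaces. All names and addresses
# passed in are assumptions for illustration.
#
# Usage: gen_ruleset WAN_IF WAN_IP WLAN_IF LAN_IF SERVER_IP "PUBLIC_PORTS" "INTERNAL_PORTS"
#   e.g. gen_ruleset eth0 203.0.113.10 wlan0 eth1 192.168.1.20 "80 443" "22 445" > rules.v4
#        iptables-restore < rules.v4
gen_ruleset() {
  wan="$1"; wanip="$2"; wlan="$3"; lan="$4"; server="$5"
  public_ports="$6"; internal_ports="$7"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Gateway itself: loopback, replies to its own flows, ssh from the wired segment only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Forwarded traffic: stateful replies first, malformed state dropped.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Internet may open connections to the server only on the published ports.
EOF
  for p in $public_ports; do
    echo "-A FORWARD -i $wan -o $lan -d $server -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "# WLAN clients may reach the wired segment only on the internal service ports."
  for p in $internal_ports; do
    echo "-A FORWARD -i $wlan -o $lan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  cat <<EOF
-A FORWARD -i $wlan -o $lan -j LOG --log-prefix "wlan->lan drop: " --log-level 4
-A FORWARD -i $wlan -o $lan -j DROP
# WLAN clients may go out to the internet.
-A FORWARD -i $wlan -o $wan -j ACCEPT
# Wired segment may go out; the server itself never initiates into the WLAN.
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $lan -s $server -o $wlan -j LOG --log-prefix "server->wlan drop: " --log-level 4
-A FORWARD -i $lan -s $server -o $wlan -j DROP
-A FORWARD -i $lan -o $wlan -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Published ports are forwarded to the server; everything leaving the uplink is SNATed.
EOF
  for p in $public_ports; do
    echo "-A PREROUTING -i $wan -p tcp --dport $p -j DNAT --to-destination $server"
  done
  cat <<EOF
-A POSTROUTING -o $wan -j SNAT --to-source $wanip
COMMIT
EOF
}

# Stand-alone run: use the caller's arguments, or the assumed sample values.
if [ "$#" -eq 7 ]; then
  gen_ruleset "$@"
else
  gen_ruleset eth0 203.0.113.10 wlan0 eth1 192.168.1.20 "80 443" "22 445"
fi
```

The point of the layout is that the internet-facing segment is still filtered (only the published ports reach the server, and nothing else is forwarded in), the WLAN is treated as the least trusted segment, and a compromised server has no route into the WLAN. The LOG rules in front of the DROPs are what produce the "drop" lines in the kernel log, which is where netfilter logging questions usually start.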




Thread overview: 19+ messages
2006-07-24  9:17 Messages in log with SNAT target Anssi Hannula
2006-07-24 10:15 ` Sietse van Zanen
2006-07-24 10:24 ` Pascal Hambourg
2006-07-24 10:49   ` Sietse van Zanen
2006-07-25 13:21     ` Pascal Hambourg
2006-07-25 13:37       ` Sietse van Zanen
2006-07-24 11:03   ` Anssi Hannula
2006-07-24 11:33     ` Sietse van Zanen
2006-07-24 12:01       ` Anssi Hannula
2006-07-24 12:39         ` Sietse van Zanen
2006-07-24 12:55           ` Anssi Hannula
2006-07-26  0:40         ` R. DuFresne
2006-07-26  8:16           ` Anssi Hannula
2006-07-26  9:17             ` Sietse van Zanen
2006-07-26 11:21               ` Anssi Hannula
2006-07-26 11:22                 ` Sietse van Zanen
2006-07-26 11:54                   ` Anssi Hannula
2006-07-27 19:09                     ` R. DuFresne
2006-07-27 19:46                       ` Anssi Hannula [this message]
