Ed Greshko wrote:
> If the system brings up the network interfaces, but no services that
> utilize the network, prior to bringing up the firewall what
> vulnerability is the system exposed to...and for how long?

There is a point of view that says it is a security problem to allow a system to respond to pings. I do not agree with this (at least for normal networks), but it appears to be popular among sellers of Windows "personal" firewalls (i.e. those that protect only the system on which they run).

The logic is that by responding to an attacker's ping, you have confirmed that there is a system there. You may also have given the attacker some information about the sort of system you run. The attacker can then carry out a much longer stealthy probe against all ports on your machine to find out which services are available. Later, when a vulnerability emerges, the attacker has a list of potential targets.

Now if you're designing a firewall for someone like Apple or the Ministry of Defence, and you have a whole 16 million IP addresses to play with, most of which won't have any servers running at all, this might actually be a useful tactic.

For the rest of us, attackers can use a much simpler heuristic: "Doesn't matter if the system responds to pings - if it's an IP address, it will probably have a computer behind it and is worth scanning."

James.

-- 
E-mail: james@          | Remember, half-measures can be very effective if all you
aprilcottage.co.uk      | deal with are half-wits.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
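As an added illustration (not part of the thread), here is an nftables ruleset expressing the reply's position: the default-drop input policy is what limits exposure, while echo-request is answered but rate-limited; the "personal firewall" alternative of dropping it is shown commented out. The table name, the rate, and the open SSH port are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Example ruleset (assumed layout, not from the original post)
flush ruleset

table inet filter {
    chain input {
        # Everything not explicitly accepted below is dropped, so a
        # listening service is unreachable whether or not pings are answered
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Author's stance: answer pings, but cap the rate to blunt floods
        icmp type echo-request limit rate 5/second accept
        # "Personal firewall" stance would instead be:
        # icmp type echo-request drop

        # IPv6 needs neighbour discovery even if echo is ever restricted
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Only services you actually run get a rule (assumed: SSH on 22)
        tcp dport 22 accept
    }
}
```

Load with `nft -f` and verify with `nft list ruleset`; the ping decision changes only whether a probe gets an echo reply, not which ports are reachable.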