Linux in Government: Optimizing Desktop Performance, Part III | Linux Journal

Tom Adelstein adelste at yahoo.com
Tue May 31 22:17:45 UTC 2005


On Tue, 2005-05-31 at 22:49 +0100, Tony Arnold wrote:
> Tom,
> 
> On Tue, 2005-05-31 at 14:19 -0500, Tom Adelstein wrote:
> 

> > If a user lives behind a well constructed firewall, would you feel
> > satisfied if they didn't have a personal firewall?
> 
> It depends what else is behind the firewall!
> 
> In my environment, a large University, we have a firewall at the network
> perimeter, but I still recommend use of a personal firewall on desktop
> systems throughout the campus. This is because of mobile computing.
> Users bring their laptops in and out of the firewall; they connect into
> our network over dial-up lines from unsecured home PCs (a commercial
> organisation would probably be more strict about this, but we are a
> University!); viruses can get in via e-mail, or WEB downloads, so
> desktops need to be protected at the desktop as best they can be. I'm
> also currently advocating use of intrusion protection systems for
> Windows based systems.

I agree absolutely. In fact, even behind my firewall I install ZoneAlarm
which people can download for free - at least a free version exists. 

http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=dbtopnav_za


Then I test them by going to Shields UP!
https://www.grc.com/x/ne.dll?bh0bkyd2 . I removed the Windows firewall
from a unit running XP SP 2 and installed the free version of ZoneAlarm
because I think it does a better job.

In your environment, I'd run Linux personal firewalls because you don't
know who people are and you have so many opportunities for people to
explore exploits.


> 
> Our firewall allows ssh connections in. Some of our break-ins have been
> user name compromises on *nix boxes. Often it is default passwords for
> standard accounts or just easily guessed passwords. Again, once in
> behind the firewall, you need another level of protection.

Indeed. Joe passwords, crack, and forwarding private keys can wreak havoc
eh.







More information about the ubuntu-users mailing list