Firewall alternatives
Alexander Sverdlov
Security analyst

Commercial firewalls have a drawback: it is never known whether the vendor has introduced (willingly or unwillingly) a backdoor or an intentional security weakness that allows access for unknown parties.
As a general rule, remember that if a vendor is known to have used a backdoor once, they will put in a backdoor a second time, just trying to hide it better the next time.
That is why, for smaller organizations, it is a good idea to evaluate other options, such as pfSense or OPNsense (https://www.pfsense.org/ and https://opnsense.org/). Another vendor, which also offers commercial versions and support, is Untangle: https://www.untangle.com
Logically, for large organizations a small open source firewall simply will not be enough, or at least not as their main firewall. But for small environments the options above are more than enough.
Port Knocking – NSA has been using this for the past 10 years, are you?
The concept of port knocking is that the firewall presents all ports as closed, unless a specific port sequence is 'knocked' with a special packet.
For example, if you want to keep port 22 for remote administration purposes, but want to close it for everyone but a list of authorized people/devices, you could set the firewall up in such a way that if your authorized person sends a specially crafted packet to ports 1888, 25678 and 3456, their IP address is temporarily whitelisted and can open a connection to port 22.
NSA has been known to use port knocking for all remote access connections for many years – even for access to their internal systems, not just remote administration and / or VPN.
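As an added illustration (not code from the original article), the gating logic a knock daemon applies to the example above, written as a stand-alone Python simulation: the port sequence 1888, 25678, 3456 and the protected port 22 are the article's values, while the knock window and whitelist lifetime are assumed.

```python
"""Port-knocking gate: stand-alone simulation of the sequence tracking a
knock daemon performs before temporarily whitelisting a source IP."""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (1888, 25678, 3456)  # ports from the article's example
PROTECTED_PORT = 22                   # the service the sequence unlocks
KNOCK_WINDOW = 10.0   # max seconds between consecutive knocks (assumed)
OPEN_DURATION = 30.0  # seconds a whitelist entry stays valid (assumed)

@dataclass
class KnockGate:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    open_for: float = OPEN_DURATION
    progress: dict = field(default_factory=dict)   # ip -> (next_idx, last_knock)
    whitelist: dict = field(default_factory=dict)  # ip -> expiry time

    def knock(self, src_ip: str, dst_port: int, now: float) -> bool:
        """Feed one packet that hit a closed port. Returns True only when
        this knock completed the sequence and src_ip was whitelisted."""
        idx, last = self.progress.get(src_ip, (0, now))
        if idx and now - last > self.window:
            idx = 0                      # too slow between knocks: start over
        if dst_port != self.sequence[idx]:
            # Any wrong port resets progress. A sequential port scan that
            # hits 1889 right after 1888 is reset here and never gets in.
            self.progress.pop(src_ip, None)
            return False
        idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src_ip, None)
            self.whitelist[src_ip] = now + self.open_for
            return True
        self.progress[src_ip] = (idx, now)
        return False

    def allowed(self, src_ip: str, dst_port: int, now: float) -> bool:
        """Firewall decision for a connection attempt: only the protected
        port can ever open, and only for an IP whose whitelist is unexpired."""
        if dst_port != PROTECTED_PORT:
            return False
        expiry = self.whitelist.get(src_ip)
        if expiry is None or now > expiry:
            self.whitelist.pop(src_ip, None)  # expired: close the door again
            return False
        return True
```

A real deployment keys the whitelist into the packet filter (for example an iptables rule set) rather than a dictionary, but the state machine is the same.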
A good tutorial on setting up port knocking on open source operating systems can be found at DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-use-port-knocking-to-hide-your-ssh-daemon-from-attackers-on-ubuntu
Ask the vendor of your firewall appliance whether it supports port knocking. If not, you can certainly place an open source firewall in front of your appliance anyway, just for that purpose.

Alexander Sverdlov
Founder of Atlant Security. Author of 2 books on information security, cybersecurity speaker at the largest cybersecurity conferences in Asia and panelist at a UN conference. Former member of the Microsoft security consulting team, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.