Linked by Thom Holwerda on Thu 5th May 2011 21:07 UTC, submitted by sawboss
There's fail, there's epic fail, and then there's Sony. You may've thought it wasn't possible, but Sony has just outdone itself on the fail scale, forcing us to add yet another notch. During the congressional testimony this morning, Dr Gene Spafford of Purdue University revealed just how badly Sony managed its Playstation Network servers. It's... Bad.
RE: Firewalls - improvement
by jabbotts on Fri 6th May 2011 14:22 UTC in reply to "Firewalls"

Considering the firewall in the general sense of network filtering on the server or in front of it on a separate box: to access my httpd or sshd, you have to be coming from a valid remote location explicitly allowed in the firewall rules. This makes my machine more secure than one which accepts potential attack from any remote location in addition to valid ones.

Deny all, allow the minimum required.

We can also look at application level "firewalls" in the form of mod-security for apache. This sits between your webserver/website and the remote connection filtering out attempts to exploit flaws in your httpd or website code. Sony can afford to hire an admin to manage mod-security.

We could also separate the database and web servers and have the database server only allow connections from the webserver. One must now break into the webserver before being able to start breaking into the database server. Should the first one be breached, what allowed a criminal to access the webserver's command line is not likely to be present on the database server. Monitoring of the webserver should make the breach evident, hopefully before the database server breach can be successful.

Reply Parent Score: 2
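The layered setup the comment above describes (deny all by default, sshd only from an explicitly allowed network, the database port reachable only from the web server), as an added example that is not part of the comment: a POSIX shell function that emits an nftables ruleset for either host role. The addresses and the database port 3306 are constructed placeholders, and the mod_security layer is not covered here.

```shell
#!/bin/sh
# Added example: generate a default-deny nftables ruleset for a two-tier
# web/database layout. All addresses below are constructed placeholders.
ADMIN_NET="203.0.113.0/24"   # constructed: the only network allowed to reach sshd
WEB_IP="192.0.2.10"          # constructed: address of the web server
DB_PORT=3306                 # assumption: MySQL/MariaDB listening port

# gen_ruleset ROLE  ->  prints an nft ruleset for "web" or "db" to stdout
gen_ruleset() {
    role="$1"
    # Common head: input chain with policy drop, so anything not
    # explicitly accepted below is refused ("deny all, allow the minimum").
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 5/second accept
        tcp dport 22 ip saddr $ADMIN_NET accept
EOF
    case "$role" in
        web)
            # The public service: httpd must be reachable by anyone.
            echo "        tcp dport { 80, 443 } accept"
            ;;
        db)
            # The database answers only the web server; nothing else can
            # even start a connection attempt against it.
            echo "        tcp dport $DB_PORT ip saddr $WEB_IP accept"
            ;;
        *)
            echo "gen_ruleset: unknown role '$role' (use web or db)" >&2
            return 1
            ;;
    esac
    # Log what gets refused so a breach attempt is visible in the logs.
    cat <<EOF
        log prefix "nft-drop: " counter drop
    }
}
EOF
}
```

Load the output on the matching host with `nft -f` (for example `gen_ruleset db > /etc/nftables.conf && nft -f /etc/nftables.conf`), after checking that the admin network in the sshd rule really is where you administer from.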