Host-based firewalls are an important component in the security practitioner's tool chain. Layering security mechanisms for a defense-in-depth stance provides redundancy to protect valuable assets. As I was reminded the other day, threat vectors connect threats to vulnerabilities, but ultimately exploiting a vulnerability is about access to, or destruction of, an asset. Patching known vulnerabilities is part of the constant vigilance required, but unknown vulnerabilities still remain. When one upstream security mechanism fails, or is bypassed by some means, another should still stand behind it, so that reaching the asset is harder than defeating a single security mechanism.

Of course, no network-based security measure protects assets behind application software — but this is another topic, for another day. Firewalls limit the attack surface to specific services and applications and may also help prevent some kinds of abuse.

The Linux host-based firewall, iptables, has a wealth of modules for various purposes. One particularly useful one is the limit match module. Let's explore how it can be used to protect against some basic attacks.
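As an added example (not part of the original post), the following POSIX shell script builds a small defensive ruleset around the limit match: it caps the rate of new SSH connections and ICMP echo requests, and rate-limits the logging of what gets dropped so a flood cannot fill the logs. The ports, rates and bursts are illustrative choices, and IPT defaults to printing the rules rather than applying them.

```shell
#!/bin/sh
# Added example ruleset, not a copy of any real host's configuration.
# IPT defaults to "echo iptables" so the script only prints the rules it
# would apply; run with IPT=iptables (as root) to actually install them.
IPT=${IPT:-"echo iptables"}

# limit_rule CHAIN RATE BURST MATCH...
# The limit match is a token bucket: packets are accepted while tokens
# remain (refilled at RATE, holding at most BURST), and everything over
# the rate falls through to a rate-limited LOG rule and then DROP.
limit_rule() {
    chain=$1; rate=$2; burst=$3; shift 3
    $IPT -A "$chain" "$@" -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    # Log the overflow, but never more than 5 lines a minute per rule.
    $IPT -A "$chain" "$@" -m limit --limit 5/minute -j LOG --log-prefix "limit-drop: "
    $IPT -A "$chain" "$@" -j DROP
}

ssh_limit_rules() {
    # At most 3 new SSH connections per minute, with an initial burst of 5.
    # Caveat: the bucket is global (one counter shared by all sources), so a
    # single noisy client can starve legitimate logins; per-source buckets
    # need the hashlimit match instead.
    limit_rule INPUT 3/minute 5 -p tcp --dport 22 --syn -m conntrack --ctstate NEW
}

icmp_limit_rules() {
    # Answer at most one echo request per second; the rest of a ping flood
    # is logged (rate-limited) and dropped.
    limit_rule INPUT 1/second 4 -p icmp --icmp-type echo-request
}

base_rules() {
    # Default-deny inbound, keep loopback and already-established traffic.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

base_rules
ssh_limit_rules
icmp_limit_rules
```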