[lug] Firewall != Linux, Was -> Broadband

Chris M chrism at peakpeak.com
Tue Aug 1 14:44:04 MDT 2000 

> From: rm at mamma.varadinet.de
> Reply-To: lug at lug.boulder.co.us
> Date: Tue, 1 Aug 2000 21:20:56 +0200
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] Firewall != Linux, Was -> Broadband
> 
> On Tue, Aug 01, 2000 at 07:28:31AM -0600, Chris M wrote:
>> Not to mention, Linux is not a firewall.  Linux is Linux, complete
>> with thousands of people scouring source code looking for security
>> holes so they can hack your box, attack NASA, and Men in Black will
>> show up at your door.
>> 
>> True story.
> 
> only if the person who set up the firewall wasn't competent.

Bunk.

I've seen plenty of cracked Linux boxes at the sites of people who should
know better. People I might even hire someday.

> BTW, having the source code isn't really a valid argument against
> Linux _based_ firewalls. It works in both directions: yes, crackers
> can scan for problematic spots, but so can all the Linux programers.
>> From a statistical point of view this definitely makes Linux more
> secure. 

More secure than what?  Than a commercial firewall that has no publicly
available source code to find exploits in?  Try again.

> If you don't belive me, look at the average bugfix time
> for Linux kernel security bugs and for kernel security bugs on firewalls.

Look at the number of known exploits for Linux, and compare it to a Cisco
PIX. Really, write the numbers down on paper.

There, we're done.

> 
>> If you aren't running a "real" firewall (and we could debate ad
>> infinitum how real Linksys is) then you are probably exposed.
>> Period.  We recommend an external appliance, maybe the Linksys fits
>> your requirements, maybe Watchguard or Sonicwall does.
> 
> 
>>> [...]
>> You could go for another 15 minutes and people will still think that
>> their Linux box is a great firewall and how could they possibly be a
>> victim.
> 
> This really depends on who set up the box. Chances are high that
> whoever sets up a private security gateway isn't as experienced
> as someone who works for watchguard etc.

Chances?  Chances?  Who wants to be taking *chances* where security is
concerned? *Especially* high ones. :)

> 
>> *None* of our customers running a commercial firewall have been
>> hacked.  Plenty of Linux customers have.
> 
> Hmmm, that doesn't prove anything. In my experience the people
> who are willing to spend a lot of money on a 'real' firewall
> have a reason for doing so. Therefore their whole attitude towards
> security is different. Comparing the final result (been hacked vs.
> not hacked) and claiming the difference on the teeny piece of hard-
> ware inbetween the external and the internal net is a gros over-
> simplification. 

No, it's real empirical data.  Not a gross economic projection in an attempt
to disprove real empirical data with mere sociological/cultural hand waving.

> A firewall is an important part of an overall
> security concept, but only a complex system of hardware, software,
> constant monitoring and training of everone working with the net
> will make a site secure. Most incidents i have heard of recently
> where caused by malicious code executed on a client from within
> the private net--something even the best firewall can't stop.
> 
> Ralf

You can tell you aren't a service provider, and that you spend more time
maintaining your own LAN than other people's.  You're missing that whole
real world piece of the pie.

Without a firewall, it really doesn't matter what else you do, you've left
the door open.  It's like the lottery, your chances to win increase an
infinite amount when you buy one lottery ticket instead of zero.

Chris

More information about the LUG mailing list