[lug] Firewall what a flare of experience

Chris M chrism at peakpeak.com
Tue Aug 1 14:53:15 MDT 2000


> Here is some food for thought:
> Most of the commercial firewall appliances are based on BSD or Linux.  I spoke
> with several vendors and this much seems to be fact.

Like which ones?  Be specific.  Show your work.

> BUT:
> Those vendors are expert in security and they will supplement the OS they
> chose with proprietary code to make their product as watertight as they can.
> For basic firewalling needs Linux can do a good job as long as the
> administrator who configures the firewall knows what she/he is doing.  And
> THIS IS THE SORE POINT - many Linux firewalls are set up by folks who aren't
> specifically trained in network security.

That is not necessarily true.  Many are set up by top-flight people.

> If you hire a security expert to
> configure your Linux firewall then it will be strong.  It will have scripts
> that check logs and alarm you about intrusion attempts (without too many false
> alarms).  But for that amount of money you could also look into a commercial
> firewall, especially since port forwarding is still experimental in Linux
> (very useful for DMZs = De-Militarized Zones).
> 
> AND THE TRUE RISK:
> Your employees behind the firewall.

Forget them; the discussion is about firewalls.  You can't keep people from
running with scissors.  You tell them not to do it is all.  Then hide all
the scissors and make it known what happens when they are caught, put
filters everywhere, etc.

> There are plenty of VBA (Visual Basic for
> Applications) scripts that can embed themselves during regular browsing.
> These scripts do all kinds of little tricks and they have the same kind of
> access as the user who infected his (mostly) Internet Explorer.  The only
> script I have encountered so far collected information about user's browsing
> habits and then tried to upload that info to a main web site.  Very benign -
> and detected through a proxy server (the script attempted to upload its info
> without a password enough times to trigger network security).  Much worse
> things could have happened here!

Many firewalls make an attempt to filter these now.  Linux does not
presently.

> ADVICE:  Disable VBA, only run the latest Java VM, you may even look into
> running a browser with less functionality.  I am daring enough to run Netscape
> but I don't run IE or Outlook Express for e-mail.

Note that these are problems on the most heavily traveled platforms.  And
you can force this with SMS, can't you?

> 
> CONCLUSION:
> If you really want to be safe buy some consulting time from an established
> network security expert (there are some on this list and I am NOT one of
> them).  They can tell you what to buy and they can also point out security
> risks that you may not even think of.

And you will get all this when you buy a commercial firewall from a
reputable integrator.

Chris

> Buy insurance if your life depends on the safety of your network because all
> humans make mistakes and eWeek's OpenHack proved that once again (they used
> the best of the best in equipment and made only one little mistake).
> 
> Ferdinand

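The log-checking script the quoted post mentions ("check logs and alarm you about intrusion attempts, without too many false alarms") is the one part of this exchange a code sample can make concrete. What follows is an added example, not code from the original post, from Ferdinand, from Chris, or from any firewall product. It assumes kernel log lines in the netfilter LOG-target format (an assumption about the logging format; a 2.2-era ipchains box logs differently), an assumed log year, and a handful of constructed log lines with made-up host name and addresses. It alarms only when one source hits several distinct destination ports within a short window, and ignores identd (port 113) lookups, so a lone probe or a mail server's ident check does not page anyone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: kernel log lines as written by the netfilter LOG
# target (an assumed format; host name, addresses and timestamps are made up).
# ICMP lines carry no DPT= field and are skipped by parse_line().
SAMPLE_LOG = """\
Aug  1 14:53:15 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40012 DPT=21 SYN
Aug  1 14:53:15 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40013 DPT=22 SYN
Aug  1 14:53:16 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40014 DPT=23 SYN
Aug  1 14:53:16 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40015 DPT=25 SYN
Aug  1 14:53:17 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40016 DPT=80 SYN
Aug  1 14:53:17 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40017 DPT=110 SYN
Aug  1 14:55:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=113 SYN
Aug  1 15:10:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51001 DPT=113 SYN
Aug  1 15:30:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33000 DPT=22 SYN
Aug  1 15:30:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33001 DPT=25 SYN
"""

LOG_YEAR = 2000  # syslog timestamps carry no year; assumed from the post date

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return {'ts', 'src', 'proto', 'dpt'} for a TCP/UDP LOG line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # strptime treats a space in the format as \s+, so "Aug  1" parses.
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "proto": m["proto"], "dpt": int(m["dpt"])}


def find_port_scans(lines, min_ports=5, window_seconds=60,
                    noise_ports=frozenset({113})):
    """Flag sources that hit at least `min_ports` distinct destination ports
    within any span of `window_seconds`.  Returns {src: sorted list of ports}.

    Two false-alarm controls: the distinct-port threshold (a lone probe on one
    port never alarms) and `noise_ports` (identd/113 lookups from mail and IRC
    servers are the classic benign hit, so they are dropped before counting)."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dpt"] not in noise_ports:
            events[ev["src"]].append((ev["ts"], ev["dpt"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best, start = set(), 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= window_seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {dpt for _, dpt in evs[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(best):
                best = ports
        if best:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    for src, ports in find_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {src} probed {len(ports)} ports: {ports}")
```

Run against the sample, only 203.0.113.7 is reported (six ports in two seconds); the two identd hits and the two-port touch from 192.0.2.77 stay quiet. Lowering `min_ports` or widening `window_seconds` is the knob between missed scans and the false alarms the quoted post warns about; in practice the script would read from the syslog file the LOG target writes to rather than from the embedded sample.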