[lug] Firewall != Linux, Was -> Broadband

[Chris M]

> 
>> 
>> Bunk.
>> 
>> I've seen plenty of cracked Linux boxes at the sites of people who should
>> know better. People I might even hire someday.
> 
> And why was that so? Because of a glitch/bug in the Linux code?

A security hole.  wu-ftpd, sendmail, etc.  A modem connected to the computer
in one case. Or a simple DoS, any number of things.  I mean the sky is truly
the limit with so many knobs to turn and lock down.

> Or because of wrong/stupid firewall rules? As i said, security
> is a complicated mixture of hard/software and rules how to behave.
> I _have_ spent quite a lot of time talking to customers about security
> during the last year (developing a (linux based) gateway).

Ah so, you have a vested interest in Linux as a firewall.  That sort of
disqualifies you don't you think? :)  If Linux worked great as a firewall
and I was sure I wouldn't get calls in the middle of the night, I'd install
them.

> Most (if not
> all) customers had a rather naive concept of network security. The
> general idea was "let's buy some hardware that'll solve this problem"
> instead of "let's think for a moment where our vulnerabilities are ".
> A Linux box just won't do it (but i doubt a CISCO/Watchguard/UnameIt
> will do either).

A Cisco will beat a Linux firewall for all around security any day.  I don't
say this with any joy, I hate Cisco.

> 
>> 
>>> BTW, having the source code isn't really a valid argument against
>>> Linux _based_ firewalls. It works in both directions: yes, crackers
>>> can scan for problematic spots, but so can all the Linux programers.
>>>> From a statistical point of view this definitely makes Linux more
>>> secure. 
>> 
>> More secure than what?  Than a commercial firewall that has no publicly
>> available source code to find exploits in?  Try again.
> 
> I consider this a myth. First of all, as was allready said on this
> list, most of todays firewall are based on readily available source
> code. 

"Some" of today's firewalls, not most. Just because I can get the same gas
as A.J. Foyt doesn't mean I'm going to drive like he does.

>Second, and more important, the availability of source code
> might make things harder but not too much. Quite a lot of the firewalls
> i'Ve seen open are Intel-based, and nothing hinders a dedicated person
> to fire up his/her disassembler and look at the code. Finding a possible
> buffer overflow isn't really _that_ hard (actually, it's sometimes
> more easy ;-)

Let's assume that is true.  So then, point to a published account of a crack
where this was true.  FBI?  NYT?  Come on, you do have an example don't you?

> 
> 
>>> If you don't belive me, look at the average bugfix time
>>> for Linux kernel security bugs and for kernel security bugs on firewalls.
>> 
>> Look at the number of known exploits for Linux, and compare it to a Cisco
> ^^^^^
>> PIX. Really, write the numbers down on paper.
> 
> 
> Exploits for Linux systems are known early and are published even by
> the developing comunity. This is not the case with commercial products.
> The fact that CISCO doesn't run arround telling you about expoits doesn't
> mean that there aren't any (i have worked enough with 'the guys from
> marketing' ...).

They do tell you.  If you have a support contract. Get out your checkbook.

> Also, don't forget that it might be more likely that a Linux
> user will at some point find out about a hacker ('why the heck is
> my network load so high?')  while on a hacked proprietary box nobody
> will realize it.

"might"

> 
>> There, we're done.
>> 
>>> 
>>>> If you aren't running a "real" firewall (and we could debate ad
>>>> infinitum how real Linksys is) then you are probably exposed.
>>>> Period.  We recommend an external appliance, maybe the Linksys fits
>>>> your requirements, maybe Watchguard or Sonicwall does.
>>> 
>>> 
>>>>> [...]
>>>> You could go for another 15 minutes and people will still think that
>>>> their Linux box is a great firewall and how could they possibly be a
>>>> victim.
>>> 
>>> This really depends on who set up the box. Chances are high that
>>> whoever sets up a private security gateway isn't as experienced
>>> as someone who works for watchguard etc.
>> 
>> Chances?  Chances?  Who wants to be taking *chances* where security is
>> concerned? *Especially* high ones. :)
> 
> I never suggested that. I just think you blame breakins on Linux where
> i would blame it on the ignorance or unability to juge their network
> security understanding of the local sysadmin.

So let's admit Linux isn't as good as a commercial firewall then, because
the incidence of trouble (where trouble == firewall compromise) is far lower
for commercial products since they do eliminate a large component of
failure: human judgment and training.


>>>> *None* of our customers running a commercial firewall have been
>>>> hacked.  Plenty of Linux customers have.
>>> 
>>> Hmmm, that doesn't prove anything. In my experience the people
>>> who are willing to spend a lot of money on a 'real' firewall
>>> have a reason for doing so. Therefore their whole attitude towards
>>> security is different. Comparing the final result (been hacked vs.
>>> not hacked) and claiming the difference on the teeny piece of hard-
>>> ware inbetween the external and the internal net is a gros over-
>>> simplification.
>> 
>> No, it's real empirical data.  Not a gross economic projection in an attempt
>> to disprove real empirical data with mere sociological/cultural hand waving.
> 
> So you are saying that you have customers who spent a significant
> amount of money (you get quite a lot of consulting for the price
> of a firewall-1 ...) for a Linux firewall and still where hacked?
> That _is_ interessting. What sort of exploits did they experience?

That's what I'm saying.  You've never seen people write checks so fast in
their life.

>>> A firewall is an important part of an overall
>>> security concept, but only a complex system of hardware, software,
>>> constant monitoring and training of everone working with the net
>>> will make a site secure. Most incidents i have heard of recently
>>> where caused by malicious code executed on a client from within
>>> the private net--something even the best firewall can't stop.
>>> 
>>> Ralf
>> 
>> You can tell you aren't a service provider, and that you spend more time
>> maintaining your own LAN than other people's.  You're missing that whole
>> real world piece of the pie.
> 
> Hmm, quite a lot of my boxes are out in the real world, doing their job.
> I would claim that they can substitute for a 'real' firewall, but i
> think they give the 'normal' user quite some security. I see the difference
> more in the customizability (is this a word?). One way i try to make our
> boxes secure is by keeping the customer from doing all sorts of 'silly'
> things (the fact that someting is possible with Linux doesn't mean that
> it's a particullary good idea). So there is no port forwarding, icmp
> masquerading, NetMeeting support etc.
> But, again, i don't think that this alone makes a net secure. I had
> long phone converstions with customers who wanted our box to agressively
> scan and modify incomming email so to stop workers of sending themself (!)
> programs from the internet--after a while it turned out that every single
> user was running an unrestricted web browser .... Those aren't firewall
> (or OS) problems, this is just the lack of knowloege on the admin side
> (and this is something i really blame Microsoft for: everything is point-
> and-click so everyone with some mouse experience considers him/herself
> an expert).

That's another thread.  It is a big problem though.  We're discussing Linux
as a firewall here, not sociological IT problems, the Peter Principle, or
none o that.

>> Without a firewall, it really doesn't matter what else you do, you've left
>> the door open.  It's like the lottery, your chances to win increase an
>> infinite amount when you buy one lottery ticket instead of zero.
> 
> Oh, i agree on that! But that wasn't the discusion, or? This was
> Linux vs. proprietary systems.
> 

Yes, but I say, should we revert to the discussion of communism?  Actually,
this talk of Marx and that ilk is irrelevant, communism was invented by the
Chinese.  Interesting that they are the only ones really still practicing it
anywhere near the ideal so well still today.

Chris