[lug] Firewall != Linux, Was -> Broadband

Nate Duehr nate at natetech.com
Wed Aug 2 11:38:02 MDT 2000


On Tue, Aug 01, 2000 at 02:44:04PM -0600, Chris M wrote:

> More secure than what?  Than a commercial firewall that has no publicly
> available source code to find exploits in?  Try again.

Bunk.  Exploits don't require source code.  Seen the DoS stuff for
Firewall-1 that hasn't been resolved in a MONTH on securityfocus.com?
FW-1 released a "patch" and then immediately pulled it back because it
worked on Solaris and NT, and NOT on IPSO, their own OS.  Bwahahaha...

> Look at the number of known exploits for Linux, and compare it to a Cisco
> PIX. Really, write the numbers down on paper.
> 
> There, we're done.

No we're not.  A Linux box running PURE firewall code (IPCHAINS only,
routing code... NOTHING else) will compare nicely in those numbers.
People tend to run SERVICES on their Linux firewalls, and those Layer 7
programs DO have known exploits more often.  Just like if the commercial
firewalls were running FTP, WWW, and Mail services on their hardware
too.  Again, this comes back to competency.  Don't run servers on your
firewall.

> >> You could go for another 15 minutes and people will still think that
> >> their Linux box is a great firewall and how could they possibly be a
> >> victim.
> > 
> > This really depends on who set up the box. Chances are high that
> > whoever sets up a private security gateway isn't as experienced
> > as someone who works for watchguard etc.

That's up to the customer to decide.  Train from within, trust your
staff to know their stuff, or hire outside help.  Same as any other IT
decision.

> You can tell you aren't a service provider, and that you spend more time
> maintaining your own LAN than other people's.  You're missing that whole
> real world piece of the pie.
> 
> Without a firewall, it really doesn't matter what else you do, you've left
> the door open.  It's like the lottery, your chances to win increase an
> infinite amount when you buy one lottery ticket instead of zero.

Again, firewalls by themselves are useless without a security policy and
TRAINING for your organization about the risks of doing silly things.
No electronic box will ever 100% fix a problem with humans... that we
can't leave others' stuff alone.

-- 
Nate Duehr <nate at natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
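
[Added example, not part of Nate's post or of any vendor's code: what the
"PURE firewall code, IPCHAINS only, routing code, NOTHING else" box above
looks like as a script, plus the audit that catches the other case, a
firewall with FTP/WWW/mail listening on it.  Interface names eth0/eth1,
the 192.168.1.0/24 internal network and the netstat-style socket listings
are all made up for the example; the ipchains syntax is Linux 2.2's.]

```shell
#!/bin/sh
# Added example (not from the original post).  A "pure" Linux 2.2 firewall:
# ipchains rules that only filter and masquerade, and an audit that fails if
# the host has any network service listening on a non-loopback address.
# Assumptions: eth0 faces the untrusted side, eth1 the LAN, LAN is
# 192.168.1.0/24.  The netstat-style listings below are constructed samples.

EXT_IF=eth0             # assumed: untrusted (upstream) interface
INT_IF=eth1             # assumed: internal LAN interface
INT_NET=192.168.1.0/24  # assumed: internal LAN

# Print the ipchains commands for a deny-by-default filter.  Nothing here
# opens a port on the firewall itself; loopback is the only exception.
gen_ruleset() {
    cat <<EOF
ipchains -F
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
# local processes may talk to themselves
ipchains -A input -i lo -j ACCEPT
# anti-spoofing: LAN addresses never arrive on the outside interface (log it)
ipchains -A input -i $EXT_IF -s $INT_NET -j DENY -l
# the LAN may send anything in (it is masqueraded in the forward chain)
ipchains -A input -i $INT_IF -s $INT_NET -j ACCEPT
# outside: no new TCP connections (SYN) to us or through us; replies are ok.
# ipchains is stateless, so "! -y" is the best it can do for return traffic.
ipchains -A input -i $EXT_IF -p tcp -y -j DENY -l
ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
# DNS replies and ICMP from outside
ipchains -A input -i $EXT_IF -p udp -s 0.0.0.0/0 53 -j ACCEPT
ipchains -A input -i $EXT_IF -p icmp -j ACCEPT
# masquerade the LAN on its way out (in the forward chain -i is the OUT interface)
ipchains -A forward -i $EXT_IF -s $INT_NET -j MASQ
EOF
}

# Read a netstat-style socket listing on stdin (as from "netstat -ltun").
# Return 1 (and print the offenders) if any TCP listener or UDP socket is
# bound on a non-loopback address: a pure firewall has none.
audit_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { addr = $4 }
        $1 ~ /^udp/                    { addr = $4 }   # UDP has no State column
        addr != "" {
            ip = addr; sub(/:[0-9]+$/, "", ip)           # strip ":port"
            if (ip != "127.0.0.1" && ip != "::1") { bad++; print "listener: " $0 }
            addr = ""
        }
        END { exit (bad > 0) }
    '
}

check_host() { printf '%s\n' "$1" | audit_listeners; }

# Constructed sample: a "firewall" that also runs FTP, WWW, DNS and a
# loopback-only MTA.  The post's "people run SERVICES on their firewalls".
SERVICES_HOST='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# Constructed sample: the pure firewall.  No listeners at all.
PURE_HOST='Proto Recv-Q Send-Q Local Address           Foreign Address         State'

# Demo: show the ruleset, then audit both hosts.  Only apply the rules for
# real (gen_ruleset | sh) on a 2.2 box after reading them.
gen_ruleset
check_host "$SERVICES_HOST" || echo "services host: NOT a pure firewall"
check_host "$PURE_HOST"     && echo "pure host: OK, nothing listening"
```

The audit deliberately ignores anything bound to loopback and flags
everything else, including a service "only listening on the inside
interface", since that is still a Layer 7 program with its own exploit
history sitting on the box that is supposed to be the filter.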