[lug] Firewall what a flare of emotions

Ferdinand Schmid fschmid at archenergy.com
Tue Aug 1 10:16:27 MDT 2000


Here is some food for thought:
Most of the commercial firewall appliances are based on BSD or Linux.  I spoke with several vendors and this much seems to be fact.

BUT:
Those vendors are expert in security and they will supplement the OS they chose with proprietary code to make their product as watertight as they can.
For basic firewalling needs Linux can do a good job as long as the administrator who configures the firewall knows what she/he is doing.  And THIS IS THE SORE POINT - many Linux firewalls are set up by folks who aren't specifically trained in network security.  If you hire a security expert to configure your Linux firewall then it will be strong.  It will have scritps that check logs and alarm you about intrusion attempts (without too many false alarms).  But for that amount of money you could also look into a commercial firewall, especially since port forwarding is still experimental in Linux (very useful for DMZs = De-Militarized Zones).

AND THE TRUE RISK:
Your employees behind the firewall.  There are plenty of VBA (Visual Basic for Applications) scripts that can embed themselves during regular browsing.  These scripts do all kinds of little tricks and they have the same kind of access as the user who infected his (mostly) Internet Explorer.  The only script I have encountered so far collected information about user's browsing habits and then tried to upload that info to a main web site.  Very benign - and detected through a proxy server (the script attempted to upload its info without a password enough times to trigger network security).  Much worse things could have happened here!
ADVICE:  Disable VBA, only run the latest Java VM, you may even look into running a browser with less functionality.  I am daring enough to run Netscape but I don't run IE or Outlook Express for e-mail.

CONCLUSION:
If you really want to be safe buy some consulting time from an established network security expert (there are some on this list and I am NOT one of them).  They can tell you what to buy and they can also point out security risks that you may not even think of.
Buy insurance if your life depends on the safety of your network because all humans make mistakes and eWeek's OpenHack proved that once again (they used the best of the best in equipment and made only one little mistake).

Ferdinand

Chris M wrote:

> >For all those who have or want cable modems or DSL, you should look
> >into using the Linksys BEFSR41 firewall instead of a computer.  Yeah,
> >it's a lot of fun to play around with Linux firewalling and such, but
> >if you want something that firewalls, does DHCP, NAT, port forwarding,
> >etc. for your network AND has a 4-port switch in it for only
> >$160...this is your product!
>
> Not to mention, Linux is not a firewall.  Linux is Linux, complete
> with thousands of people scouring source code looking for security
> holes so they can hack your box, attack NASA, and Men in Black will
> show up at your door.
>
> True story.
>
> If you aren't running a "real" firewall (and we could debate ad
> infinitum how real Linksys is) then you are probably exposed.
> Period.  We recommend an external appliance, maybe the Linksys fits
> your requirements, maybe Watchguard or Sonicwall does.
>
> >
> >No, this isn't an advertisement for Linksys.  I just cringe when I
> >hear about people using their linux machines to do lots of packet
> >filtering that is unnecessary.
> >
> >Also, if you think for a second that hooking your cable modem directly
> >into your computer is safe, think again.  You've just put your
> >computer straight on the Internet for script kiddies to beat the crap
> >out of.
> >
> >Thus endeth the sermon.
> >
> >--
> >PC Drew
>
> You could go for another 15 minutes and people will still think that
> their Linux box is a great firewall and how could they possibly be a
> victim.
>
> *None* of our customers running a commercial firewall have been
> hacked.  Plenty of Linux customers have.
>
> Chris
> Peak to Peak Internet
> http://www.peakpeak.com
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug






More information about the LUG mailing list