[lug] Firewall != Linux, Was -> Broadband

Sean Reifschneider jafo at tummy.com
Tue Aug 1 16:45:09 MDT 2000


On Tue, Aug 01, 2000 at 04:16:30PM -0600, Chris M wrote:
>A security hole.  wu-ftpd, sendmail, etc.  A modem connected to the computer

A firewall acting as an FTP server, SMTP server, etc, isn't really a
firewall.  But, people still want to do it even if they're paying
significantly less than "big name" firewall

Obviously, Linux *CAN* run well as a firewall.  There are a number of
companies selling firewalls based on Linux.  If you run a service on
your firewall which has a long track record of having security
vulnerabilities, you deserve what you get...  But in that case
you're usually electing for less security.  People do that all the
time -- for example when they use telnet...

>in one case. Or a simple DoS, any number of things.  I mean the sky is truly

I put a denial of service in a different category from a security
compromise.  I mean, what's a PIX firewall going to do about a
smurf attack, eh?

>Ah so, you have a vested interest in Linux as a firewall.  That sort of
>disqualifies you don't you think? :)  If Linux worked great as a firewall

Correct me if I'm wrong, but you stated in another message that you have
been selling PIX firewalls to Linux firewall users.  Have you just
disqualified yourself?

>A Cisco will beat a Linux firewall for all around security any day.  I don't
>say this with any joy, I hate Cisco.

I don't have any proof one way or another.  I do know that I don't
have the code, so I can't go and look at it to see if it does things
I do, like set up most of the filesystem as immutable, etc...  Things
that I *CAN* do because the source is available...

>>> More secure than what?  Than a commercial firewall that has no publicly
>>> available source code to find exploits in?  Try again.

Just because it's not publicly available doesn't mean that crackers aren't
surveying it for weaknesses.  You can't stop everyone, and the source for
PIX is a *HUGE* target...

>"Some" of today's firewalls, not most. Just because I can get the same gas
>as A.J. Foyt doesn't mean I'm going to drive like he does.

Oh, you eat at Taco Bell too?  ;-)

>for commercial products since they do eliminate a large component of
>failure: human judgment and training.

You certainly aren't saying that you CAN'T configure a PIX machine so that
it compromises your security?

The crypto folks are convinced that security through obscurity doesn't work.
Closed source is obscurity, and we have a number of instances where
closed systems have shown significant attacks.  So you'd have a pretty
hard time convincing me personally that open source contributes to
less security.

Sean
-- 
 Charlie Brown peddles his body for crack money while stealing Social Security
 checks and boosting automobiles in "BLAME IT ON THE MAN, CHARLIE BROWN."
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python