[lug] Firewall != Linux, Was -> Broadband

Chris M chrism at peakpeak.com
Tue Aug 1 17:02:06 MDT 2000


> From: Sean Reifschneider <jafo at tummy.com>
> Reply-To: lug at lug.boulder.co.us
> Date: Tue, 1 Aug 2000 16:45:09 -0600
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] Firewall != Linux, Was -> Broadband
> 
> On Tue, Aug 01, 2000 at 04:16:30PM -0600, Chris M wrote:
>> A security hole.  wu-ftpd, sendmail, etc.  A modem connected to the computer
> 
> A firewall acting as an FTP server, SMTP server, etc, isn't really a
> firewall.  But, people still want to do it even if they're paying
> significantly less than "big name" firewall

Yep, and there is one of the problems, overloading the machine.  Once a
server is sitting there, it is tempting to play with it.  "Make it better."

> Obviously, Linux *CAN* run well as a firewall.  There are a number of
> companies selling firewalls based on Linux.

Obviously yes.

> If you run a service on
> your firewall which has a long track record of having security
> vulnerabilities, you deserve what you get...  But in that case
> you're usually electing for less security.  People do that all the
> time -- for example when they use telnet...

Point well taken.  Services are just one way in though.

> 
>> in one case. Or a simple DoS, any number of things.  I mean the sky is truly
> 
> I put a denial of service in a different category from a security
> compromise.  I mean, what's a PIX firewall going to do about a
> smurf attack, eh?

It isn't going to melt :)

> 
>> Ah so, you have a vested interest in Linux as a firewall.  That sort of
>> disqualifies you don't you think? :)  If Linux worked great as a firewall
> 
> Correct me if I'm wrong, but you stated in another message that you have
> been selling PIX firewalls to Linux firewall users.  Have you just
> disqualified yourself?

No, I'll sell you a Sonic, a Watchguard, whatever is right for *you*.  Even
Linux.  Although Linux is not a great match except for Joe Sixpack at home,
and even then I would discourage it.  Much cheaper to spend than tinker
unless you pay yourself $2/hour.

>> A Cisco will beat a Linux firewall for all around security any day.  I don't
>> say this with any joy, I hate Cisco.
> 
> I don't have any proof one way or another.  I do know that I don't
> have the code, so I can't go and look at it to see if it does things
> I do like set up most of the filesystem as immutable, etc...  Things
> that I *CAN* do because the source is available...

That's right.  If you had an ICE you could maybe disassemble the code, but
the amount of effort is huge, and if you have this level of training you
have easier targets as a hacker :)

> 
>>>> More secure than what?  Than a commercial firewall that has no publicly
>>>> available source code to find exploits in?  Try again.
> 
> Just because it's not publicly available doesn't mean that crackers aren't
> surveying it for weaknesses.  You can't stop everyone, and the source for
> PIX is a *HUGE* target...

As I said before, find a published exploit for it then.  They are out there,
but not in the same numbers.

> 
>> "Some" of today's firewalls, not most. Just because I can get the same gas
>> as A.J. Foyt doesn't mean I'm going to drive like he does.
> 
> Oh, you eat at Taco Bell too?  ;-)

Burp.

> 
>> for commercial products since they do eliminate a large component of
>> failure: human judgment and training.
> 
> You certainly aren't saying that you CAN'T configure a PIX machine so that
> it compromises your security?

It's possible, but it is much harder to screw up than Linux.  If you are
already into IOS you have some training already.

> The crypto folks are convinced that security through obscurity doesn't work.
> Closed source is obscurity, and we have a number of instances where
> closed systems have shown significant attacks.  So you'd have a pretty
> hard time convincing me personally that open source contributes to
> less security.

Easily refutable.  What is easier to steal, a car with the keys in the
ignition and the doors unlocked or one without?  Even for an experienced
thief he's going to use the keys.

Open source removes many barriers to entry.  No one said closed source is
perfect, but it is definitely *harder* to crack.

I'm not going to change your mind if you already think that way though.

Chris

> 
> Sean
> -- 
> Charlie Brown peddles his body for crack money while stealing Social Security
> checks and boosting automobiles in "BLAME IT ON THE MAN, CHARLIE BROWN."
> Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
> tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
> 