router

Discussion in 'Computer Security' started by DaveINM, Jun 12, 2004.

  1. Leythos Guest

    Um, that would not be a firewall, that would be a workstation. Hardly an
    ideal solution for a security professional.

    If you had said that Linux makes a more flexible platform than a
    firewall appliance does for the cost, then we would be on the same page
    - a firewall appliance is just a firewall, not a workstation. I think
    you've entered into the misdirection stage of your argument.
     
    Leythos, Jun 16, 2004
    #41

  2. Leythos Guest

    Actually, a lot of firewall appliances have three networks, the public
    side, the trusted side, and the DMZ. Many of the smaller firewall
    appliances (not the cheap routers) are now including this same three
    port design. Some of the cheaper ones give you the ability to direct all
    DMZ traffic to a single IP (not an ideal solution) that you can do
    anything you want with (attach a router/nat and you have another
    network).

    You are right though, I only run a firewall on the system that is
    designated as the firewall. I can't imagine anyone running Office or
    PhotoShop on a FW-1 firewall box :)

    I've found the same as you - an appliance is easier for customers to
    maintain, less problems for them to work with, and easier on space and
    electrical costs - less heat output too in most cases.
     
    Leythos, Jun 16, 2004
    #42

  3. Leythos Guest

    You still have not told me what "Firewall" features your box has vs an
    appliance? Other than the user limit, which I agree is a pain, I don't
    see anything in features that yours can do that an appliance can't do.

    In fact, depending on the device, the appliance has one really nice
    feature that can save a company's ass - SMTP proxy filtering of
    attachments by extension and/or size.

    Don't come back and tell me how you can run a shell, office, etc.. on
    your firewall, only an idiot would install additional software on a
    firewall system. Firewalls should be stripped down to the absolute
    minimum in order to provide security, stability, and ensure that there
    are less openings for problems (not to mention hardware and such).
     
    Leythos, Jun 16, 2004
    #43
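The attachment filter by extension and/or size that Leythos mentions above, shown as an added illustration rather than code from the thread or from any firewall product: a Python check run over a constructed message, where the blocked extension list and the size limit are assumed example policy values.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Example policy values (assumed for illustration, not any product's default).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}
MAX_ATTACHMENT_BYTES = 1_000_000


def check_attachments(raw, blocked=BLOCKED_EXTENSIONS, max_bytes=MAX_ATTACHMENT_BYTES):
    """Return [(filename, reason), ...] for each attachment the policy rejects.

    Extension matching is case-insensitive and uses the final suffix, so
    "invoice.pdf.EXE" counts as .exe; size is the decoded payload length.
    An empty list means the message passes the filter."""
    msg = message_from_bytes(raw, policy=default)
    rejected = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in blocked:
            rejected.append((name, f"blocked extension {ext}"))
        elif len(payload) > max_bytes:
            rejected.append((name, f"size {len(payload)} exceeds {max_bytes}"))
    return rejected


def build_sample(filename, data):
    """Constructed test message carrying a single attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, data in [("report.pdf", b"%PDF-1.4 sample"),
                       ("invoice.pdf.EXE", b"MZ sample"),
                       ("archive.zip", b"\0" * 1_200_000)]:
        print(name, check_attachments(build_sample(name, data)) or "pass")
```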
  4. Perhaps some software might be interesting:

    Snort, Tripwire, Socks Proxy, Ethereal, network security
    audit tools, traffic shaper/congestion control, dynamic blackholes,
    time variant filter rules, logging, tracing, and DNAT to
    the local honeypot, with trace&logging, for evidence collection.

    Some of these features are slowly being integrated into
    hardware firewall solutions.

    Note: Consolidation requirements may lead to more things running
    on the firewall than one would envision in a perfect world.
    Shades of gray instead of black and white. The balancing
    act of security, cost, functionality, user requirements
    continues.

    Fast, Cheap, Good, Pick any two.

    Enjoy,
    Mangled&Munged.
     
    Mangled&Munged, Jun 16, 2004
    #44
  5. Chuck Guest

    Amen.

    I found Mangled's 15 function list quite scary.

    Cheers,
    Chuck
    Paranoia comes from experience - and is not necessarily a bad thing.
     
    Chuck, Jun 16, 2004
    #45

  6. that is irrelevant to the discussion at hand. now you're dipping into
    opinion, not fact. the FACT is, a linux box is more versatile, which was
    the original point.


    no, actually, you ASSUMED I meant b) when in reality, I clearly and
    pointedly stated a). do not _assume_ and READ.


    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
     
    Colonel Flagg, Jun 16, 2004
    #46


  7. I agree.

    --
    Colonel Flagg
     
    Colonel Flagg, Jun 16, 2004
    #47
  8. Leythos Guest

    No, it's not irrelevant - this discussion was about firewall appliances
    vs software/os based firewalls running on a Linux box - nothing was said
    about using it as a workstation. Sheesh man, everyone knows that a
    firewall box is not a workstation, not a game server, not a streaming
    audio server, not a word processing system, not anything but a firewall.

    Your statement, now that you've explained it, is like talking about NAT
    Routers and saying that my Windows 2003 server (or MDK 10 system) is
    more versatile than a router! What a crock of BS - you make a good
    troll.

    Now, when it comes to firewalls, which is what this is about, your Linux
    box makes a crappy firewall for most non-nix users, as a device is much
    easier to configure, comes with more standard features in an example of
    a base install, uses less power, and has less chance of breaking. It's
    also harder to screw up the rules on a device than it is for a new-home
    user (non-nix person) on a nix platform.
     
    Leythos, Jun 16, 2004
    #48
  9. Well, M&M certainly listed an ample amount. Also, I love the ability
    to run shell scripts and quickly develop C programs to ease the
    administration overhead. I'm not saying gcc should be installed on a
    firewall, even though most of mine have it. Cron is a lifesaver as
    well. I guess, to sum it up in one word, choice.

    Yep. There are a few available for Linux firewalls. They even have
    additional features like anti-spam as well.

    A shell is part of Linux. Certainly a plus, not a minus at all. By
    additional software, do you mean something like SMTP proxy filtering?
     
    Micheal Robert Zium, Jun 17, 2004
    #49
  10. I've had many appliances go bad as well. Also, with high-MTBF low
    power consumption power supplies and CF disks, any PC can enjoy the
    benefits of an appliance. Roll your own and enjoy the power of
    choice.
     
    Micheal Robert Zium, Jun 17, 2004
    #50
  11. Jim Watt Guest

    Again that might be a choice for an enthusiast, but building the
    system from the bottom up is not the appropriate solution for most
    people. Appliances do not fail as often as PCs.

    Perhaps you are missing some fun and should make your own
    PCBs and solder in the components too? You could also design
    your own ASICs as buying the fab plant might be expensive.

    Or it might be easier to buy a $50 box and use it.
     
    Jim Watt, Jun 17, 2004
    #51

  12. absolutely.

    --
    Colonel Flagg
     
    Colonel Flagg, Jun 17, 2004
    #52

  13. I still say you need to reread the thread. you're missing key points
    made.

    an appliance can only do so much. I want more. so do many others reading
    and posting to this thread.

    and on another note, didn't I read somewhere that the linksys OS is
    based on linux?

    --
    Colonel Flagg
     
    Colonel Flagg, Jun 17, 2004
    #53
  14. That's a new one on me (leaving aside Light units running IPcop) - all of
    the SoHo routers I've seen have what they call a DMZ, but it is really just
    default port forwarding.

    (Sorry for being picky - for me, a DMZ is a separate, isolated, LAN segment
    between the outside world and the private LAN. It's very well firewalled on
    both sides)

    H1K
     
    Hairy One Kenobi, Jun 17, 2004
    #54
  15. Can't say that I've seen an appliance go down - although the exact opposite
    has been true with mainstream PC hardware. My old Netgear even survived a
    spike sharp enough to erase its EEPROM (!)

    As you say, use something like an ITX-based box and get the best of both
    worlds; but please note that CF should *only* ever be used when you're
    expecting not to write to disk. It's notoriously unreliable for things like
    VM (which is the reason that my web server has two moving parts - a fan and
    a conventional HDD)

    H1K
     
    Hairy One Kenobi, Jun 17, 2004
    #55
  16. Leythos Guest

    No, I mean Open Office and things that were mentioned that have nothing
    to do with the firewall. And SMTP filtering is part of a lot of
    firewalls now.
     
    Leythos, Jun 17, 2004
    #56
  17. Leythos Guest

    An appliance is designed to do exactly what it was sold to do -
    firewall. A firewall appliance, more times than not, is going to be the
    better choice for people since it's less likely to be misconfigured. If
    you want to run apps on your firewall you're fooling yourself.
    Almost all routers/firewall appliances are based on a nix OS, but I
    don't see any of them running Open Office or games - that should tell
    you something. A firewall system should ONLY run the absolute minimum of
    items necessary to do its firewall job.
     
    Leythos, Jun 17, 2004
    #57
  18. Leythos Guest

    I think that if you re-read my statement you will see that I said
    "Firewall Appliances". I don't consider NAT Routers to be "Firewall
    Appliances". Most firewall appliances have three or more ports - WAN,
    LAN, DMZ and the networks are isolated from each other. I agree with
    your last statement, I don't consider forwarding to another IP to be a
    separate network or DMZ either.
     
    Leythos, Jun 17, 2004
    #58
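To make the distinction drawn in posts 14 and 18 concrete (a three-port appliance's isolated DMZ segment versus a SoHo router's "DMZ host", which is just default port forwarding to one LAN address), here is an added toy zone-policy evaluator; it is not code from the thread or from any product, and the zone names, addresses and rules are constructed assumptions.

```python
from ipaddress import ip_address, ip_network


class ZonePolicy:
    """Default-deny, first-match policy between interface zones.
    zones: {name: CIDR}, any other address is 'wan';
    rules: (src_zone, dst_zone, dst_host or None, tcp_ports or None)."""

    def __init__(self, zones, rules):
        self.zones = {n: ip_network(c) for n, c in zones.items()}
        self.rules = rules

    def zone_of(self, addr):
        ip = ip_address(addr)
        return next((n for n, net in self.zones.items() if ip in net), "wan")

    def allows(self, src, dst, dport):
        src_zone, dst_zone = self.zone_of(src), self.zone_of(dst)
        if src_zone == dst_zone:
            return True  # same segment: switched locally, never crosses the firewall
        for s, d, host, ports in self.rules:
            if ((s, d) == (src_zone, dst_zone)
                    and (host is None or host == dst)
                    and (ports is None or dport in ports)):
                return True
        return False


# Three-port appliance: the DMZ is its own isolated segment (constructed addresses).
THREE_PORT = ZonePolicy(
    {"lan": "192.168.1.0/24", "dmz": "172.16.0.0/24"},
    [("wan", "dmz", "172.16.0.10", {80, 443}),  # public web server only
     ("lan", "wan", None, None),                # LAN may reach the Internet
     ("lan", "dmz", None, {80, 443}),           # LAN may use the web server
     ("dmz", "wan", None, {53})])               # DMZ may only do DNS; no dmz->lan rule

# SoHo router "DMZ host": every inbound WAN port is forwarded to one LAN address.
SOHO_DMZ_HOST = ZonePolicy(
    {"lan": "192.168.1.0/24"},
    [("wan", "lan", "192.168.1.50", None),      # all ports to the "DMZ" host
     ("lan", "wan", None, None)])


def exposed_server_can_reach_lan(policy, server, lan_host):
    """Could the Internet-facing server open SMB (port 445) to an internal host?"""
    return policy.allows(server, lan_host, 445)
```

With the appliance layout the web server in the DMZ cannot reach the LAN at all, while the router's "DMZ" host sits on the same segment as every other LAN machine, so nothing in the router can filter what it sends them.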
  19. Jim Watt Guest

    Really? I'd have thought being solid state it was better.

    It works OK in my camera.
     
    Jim Watt, Jun 17, 2004
    #59

  20. mine isn't just a firewall, it's a firewall, an IDS and a network
    sniffing tool. who are you to say that isn't fine and dandy? someone
    sets a "standard", just because I don't like the standard, doesn't mean
    I am breaking some major rule.

    frankly, if it wasn't for folks like me that bend and stretch, we'd be
    nowhere with tech.

    --
    Colonel Flagg
     
    Colonel Flagg, Jun 18, 2004
    #60
