Discussion in 'Computer Security' started by DaveINM, Jun 12, 2004.

  1. my statement was an example of what *could* be done with a linux
    firewall and what *cannot* be done with a firewall appliance.

    actually, I prefer freebsd, it's in my opinion (and many others) a lot
    more stable and a lot more flexible with networking tasks. the same
    holds true for freebsd firewalls vs. an appliance. sure, there's more
    moving parts and more likely to break, however, the overall flexibility
    is an advantage i'd much rather have than simple up time. up time isn't
    everything, useability and scalability is.

    so you save money by using an "appliance" as a firewall, so what if you
    want an IDS as well? do you add yet another "appliance". what if you
    want to sniff the network? plug in a laptop? monitor/filter smtp? why
    not do it all from one single box?

    Colonel Flagg

    Privacy at a click:

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Jun 18, 2004

  2. ParrotRob Guest

    Or use it as a file/media server either, heh.
    ParrotRob, Jun 18, 2004

  3. Leythos Guest

    What could be done and the tract of the discussion are two different
    things. Talking about Volkswagen and then throwing in watermelons is
    not exactly staying on subject.
    I like BSD also, I like it for soft firewalls much better than any other
    flavor of nix. Small, simple, works great, is the most secure nix flavor
    out of the box that I know of.
    The flex part is where we are always going to disagree, at least in what
    should be installed on a firewall. It's OK to not agree as you are doing
    more with your firewall than just using it as a firewall, I don't see
    the point in using the firewall for more than firewalling.
    If I wanted other functions I would install a system for them, it could
    be an appliance or system, makes no difference to me if it's hard or
    soft. The firewalls I use allow me to monitor and filter SMTP, so that's
    an easy one. As for IDS, unless you monitor the real-time interface on
    the firewall it would be hard for any of the ones I know of (soft/hard)
    to provide that function.

    So, let's take this back to where it was started - a typical SOHO or Home
    user is going to be better protected by a firewall appliance or even a
    quality NAT router than a PC running BSD and any flavor of firewall
    applications - the reason is that the typical person barely has the
    skills to setup a "drop-in" appliance let alone configure the hardware
    in a PC, install BSD (any flavor), then setup his firewall software and
    configure the rules, and get the rules right the first time. This same
    thing is true for offices/businesses that don't have dedicated IT staff,
    they need something that is simple, easy to install, easy to maintain,
    easy to understand with just a little help.
    Leythos, Jun 18, 2004
  4. N1POP Guest

    I did try open- net- and freebsd, but for each one I found I had to
    add some source code and recompile the kernel to use the OS for
    firewalling. I thought that rather inconvenient considering I was
    installing on older technology that made recompiling difficult
    (impossible once time with a space limitation). And, for my needs,
    Smoothwall and IPCop both fit the bill.

    I haven't tried to make my Linux box do any significant routing, it
    just NATs all internal IPs to a single external IP and, because it's a
    private LAN, blocks all unrelated inbounds. I tried to make use of a
    DMZ once, experimentally, but I couldn't make it work (I'm a hobbyist
    with no formal training, could have been my ignorance).

    Still, thanks for the response.
    N1POP, Jun 18, 2004

  5. here's yet another difference of opinion. there's no difference between
    what you're calling a linux/bsd "soft" firewall and an appliance "hard"
    firewall. software runs on both. without software, there would be no
    firewall. these are both the exact same thing, the difference is a small
    appliance running software vs. a system running software.

    it's very easy to do.
    wrong again. the typical user will find it *easier* to protect
    themselves with a quality NAT router (even with stateful packet
    inspection), it's no more and probably a helluva lot less secure than a
    properly installed and configured freebsd firewall with ipf/ipnat.

    while i agree with the above statement, this doesn't mean the user is
    more secure. it's a false sense of security to believe that "...because
    they can configure a drop-in device, they're more secure." This is
    almost security-by-obscurity. Ease of use has absolutely nothing to do
    with being secure. It means they're able to setup a less-secure

    sorta like running microsoft windows eeh?

    just because it's easy, doesn't mean it's better.

    Colonel Flagg, Jun 18, 2004

  6. actually, that tells me a lot about your linux use. If you're
    complaining about compiling a kernel, chances are, you're using a
    vanilla install of your linux flavor, which is and of itself, very

    a custom kernel provides more protection by limiting the functions of
    the kernel and does away with various kernel functions not needed. "out
    of the box" linux (especially the popular flavors) is inherently
    insecure. cumbersome to build a custom kernel? yes. more secure and
    exact in its functionality, yes.

    as was I when I first started.

    Colonel Flagg, Jun 18, 2004
  7. Jim Watt Guest

    No, but being cheaper and more likely to be correctly
    configured by Mr Average are advantages.
    Jim Watt, Jun 18, 2004
    Hairy One Kenobi, Jun 18, 2004
  9. Leythos Guest

    Well we agree on the above. I think that a "firewall" would be secure by
    default and require the user to open ports to allow ANY traffic in or
    Ah, that's our big difference, as a long time developer (since the 70's)
    and someone that has written code for embedded systems, I don't
    associate OS like functions with an OS install. If the system is only
    capable of running a single function it's not really running an OS as OS
    would be defined, it's an embedded system and only capable of one thing.
    Appliances, when they do initialize, load a program out of NVRAM/EEPROM,
    Disk, etc... don't have the ability to do more than their firmware
    permits. A system running an OS is capable of doing more than one
    I used to think that NAT devices were fairly secure, not seen one hacked
    in the default config yet, and none that were properly configured have
    been hacked. On the other hand, someone recently posted a link to a flaw
    in Linksys routers (two units only) that permitted an external user to
    compromise the router (even if properly configured) when left with the
    default subnet. This type of hack requires a user in the LAN to browse
    to a crafted url on a page that will contain the malicious script that
    will compromise the router.

    Now, just so we can be on the same page, I don't (never have) considered
    NAT to be a firewall feature, it's a feature that can be found in
    firewalls, but it should not be confused as being a firewall or firewall
    method - NAT has nothing to do with firewall technology (although
    marketing types are sure making it look like it does).

    There are many true SOHO devices on the market that are "Firewall"
    devices that are not NAT routers disguised as firewalls. Many of these
    devices provide default security as would a typical install of BSD and
    one of the firewall or NAT packages would, but many of them go a step
    further and can "sense" an attack and auto-block the source.

    As an example, I have auto-block rules on all the firewalls that will
    place a 20 minute block on any External IP that attempts to access the
    External IP(s) using ports 135 & 445. Just one rule that helps, in
    general there are about 25 rules per firewall that make and keep things
    secure. Most of these are easy enough for a semi-IT person to pick-up
    with a little explanation and informal training (15 minutes), and then
    they can maintain the system - I've yet to see an IT type that doesn't
    already know nix be able to maintain the box with just 15 minutes of
    informal training.
    Leythos, Jun 19, 2004
  10. rello Guest

    i am setting up a router that has no default ruleset and am not quite
    sure where to start......i have used other routers that come with
    default rules that work straight out of the box...this one has no
    rules set [dlink di-808hv]
    should i block all in and allow all out??
    where to from there?

    rello, Jun 19, 2004
  11. Leythos Guest

    In general, since you have a Router with NAT, you can generally allow
    ALL outbound and none-inbound. That's the way most of those work by

    Some suggestions -

    Change the default network if you can, make it something like
    192.168.10.x. Since it most likely does DHCP, once you change the
    network subnet you will have to do a release/renew on your computer so
    that you can get a new address in the new network that you just created.

    Change the default password

    Disable remote management

    Check to see if there is a firmware upgrade available for it.

    I don't have that router, but, one other thing -

    If you can block outbound ports, block all ports 135 through 139 and
    445. None of these need to leave your network.
    Leythos, Jun 19, 2004
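    The policy rello asked about, with Leythos' suggestions folded in (drop everything inbound, pass outbound, keep 135-139 and 445 off the WAN, use a non-default 192.168.10.0/24 LAN), written as an added example for this thread rather than anything from the D-Link unit. It uses pf syntax instead of the ipf/ipnat mentioned earlier; the interface names em0/em1 are assumptions.

    ```pf
    # /etc/pf.conf -- constructed example: default-deny inbound, permissive
    # outbound, Windows file/print-sharing ports confined to the LAN.
    ext_if  = "em0"                  # Internet-facing NIC (assumed name)
    int_if  = "em1"                  # LAN-facing NIC (assumed name)
    lan_net = "192.168.10.0/24"      # the non-default subnet suggested above
    smb_ports = "{ 135:139, 445 }"   # NetBIOS / RPC / SMB: never needed on the WAN

    set skip on lo0
    scrub in all                     # normalize fragments before filtering

    # Hide the LAN behind the firewall's external address. NAT is translation,
    # not filtering; the block/pass rules below are what provide protection.
    nat on $ext_if from $lan_net to any -> ($ext_if)

    # Baseline: anything not explicitly passed is dropped and logged.
    block in log all
    block out log all

    # Windows sharing traffic must never leave the network, even if a LAN host
    # asks for it. "quick" stops evaluation so no later pass rule can override.
    block out log quick on $ext_if proto { tcp, udp } from any to any port $smb_ports

    # Let the LAN out. State is created on the first packet, so replies are
    # matched by state and no inbound pass rule on $ext_if is required.
    pass in  on $int_if inet from $lan_net to any keep state
    pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any keep state
    ```

    Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; an outbound connection to TCP 445 from a LAN host should then appear in `pflog0` as blocked while port 80 or 443 passes.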
  12. Embedded code is still an OS. Firmware is an OS. Limited in scope, but
    an OS. I agree you'd want your firewall OS limited in scope only
    because more features means more potential holes. But also don't forget
    what enterprise level firewalls like FW1 and Raptor run on.

    Stephen K. Gielda, Jun 19, 2004
  13. Leythos Guest

    Actually, they are not even close to an OS, they're more like a BIOS or
    boot-strap loader than an OS. Think about your PC, the one you are
    typing on, the BIOS is not called an OS, it's the minimum needed to be
    able to load an OS.
    Yep, and I love FW1, but you don't install it on a nix box that you also
    run as a workstation. In fact you don't install it on a box that you use
    for anything other than a firewall, at least none of the people/installs
    I've seen have done it any other way.

    Also, don't forget that many enterprises sit behind an appliance.

    Are we done?
    Leythos, Jun 19, 2004
  14. Kleeb Guest

    Thanks Leythos. Although it wasn't me asking before, I appreciate the tip.


    Kleeb, Jun 19, 2004
  15. rello Guest

    tnx leythos
    rello, Jun 19, 2004
  16. Not quite ;o)

    Having also worked on a major embedded platform, when programming new
    functions I had the option to simply call display and hardware access
    routines - I certainly didn't have to redo all hardware access functions
    each time - they were "part" of the platform I was using.

    Even very low-level stuff, like the Flight Trials software, did not require
    extremely low-level coding - just a *lot* of care.

    Incidentally, my router appliance (Netgear, but really a rebadged Zyxel
    unit) runs embedded Unix. Ditto a plasma cutter I helped out with - it's a
    /lot/ easier starting from a base, than starting from scratch!

    Hairy One Kenobi, Jun 20, 2004
  17. Leythos Guest

    I agree, most of us have libraries of functions/routines that we reuse
    after developing, but that doesn't make the system an OS.
    Leythos, Jun 20, 2004