If you at all consider the computer based firewall solution, openbsd is
worth at least a look.
Bri
On Mon, 26 Mar 2001, Allen May wrote:
> Is the outside interface still open to SSH connections? If so & it's
> compromised, Linux is a full blown operating system that, when compromised,
> can have ANY program designed for Linux installed. Can you imagine
> something like a packet analyzer grabbing all your passwords and sending
> them out over the net to someone else? Ewww. That's my #1 reason for going
> with something like a PIX. Just make sure you're IDS is set to notify even
> in the event of a SUCCESSFUL connection. I've seen people who set it up for
> unsuccessful attempts only.
>
> I hope that guy wasn't fired BECAUSE he recommended the Cisco solution.
> That's totally a matter of point of view on that decision & his wasn't
> wrong..neither was the Linux choice. Some situations call for one while
> others call for the other.
>
> Oh and keep a copy of the correctly configured drive with all settings on
> hand. A hard drive is much more prone to failure than RAM/ROM just due to
> the moving parts involved.
>
> Allen
> ----- Original Message -----
> From: "Sean Young" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>
> Sent: Sunday, March 25, 2001 3:05 PM
> Subject: Re: Performance Comparision between Linux OS Firewall and Cisco PIX
> 525
>
>
> > Ken,
> > Thank you very much for the advice. This past Friday, my company has
> > decided to use Linux as our company Firewall. Furthermore, we've decided
> > that this Firewall will be running kernel 2.4.2 with only two services
> > running on it, SSH and netfilter (aka iptables). I've tested kernel
> > 2.4.2 in the lab and notice it performs better than kernel 2.2.x. I've
> also
> > performed various intrusion detection tests on the box using
> > Cisco NetSonar, Cybercop, ISS, Axent Netrecon but is unable to break
> > it. The linux box is rock-solid. I am also running portsentry (IDS)
> > on the Firewall itself.
> >
> > Also, we decide to running our squid proxy server on another linux box
> > to provide transparent caching for our internal users. As far as VPN is
> > concerns, we are going to implement FreeS/WAN on another box. I think
> > in the long run, it is going to save the company a lot of money. We
> > end up not buying the PIX and web-caching engine from Cisco. Oh, the
> > networking guy in our group who recommends Cisco PIX and Cisco web-
> > caching engine as a solution, he has been fired. Go figure.
> >
> > Regards,
> > Sean
> > P.S. Priscilla, why not implementing TRANSPARENT caching by using squid
> > to speed up internet connection for your users? Squid is free and very
> > secure and easy to use.
> >
> > >From: [EMAIL PROTECTED]
> > >Reply-To: [EMAIL PROTECTED]
> > >To: [EMAIL PROTECTED], "Stuart Brockwell" <[EMAIL PROTECTED]>
> > >Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
> > >PIX 525
> > >Date: Sat, 24 Mar 2001 20:02:26 -0800
> > >
> > >Sean,
> > >
> > >Comments imbedded:
> > >
> > >On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:
> > >
> > > > Hi Sean,
> > > > I am a Linux head my self, and one of our firewalls is in fact
> > > > running
> > > > on a Linux box. The only problem with this type of firewall is that
> > > > you inherit all of the known bugs that the software has. Given that
> > > > the source code to Linux is widely available, you have a lot of very
> > > > talented people out there who know these holes and are able to exploit
> > > > them very easily.
> > >
> > >It also means that there are a lot of talented people who are looking
> > >at the code to make sure that any holes are patched. In fact, when
> > >new exploits are found, Linux is usually the fastest platform to have
> > >a patch available. Compare this to having to wait weeks for vendor
> > >patches or having to prove to a vendor that a problem exists.
> > >
> > >Also, a service can only be exploited if it is running. A properly
> > >configured firewall doesn't run unecessary services, this makes it
> > >very difficult to exploit. Essentially, it would come down to trying to
> > >DoS it or running a password guessing program against it to get
> > >remote access.
> > >
> > >
> > > If you
> > > > maintain your own Linux firewall, you will need to continuously look
> > > > for the latest bug fixes to install on your Linux box to address the
> > > > latest round of holes that have been released.
> > >
> > >If the Linux firewall is properly setup, the only services running on it
> > >are ipchains and SSH. This means that you have to be aware of 2
> > >services. While there could always be a local exploit, if only
> > >trusted admins have access, the trouble with keeping up patches
> > >is minimal. It is certainly no more trouble than keeping up with
> > >bugs on a vendor platform.
> > >
> > > >
> > > > Cisco and companies such as Watch Guard closely guard their source
> > > > code, often you can elect to take on a maintenance contract with the
> > > > firewall where you recieve all the latest fixes for a 12 month period
> > > > (this is what we did). As this is their bread and butter, they spend
> > > > a lot of time looking for holes and fixes to known bugs.
> > > >
> > >
> > >While true, this doesn't mean that their code will have fewer bugs
> > >or that the bugs will be patched quicker. There is a very large
> > >support community for Linux that is very technical. Most bugs are
> > >patched in a matter of days, sometimes hours.
> > >
> > >
> > > > the main plus for each of
> > > > the commercial packages is that there is large support base, where as
> > > > skilled Linux admin staff who can lock down a firewall are very few
> > > > and far between.
> > >
> > >This is simply not true. There is a very large community of Linux
> > >developers and admins, and most of them are very knowledgable.
> > >There are good mailing lists and _plenty_ of good Linux
> > >security/firewall books, articles, web sites, etc. available.
> > >
> > >Locking down a Linux box is not rocket science. That is FUD that
> > >is propagated by vendors who want to sell product. It's not hard to
> > >configure a Linux box to be secure, the difficulty comes in running
> > >lots of services and providing access to users. If you have a box
> > >that runs web, ftp, smtp, nfs, etc., then it becomes much harder to
> > >secure, but none of these services should be running on a firewall.
> > >
> > >The bottom line is that there are several good commercial firewalls,
> > >but that doesn't mean that a Linux box cannot serve as a good, low-
> > >end alternative. Especially if cost is one of the main decision
> > >factors.
> > >
> > >-Kent
> > >
> > >
> > >
> > >
> > >_________________________________
> > >FAQ, list archives, and subscription info:
> > >http://www.groupstudy.com/list/cisco.html
> > >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
> > _________________________________________________________________
> > Get your FREE download of MSN Explorer at http://explorer.msn.com
> >
> > _________________________________
> > FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
>
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
