Paul M Sargent wrote:
>
> Hi all,
>
> I just subscribed to the list, so please excuse me if I'm making a huge faux
> pas here.
>
> Where I work we currently have a commercial packet firewall which is
> starting to show problems. The major one is that it has a limited user
> license and we outgrew it a long time ago. It's long past the time that we
> should have replaced it.
>
> I am debating whether to propose a Linux (probably Debian, I like the
> maintainability of it) based firewall, but I can guess the concerns about
> security. That is why I'm here.
>
> <flame retardant suit on>
> Does a Linux based firewall come up to scratch when compared to a commercial
> one? Are there issues I should know about?
> <suit off>

<me too?>

In my opinion YES. My company is selling Debian-based firewalls (I just have a project with a 12-port firewall running) and our customers are very happy with them. The product will be named Gibraltar, but at the moment there is no installation procedure and no real configuration environment. I just started playing with package configurations to get a tight firewall system. Two packages that were created for Gibraltar are already in the main Debian distribution: logcheck and pptpd (I am the maintainer).

> Obviously there are lots of great things about having your security under
> public review (fast fixes, tried and tested systems, etc). I just want to
> know, before I stick my neck out, is there anything I could get shot down
> for.

This is the main reason why I use Linux: the public review.

> As far as my limited understanding goes, I can't see things getting much
> more secure than a Linux box with just the kernel (configured for masq and
> firewalling), a few network tools (route, ipchains) and a shell. No other
> services on the box.

True. Our firewalls only have two ports open: the SSH port for administration and the HTTPS port for getting traffic information from it (nice GIFs created by ipac). BTW, does anybody know a really small web server for Linux that has SSL support? It should be really small, just SSL and user authentication (plain passwords are enough when going over SSL). All other ports are set to deny and logging.

There is only one problem compared to the commercial firewalls: the administration interface. With Linux you are on your own at the moment (although I am working on designing a tool for configuring the network and firewalling rules). I recommend the use of the ifup/ifdown commands in Debian netbase and fwctl (a Debian package too) for firewalling rules. If you want to use the advanced routing features of the 2.2.x kernel, you can do so by putting the ip commands in the /etc/network/interfaces file, but you have to use the ip syntax. No config tool for this.

> Am I thinking in the right way?

Definitely!

> It's then just a matter of what you allow...right?

Sure.

Summary: I think (this is only my personal opinion, vendors of commercial firewalls may have other opinions) that Linux can be as secure as commercial firewalls are. This can be achieved with only the standard set of programs and a stock Linux kernel > 2.2.x (because of the advanced features I recommend 2.2.x over 2.0.x).

The main disadvantage is the configuration (no nice Windows programs to do it with drag and drop). Feel free to ask me details about implementations of specific features.

greets,
Rene
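What the setup described in this thread looks like as an actual ipchains (kernel 2.2) ruleset, as an added example that is not part of the mail and not Gibraltar's own configuration: masquerading for the LAN, only SSH and HTTPS reachable on the firewall itself, default policies DENY, and a final logging catch-all because a chain policy never logs. The interface names eth0/eth1 and the LAN prefix 192.168.1.0/24 are assumptions. The script prints the commands instead of running them so the rule list can be reviewed (or checked) on a box without ipchains; pipe the output to sh on the firewall to apply it.

```shell
#!/bin/sh
# Added example: ipchains ruleset for a masquerading Debian firewall that
# only offers SSH and HTTPS itself and denies+logs everything else.
# Interface names and LAN prefix are assumptions for the example.
EXT_IF=eth0              # assumed: interface facing the Internet
INT_IF=eth1              # assumed: interface facing the LAN
LAN_NET=192.168.1.0/24   # assumed: private LAN behind the firewall

# Emit the commands rather than executing them; "sh fw.sh --print | sh"
# applies them on the firewall.
fw_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
# anti-spoofing: LAN source addresses must never arrive on the outside
ipchains -A input -i $EXT_IF -s $LAN_NET -j DENY -l
# the only two services the firewall offers: SSH (22) and HTTPS (443)
ipchains -A input -p tcp -d 0/0 22 -j ACCEPT
ipchains -A input -p tcp -d 0/0 443 -j ACCEPT
# ipchains is stateless: replies to connections we (or masqueraded LAN
# hosts) opened have no SYN, so let non-SYN TCP in; DNS answers by port.
# Caveat: other UDP replies to masqueraded LAN clients need their own rules.
ipchains -A input -p tcp ! -y -j ACCEPT
ipchains -A input -p udp -s 0/0 53 -j ACCEPT
ipchains -A input -p icmp -j ACCEPT
# the LAN may talk to the firewall (and through it)
ipchains -A input -i $INT_IF -s $LAN_NET -j ACCEPT
ipchains -A output -j ACCEPT
# masquerade LAN traffic leaving on the external interface
# (in the forward chain -i is the outgoing interface)
ipchains -A forward -i $EXT_IF -s $LAN_NET -j MASQ
# everything else: deny and log (a policy alone does not log)
ipchains -A input -j DENY -l
ipchains -A forward -j DENY -l
EOF
}

# Checks worth running before loading the rules: the input and forward
# policies are DENY, and the logging catch-all is the last rule of each
# of those chains, so nothing is silently dropped by the policy.
check_rules() {
    rules=$(fw_rules)
    echo "$rules" | grep -q '^ipchains -P input DENY$'   || return 1
    echo "$rules" | grep -q '^ipchains -P forward DENY$' || return 1
    for chain in input forward; do
        last=$(echo "$rules" | grep "^ipchains -A $chain " | tail -n 1)
        case "$last" in
            *"-j DENY -l") ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Number of ipchains invocations the ruleset contains (comments excluded).
count_rules() {
    fw_rules | grep -c '^ipchains'
}

if [ "${1:-}" = "--print" ]; then
    check_rules || { echo "ruleset sanity check failed" >&2; exit 1; }
    fw_rules
fi
```

The broad `! -y` accept is the usual ipchains compromise for a stateless filter: it lets established connections continue but also admits any non-SYN TCP segment to the stack, which is one of the reasons to move to the stateful filtering of later kernels once available; until then, keeping no other services listening, as the thread recommends, is what makes that rule acceptable.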

