On Tue, 19 Feb 2002, Martin Peikert wrote:

> > On Tue, 19 Feb 2002, Martin Peikert wrote:
> >
> >> It's not the OS that will solve your problems. The security of an OS is
> >> dependent on the ability and knowledge of its administrator. If you are
> >
> > It's also dependent on its codebase (size, complexity, design,
> > implementation.)
>
> Right, I forgot to mention that - but I thought it's obvious...

To some it is, to others it isn't. Hardly anyone rips out massive useless
amounts of kernel code anymore when building firewalls :(

> >> more familiar with Linux, stay with Linux. If you are interested in an OS
> >> that is focussed on security, try OpenBSD.
> >
> > Familiarity is something that should be balanced against homogeneity of the
> > environment. If your security infrastructure is the same as your server
> > infrastructure, then there's the potential that a single problem will more
> > likely affect both systems.
>
> ACK - it would be better to run _two_ firewalls with _different_
> operating systems.

That's always been my preferred mechanism, with screening routers on each
side for completeness.

> > The OBSD work really has more relevance in servers than firewalls, as most
>
> I cannot agree to that.

IP over IP crashes fixed in Dec., pf and ICMP crashes in Nov. (admittedly
IPv6 packets), and an IPSEC AH overrun last March are potentially
firewallish problems- Given that it's roughly the same timeframe as your
examples (~1y)- and we're at 3 for each OS. NetBSD probably fares about the
same from a firewall perspective between IPFilter and a NAT/ICMP/DF/PMTU
bug- I doubt that FreeBSD is all that much different.

> > of the exploited services shouldn't be running on a firewall in the first
> > place. Other than the ICMP kernel bug recently, there's not much that
> > should have affected a well-configured Linux firewall in the last couple
> > years.
>
> Oops - what about the ip_conntrack_ftp bug (see
> http://www.securityfocus.com/archive/1/177070 for more information)

Sorry, the original questioner only asked about filtering; I tend to deploy
application layer proxies over top of my Linux firewalls- enough products.
In any case, "well-configured" doesn't allow inbound protocol messes such as
FTP- leaving a potential malicious internal user or malcode vector for those
who rely on filtering for FTP.

> or the bug in Linux 2.4 / iptables MAC match module (see
> http://www.securityfocus.com/archive/1/219180 for more information)?

I've never seen a Linux firewall with MAC filtering, but I suppose it's
possible, which is why I said "not much."

> None of them are related in any way to the configuration of the system.

True, but IPFilter has had its fair share of bugs too, and until the license
debacle, it was the default for OBSD. I still tend to prefer IPFilter for my
host-based packet filtering, but not for any especially objective reasons.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
