On Tue, Jul 29, 2003 at 03:33:39PM +0000, Shane Hollis wrote:
> > > Hardware firewalls cannot be software cracked,
"Hardware" firewalls run software.
> Yes that is true and false. Most of the OS is hardware based. There
The claim that "most of the OS is hardware based" is complete rubbish.
If you think your el-cheapo firewall is offloading routing,
checksumming, and the like to special hardware, you've been fooled.
> are some software parts which allow configuration and minor changes to
> the functioning. Some hardware has been vulnerable. It is like
> everything, GIGO. A good solid and proved firewall won't go changing
> on you over time and should remain secure. New exploits come out for
Security is a process, not a product. You need to keep any firewall
product up to date with security fixes, and also continuously review
activity on that firewall.
What kind of intrusion detection does your el-cheapo firewall have?
> My working machine doesn't have to muck around losing CPU cycles doing
> routine filtering or routing tasks but instead can concentrate on my
> needs. It's the same reason I don't play or encode MP3 files or Ogg
> files while programming or running a long calculation.
Unless you are filtering a very large number of packets per second, you
won't notice any additional load when doing packet filtering on your
workstation.
I don't know what kind of programming you do, but almost all of the time
I'm programming, the machine is idle.
> I bet my hardware is easier to move and not as vulnerable to
> corruption as yours :-) comparing a tiny chocolate box sized router to
> a 486 box is like saying parking a tank is the same as parking a mini.
> Not true.
OpenBSD or Linux performing a firewalling function and running on a
small device like a Soekris is pretty easy to move around.
> > > Another nice feature is that they can deal with DHCP, be moved
> > > where ever you want, allow you to shut down your servers for maintenance
> > > and you can generally set and forget them.
Running DHCP directly on your firewall is yet another avenue for
malicious persons to exploit the machine.
> Which I have yet had need to do ...
> The example above is better for me than you I am afraid Nick. Banning
> all packets below 1024 is a pretty weird thing to do and it doesn't
Rubbish. It's a very good idea to drop or reject packets on ALL ports
that you are not expecting data on. Dropping packets on ports < 1024 is
quite common, considering that a huge host of exploitable services are
often found running on low, well-known ports.
> allow intrusion. It only locks the firewall. I bet IPCop has been
> penetrated a few times. I am still looking for a valid penetration of
> the FM114P (non-wireless) on google and haven't found one.
Almost all of those low-end "firewall" products are junk. They are
susceptible to all sorts of DoS and exploits. Do you want to know why
there are not a lot of exploits listed for that particular device?
Here's a clue--it's not because it's exploit-free, but because very few
people are looking at exploiting these devices compared to more
interesting targets.
Cheers,
-mjg
--
Matthew Gregan |/
/| [EMAIL PROTECTED]
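The default-deny policy argued for above (drop everything you are not expecting, log it so it can be reviewed, and keep DHCP off the outside interface) looks like this on an OpenBSD pf box of the Soekris kind mentioned in the message. This is an added illustration, not a ruleset from anyone in the thread; the interface names sis0/sis1 and the 192.168.1.0/24 LAN are assumptions.

```pf
# /etc/pf.conf -- added example, not from the thread.
# Assumed: sis0 faces the Internet, sis1 faces the LAN (Soekris-style board).
ext_if  = "sis0"
int_if  = "sis1"
lan_net = "192.168.1.0/24"

set skip on lo0
scrub in all

# Default policy: silently drop (not reject) anything not explicitly allowed,
# and log it so the activity on the firewall can actually be reviewed.
block drop log all

# Drop packets arriving on the outside with a source address they cannot have.
antispoof quick for $ext_if inet

# Let the LAN out and track state so only the replies come back in.
# No inbound rule exists for the outside interface at all, so every port,
# including every well-known port below 1024, stays closed there.
pass in  on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state
pass out on $ext_if from ($ext_if) to any keep state

# The one inbound service we expect: SSH to the firewall, from the LAN side only.
pass in on $int_if proto tcp from $lan_net to ($int_if) port 22 flags S/SA keep state

# If DHCP must be served, it is served on $int_if only; UDP 67/68 on $ext_if
# falls under the default block above and never reaches the daemon.
pass in on $int_if proto udp from any port 68 to any port 67 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the dropped-and-logged packets can then be watched with `tcpdump -n -e -ttt -i pflog0`, which is the review step the message says a firewall needs in addition to being kept patched.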