> If you think your el-cheapo firewall is offloading routing,
> checksumming, and the like to special hardware, you've been fooled.
Sigh ... I think I have started a war :-{
My main point was that it is easier and cheaper to use a cheap firewall, which
leaves your machines alone to do their main task, is quicker to set up and is
more easily configurable for a client than to go through hours of time
consuming, money-costing exercises with software that is making you lose
trust in the eyes of a client and is probably taking time the original poster
was not getting paid for.
The problem was that IPCop was having trouble with hardware changes (I think
... it was so many posts ago, I forget now). The easy and safe solution is to
put in a hardware firewall. It's a piece of business pragmatism, not a
religious conviction over the way everything should be done. My clients are
happier to pay me to put in a hardware firewall, and spend an hour
configuring it, than they are to see me coming back time after time trying to
resolve problems that are preventing them having their system perform its job
and thus costing them money while it is out of commission. Even if I was to
do the coming back for free it is still costing them time while the system is
out of commission, peeving them off and making them lose confidence in my
solutions and expertise.
If you want to keep your customer happy, put in a solution that gets them
working now and then if you want to and they want to pay for it, put in a
more elegant solution after you have sorted through the problems in a way
that doesn't take their system off line.
I come from a business world / corporate background and spoke as a business
person not a linux hacker, trying to offer a simple, cost effective, and fast
solution to a person who had customers waiting to have their problems
resolved.
As for exploits ... there are very few, and most of them require you to do
something like open up for remote admin which always has inherent dangers no
matter what you are using.
The firewall I pointed to as an example only is a cheap end of the market yet
there are very few exploits for it.
To drop all ports below 1024 is really weird. It kills ftp, telnet, http,
smtp, pop and a host of other services a client may want to run. To kill many
of the ports below 1024 makes sense but not all in one bulk hit unless you
expect nothing to come through to you from external sources, in which case why
firewall? If you expect nothing to come through, you close off all services
and nothing answers back. A good port scan might figure out what O/S software
you are running but surely if nothing responds there is no way of performing a
hack.
Hardware firewalls do use some software for configuration but they also do offload
load some processes to hardware or inbuilt routines. Some tasks don't change.
Different firewalls leave different levels of functioning to hardware /
software differently. There is no one answer to all firewalls using software
/ hardware.
> Security is a process, not a product. You need to keep any firewall
> product up to date with security fixes, and also continuously review
> activity on that firewall.
Agreed. My argument is that pure software solutions are more open to hacks
than hardware based solutions as their dependencies change with upgrading and
the systems they run on can be more easily compromised as they are running
multiple functions on a complex cpu and mixed hardware system. It is like
protecting the president of the USA if you are a secret agent bodyguard
person.
If the president does one job sitting in his desk (like hardware firewall) all
day you set up the security around him, bullet proof the windows, put agents
on all overlooking high ground and anti-aircraft stuff on the roof. You do
review the security but it is easier as you have one set of known parameters.
On the other hand however if you have a president who goes lots of places and
performs lots of tasks (like a computer system) then the places he goes, the
people he sees and the needs are always changing. There are a vast number
more of variables to consider, new changes are coming at you every day and
there are always unknowns you can calculate in. I know which situation I would
rather be in.
> What kind of intrusion detection does your el-cheapo firewall have?
The original post had a list and a url to the site. I personally don't use a
firewall and have had no problems yet as I don't run services or have open
ports. The time it would take me to do it would cost me more than the time
it takes for me to back up my system and restore it. My important stuff is
not network connected, the ultimate in security :-)
>
> I don't know what kind of programming you do, but almost all of the time
> I'm programming, the machine is idle.
Database programming, server testing. I often need to run CPU intensive tasks
and don't want to muck around wasting cycles on stuff I don't have to.
> > I bet my hardware is easier to move and not as vulnerable to
> > corruption as yours :-) comparing a tiny chocolate box sized router to
> > a 486 box is like saying parking a tank is the same as parking a mini.
> > Not true.
>
> OpenBSD or Linux performing a firewalling function and running on a
> small device like a Soekris is pretty easy to move around.
The original post was about a standard 486 box, not a Soekris (which would
cost you over $400 to buy even before you spent time loading it with
software...once again a small firewall is cheaper).
> Almost all of those low-end "firewall" products are junk. They are
> susceptible to all-sorts of DoS and exploits. Do you want to know why
> there are not a lot of exploits listed for that particular device?
> Here's a clue--it's not because it's exploit-free, but because very few
> people are looking at exploiting these devices compared to more
> interesting targets.
I had a friend who claimed the only reason M$ email systems had more viruses
written for them was because more people used them, even after I pointed out
that at the time Lotus Notes was outselling Outlook and had a user base in
excess of 55 million users. He couldn't accept it was because one was more
easy to exploit than the other.
I'm not out for a war ... I just believe in a business setting that to
maintain integrity, get a user back on their feet and be cost effective a
hardware firewall was a viable option to resolve the original poster's
problem.
Respectfully
Shane
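The point Shane makes about blanket "drop everything below 1024" rules, as an added example that is not part of this thread or of IPCop: a small first-match packet-filter evaluator, loosely modelled on iptables INPUT-chain semantics (first matching rule wins, otherwise the chain policy applies). It compares a blanket drop of the privileged port range with an allowlist of the services a site actually runs, and shows that rule order matters. The rule syntax, the rule sets and the packets are constructed for this example; the service port numbers are the standard IANA assignments.

```python
"""Added example, not code from the thread or from any firewall product.

A tiny first-match packet filter used to compare a blanket
"DROP everything below 1024" policy against an allowlist of the
services a site actually exposes. Rule syntax is invented here:
    '<ACCEPT|DROP> <tcp|udp|any> <port or lo:hi>'
"""

from dataclasses import dataclass

# Standard IANA TCP ports for the services named in the thread.
SERVICES = {"ftp": 21, "telnet": 23, "smtp": 25, "http": 80, "pop3": 110}


@dataclass(frozen=True)
class Rule:
    action: str   # "ACCEPT" or "DROP"
    proto: str    # "tcp", "udp" or "any"
    lo: int       # inclusive destination-port range
    hi: int


def parse_rule(text: str) -> Rule:
    """Parse one rule line of the constructed syntax, e.g. 'DROP any 1:1023'."""
    action, proto, ports = text.split()
    lo_s, _, hi_s = ports.partition(":")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if action not in ("ACCEPT", "DROP") or proto not in ("tcp", "udp", "any"):
        raise ValueError(f"bad rule: {text!r}")
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return Rule(action, proto, lo, hi)


def evaluate(rules, proto: str, dport: int, policy: str = "DROP") -> str:
    """First matching rule decides; the chain policy applies when none matches."""
    for r in rules:
        if r.proto in ("any", proto) and r.lo <= dport <= r.hi:
            return r.action
    return policy


def blocked_services(rules, policy: str = "DROP"):
    """Names of the well-known services that inbound TCP could not reach."""
    return sorted(
        name for name, port in SERVICES.items()
        if evaluate(rules, "tcp", port, policy) == "DROP"
    )


# Constructed rule sets. The chain policy is ACCEPT in all three, mirroring the
# "block the privileged range, let the rest through" setup discussed above.
BLANKET = [parse_rule("DROP any 1:1023")]

# Allow only the services this site runs (mail and web), then drop the rest
# of the privileged range.
ALLOWLIST = [parse_rule(r) for r in (
    "ACCEPT tcp 25",
    "ACCEPT tcp 80",
    "DROP any 1:1023",
)]

# Same rules, wrong order: the broad DROP shadows the ACCEPTs that follow it.
MISORDERED = [parse_rule(r) for r in (
    "DROP any 1:1023",
    "ACCEPT tcp 25",
    "ACCEPT tcp 80",
)]


def report(name, rules):
    print(f"{name:10s} blocks: {', '.join(blocked_services(rules, 'ACCEPT')) or 'nothing'}")


if __name__ == "__main__":
    report("blanket", BLANKET)
    report("allowlist", ALLOWLIST)
    report("misordered", MISORDERED)
```

Running it shows the blanket rule refusing all five services, the allowlist refusing only ftp, telnet and pop3 while smtp and http stay reachable, and the misordered set behaving exactly like the blanket one, which is the usual way an allowlist silently fails in practice. The evaluator is also protocol-aware: `ACCEPT tcp 80` does not open UDP port 80, which the trailing `DROP any` rule still catches.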