On Wed, Jul 30, 2003 at 10:10:11AM +0000, Shane Hollis wrote:
> My main point was that it is easier and cheaper to use a cheap
> firewall, which leaves your machines alone to do their main task, is
> quicker to set up and is more easily configurable for a client than to
> go through hours of time consuming, money costing exercises with
> software that is making you lose trust in the eyes of a client and is
> probably taking time the original poster was not getting paid for.
It is only easier to set one of these devices up than a dedicated Linux
firewall if you don't know what you're doing with the Linux software--in
which case, you shouldn't be setting them up for customers in the first
place.
> The problem was that IPCop was having trouble with hardware changes (I
> think... it was so many posts ago I forget now). The easy and safe
I don't think there are many good reasons to be changing the hardware of
a dedicated Linux firewall--unless you're performing an upgrade of the
hardware.
Note, also, that you can't upgrade these el-cheapo firewalls you're
talking about... so if the customer suddenly needs another firewall
port, or some IPsec tunnels, you might find the current hardware unable
to cope and you're stuck.
> solution is to put in a hardware firewall. It's a piece of business
> pragmatism, not a religious conviction over the way everything should
> be done. My clients are happier to pay me to put in a hardware
> firewall, and spend an hour configuring it, than they are to see me
> coming back time after time trying to resolve problems that are
> preventing them having their system perform its job and thus costing
> them money while it is out of commission. Even if I was to do the
> coming back for free it is still costing them time while the system is
> out of commission, peeving them off and making them lose confidence
> in my solutions and expertise.
If you're doing such a poor job of installing a dedicated Linux firewall
that you need to return the customer's site time after time to fix
things, you need another line of employment, or some better education
and experience with the tools you're using.
Your argument seems to hinge on the fact that you're pointing out
potential problems with installing hardware and software that you are
not familiar with. You're going to run into problems if you're not
familiar with the particular "hardware" firewall you're installing, too,
if you don't know a lot about it. You should not be installing
solutions for customers that you don't understand. Period.
> If you want to keep your customer happy, put in a solution that gets
> them working now and then if you want to and they want to pay for it,
> put in a more elegant solution after you have sorted through the
> problems in a way that doesn't take their system off line.
Or you could plan properly, and get it right the first time. Yes, I do
realise that there are times when you need to get a solution in and
working yesterday.
> As for exploits ... there are very few, and most of them require you
> to do something like open up for remote admin which always has
> inherent dangers no matter what you are using.
Assuming there are very few exploits because Google doesn't list them is
naive. Assuming that very few exploits will be found in the future is
also naive.
How good are the TCP/IP stacks in these el-cheapo firewalls? Go and
take a look how many problems have been found in TCP/IP stacks that are
considered to be _very_ good, like Linux and FreeBSD. Do you really
think that similar problems won't exist in other devices?
> To drop all ports below 1024 is really weird. It kills ftp, telnet, http,
> smtp, pop and a host of other services a client may want to run. To kill many
Dropping traffic _inbound_ to your network on all ports < 1024 is not at
all strange.
> of the ports below 1024 makes sense but not all in one bulk hit unless you
> expect nothing to come through to you from external sources, in which case why
> firewall? If you expect nothing to come through, you close off all services
> and nothing answers back. A good port scan might figure out what O/S software
> you are running but surely if nothing responds there is no way of performing a
> hack.
Closing down exploitable services behind the firewall is one step to
help. But on the firewall, you should only be allowing inbound traffic
that you expect. Therefore, if none of the internal machines are
offering services on ports < 1024, why allow traffic in?
> Hardware firewalls do use some software for configuration but they
> also do off load some processes to hardware or inbuilt routines. Some
The "hardware" firewall would have to be fairly high-end before you see
any hardware offloading of packet processing. You certainly don't get
this functionality cheaply.
> Agreed. My argument is that pure software solutions are more open to
> hacks than hardware based solutions as their dependencies change with
> upgrading and the systems they run on can be more easily compromised
Why are you upgrading the firewall? The only time the same problem
might not exist on a "hardware" firewall is because either: you can't
upgrade it, or you don't upgrade it.
> as they are running multiple functions on a complex cpu and mixed
> hardware system. It is like protecting the president of the USA if you
Why is a dedicated Linux firewall running anything more than a
"hardware" firewall? In fact, you can lock a Linux firewall down a lot
tighter--you can completely disable remote management if you really want
to.
> > What kind of intrusion detection does your el-cheapo firewall have?
> The original post had a list and a url to the site. I personally don't
> use a firewall and have had no problems yet as I don't run services or
Let me help you answer the question:
Q: What kind of intrusion detection does your el-cheapo firewall have?
A: None.
> The original post was about a standard 486 box, not a Soekris (which
> would cost you over $400 to buy even before you spent time loading it
> with software...once again a small firewall is cheaper).
Yes, you can buy something cheaper and far less functional. You can
also build something cheaper too. That was just an example.
> I had a friend who claimed the only reason M$ email systems had more
> viruses written for them was because more people used them, even after
> I pointed out that at the time Lotus Notes was outselling Outlook and
> had a user base in excess of 55 million users. He couldn't accept it
> was because one was more easy to exploit than the other.
In this comparison, Outlook/Exchange is recognised to be a software
suite which is known for insecure default settings, and to be
particularly vulnerable to exploits.
What I am talking about is Linux, OpenBSD, or another free Unix-like
system performing a dedicated firewalling function compared to a
"hardware" firewall performing the same task. Which do you think has
had more testing and code/security reviews performed on it? Which of
these has a huge wealth of experience and documentation to back it up?
Cheers,
-mjg
--
Matthew Gregan |/
/| [EMAIL PROTECTED]
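The default-deny inbound policy argued for in the message above (allow only the inbound traffic you expect, so unserved ports below 1024 never answer, while replies to connections the inside opened still get through), as an added iptables example that is not part of the original thread. The WAN interface name, the single permitted service port and the `run` dry-run wrapper are assumptions; rules are only printed unless APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal default-deny
# inbound ruleset for a dedicated Linux iptables firewall.
# Assumptions: WAN is a placeholder interface name, ALLOW_TCP is the one
# service we expect inbound; both can be overridden from the environment.
WAN="${WAN:-eth0}"
ALLOW_TCP="${ALLOW_TCP:-22}"

# run: apply the rule when APPLY=1, otherwise print it (dry run).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # Default policy: anything not explicitly accepted below is dropped,
    # which covers every port < 1024 that no internal host is serving.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections initiated from the inside are the "expected"
    # traffic: conntrack admits them even when they arrive on low ports,
    # without opening those ports to new connections from outside.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$WAN" -m state --state INVALID -j DROP
    # The single inbound service we actually offer.
    run -A INPUT -i "$WAN" -p tcp --dport "$ALLOW_TCP" \
        -m state --state NEW -j ACCEPT
    # Log (rate-limited) what falls through to the DROP policy so the
    # firewall's own logs double as a crude intrusion record.
    run -A INPUT -i "$WAN" -m limit --limit 5/min \
        -j LOG --log-prefix "FW-DROP: "
}

build_rules
```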