Security Basics mailing list archives

RE: IPTables Based Firewall Testing


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 17 Dec 2003 14:56:31 -0800


        Really an IPTables/Netfilter equipped *NIX box is not really the
best solution for anyone really concerned about security. Fw on OpenBSD
still runs a better, more controllable firewall but Netfilter is
catching up. Comparing an IPTables/Netfilter firewall box against say a
Checkpoint (Nokia IPSO), Cisco PIX or even a SonicWall or Watchguard box
there is no comparison. Firewall appliances usually run an extremely
tightened version of NetBSD or another early BSD (like) system, unlike
*NIX which can have many software packages installed with multiple
vulnerabilities. Appliances are extremely optimized to suit their task
and provide smooth operations for that task while a general OS has to
think of everything it *may* run.

        We run a Checkpoint Firewall on the Nokia IPSO (IP330) and it's
rock solid and extremely secure. But when you pay $80,000 bucks for a
firewall you better be getting your money's worth. Am I saying that
IPTables is bad? Nope. I run it on all my DMZ hosts to protect them from
'behind-the-firewall' traffic. I personally use IPTables on a Debian box
at home as my firewall. But if I'm protecting a LAN with sensitive
information behind it, a *NIX box with IPtables is farthest from my
mind.

Note: CC'ed to sec-basic list due to relevancy.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: bob richie [mailto:bobr () rentech net] 
Sent: Wednesday, December 17, 2003 2:43 PM
To: Shawn Jackson
Subject: RE: IPTables Based Firewall Testing

Shawn, 
We have a great failover solution for IPTables.  You sound like you use
this quite a bit.  How do you feel it compares to Checkpoint?  We are
looking at running it on BladeFusion for our customers or use
SmoothWall.

Bob Richie
615-254-8324
www.rentech.net

Helping YOU do more on the WEB!

This electronic message transmission contains information from
Renaissance Application Facility which may be confidential or
privileged. The information is intended to be for the use of the
individual or entity named above. If you are not the intended recipient,
be aware that any disclosure, copying, distribution or use of the
contents of this information is prohibited.



-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com] 
Sent: Tuesday, December 16, 2003 4:25 PM
To: Gareth Darby; security-basics () securityfocus com
Subject: RE: IPTables Based Firewall Testing


        I'd run Nessus against it to see if you get anything. Run it
against the external and internal interfaces and that should give you a
pretty good idea of your security outlook.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Gareth Darby [mailto:gdarby () aztech-communications co uk] 
Sent: Tuesday, December 16, 2003 8:02 AM
To: security-basics () securityfocus com
Subject: IPTables Based Firewall Testing



Hi, 

I was wondering what kind of processes would be involved in testing a
firewall built around IPtables.  How could you ensure that the rules are
sufficient? Is a simple port scan enough?

Gareth
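Gareth's question of whether a port scan is enough, and Shawn's advice to check both the external and internal interfaces, as an added example that is not part of the thread: a Python audit over an iptables-save ruleset (a constructed sample here) that reports non-DROP chain policies, ACCEPT rules on a given interface that name no port, accepted ports outside an allow-list, and allowed ports no rule opens, which is what a scan from outside cannot tell you. Interface names, ports and the sample rules are assumptions.

```python
import re

# Constructed sample ruleset in iptables-save format (not from the thread).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 3306 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
COMMIT
"""

def audit_rules(text, iface, allowed_ports):
    """Return findings for INPUT rules on iface, plus chain policies.

    A port scan shows what answers; this shows what the ruleset permits:
    non-DROP INPUT/FORWARD policies, ACCEPT rules on iface that do not
    name a destination port, accepted ports outside allowed_ports, and
    allowed ports that no rule actually opens.
    """
    findings, opened = [], set()
    on_iface = re.compile(rf"-i {re.escape(iface)}(\s|$)")
    for line in text.splitlines():
        m = re.match(r":(INPUT|FORWARD)\s+(\S+)", line)
        if m and m.group(2) != "DROP":
            findings.append(f"{m.group(1)} policy is {m.group(2)}, expected DROP")
        if not (line.startswith("-A INPUT") and "-j ACCEPT" in line):
            continue
        if not on_iface.search(line):
            continue  # loopback, state rules, other interfaces
        port = re.search(r"--dport (\d+)", line)
        if port is None:
            findings.append(f"unrestricted ACCEPT on {iface}: {line}")
            continue
        p = int(port.group(1))
        opened.add(p)
        if p not in allowed_ports:
            findings.append(f"port {p} accepted on {iface} but not allowed")
    for p in sorted(set(allowed_ports) - opened):
        findings.append(f"allowed port {p} has no ACCEPT rule on {iface}")
    return findings

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, "eth0", {22, 80, 443}):
        print("FINDING:", f)
```

Run it once per interface (eth0 for the outside, eth1 for the LAN side here) and read the output against the scan results; a rule the scan never exercised still shows up.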
