Educause Security Discussion mailing list archives
Re: PIX/AS Vs. Linux/IPtables
From: David Gillett <gillettdavid () FHDA EDU>
Date: Wed, 30 Sep 2009 14:23:29 -0700
"Admin misconfigured something" and "compromise allows attacker to change rules" are threats -- very likely the two biggest threats to a firewall. Assessing a risk involves considering not just the threat but also the probability of its occurrence and the damage that can result. And since the potential damage is the same, it's the probability of threat "success" that is the distinguishing factor.

Administration of a dedicated firewall box like a PIX or ASA is all done through essentially one administrative platform, and the configuration can be saved and examined as a single file. Administration of an iptables box involves at minimum both administration of the iptables configuration and of the underlying Linux O/S. Even though some appliance vendors may use a Linux-based kernel underneath their firewall, it is generally a hardened version with little or no administrative access provided or required. This doesn't directly reduce the chance of a sloppy admin fat-fingering something in the firewall configuration. It DOES though minimize the chance of an admin, thinking about some issue besides the firewall rules, accidentally leaving the box open to attack.

The above assumes that the O/S admin and the firewall admin are the same person, who is generally competent at both tasks. In some organizations, they might not be. Even an experienced Linux admin might not be as expert at hardening a system as the appliance vendor's staff...

Since iptables will run on top of a more or less generic Linux install, there is going to be a certain amount of economic incentive to run other applications on the same box. And the implications of that are three-fold:

1. In addition to firewall and O/S admin roles, you add application admin roles. Even if they are all one person, you multiply the use of administrative access for issues not directly relating to the firewall configuration and possibly with unintended implications.

2. In addition to vulnerabilities in the O/S as configured and in iptables, you potentially add any vulnerabilities in applications deployed to that box. You "increase the attack surface" of a critical security system, exposing it to additional attack vectors.

3. Linux, like any general purpose O/S, is designed to allow third-party code modules to be loaded and executed. You hope that it will do this for authorized applications that you need to run. Preventing it from loading and running an attacker's arbitrary code modules becomes a non-trivial exercise. A special-purpose O/S, or a sufficiently hardened system built on a Linux kernel, is designed to prevent all but tightly controlled code modules from ever getting a chance to execute. That doesn't guarantee immunity from compromise, but it places the bar not just higher but in a completely different realm.

My conclusion is that a Linux box running iptables represents a higher RISK of compromise than a dedicated appliance in the same role. What remains is to consider the value of the information assets to be protected versus the costs of the two approaches. For a great many organizations, the lower price tag of iptables is going to outweigh any attendant increased risk.

David Gillett CISSP CCNP
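An added audit sketch (not from the thread, nor any vendor's tooling) that checks the extra exposures the post attributes to an iptables host beyond the rule set itself: default chain policies from an `iptables-save` dump, whether kernel module loading has been locked down with the real `kernel.modules_disabled` sysctl, and services listening on the box beyond the one the firewall admin expects. All inputs are constructed samples; the allowed-port set and the `audit` function are this example's own choices.

```python
"""Audit an iptables host for exposure outside the firewall rules themselves."""
import re

# Constructed sample of `iptables-save` output (not from a real host).
IPTABLES_SAVE = """*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
COMMIT
"""
# Constructed sample of `sysctl -a` output. kernel.modules_disabled=1 is a
# one-way switch that stops further module loading until reboot.
SYSCTL = """kernel.modules_disabled = 0
net.ipv4.ip_forward = 1
"""
# Constructed listening sockets, as `ss -ltn` would report them.
LISTENING = ["0.0.0.0:22", "0.0.0.0:80", "0.0.0.0:3306"]
ALLOWED_PORTS = {22}  # assumption: SSH is the only service a firewall box should expose


def default_policies(dump):
    """Map chain name -> default policy from the ':CHAIN POLICY [p:b]' lines."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^:(INPUT|FORWARD|OUTPUT) (\w+)", dump, re.M)}


def audit(dump, sysctl, listening, allowed=ALLOWED_PORTS):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    policies = default_policies(dump)
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} default policy is {policies.get(chain)}, not DROP")
    if not re.search(r"^kernel\.modules_disabled = 1$", sysctl, re.M):
        findings.append("kernel.modules_disabled != 1: arbitrary kernel modules can still load")
    # Every listening port outside the allowed set is application attack surface
    # living on the firewall host (the post's point 2).
    for sock in listening:
        port = int(sock.rsplit(":", 1)[1])
        if port not in allowed:
            findings.append(f"unexpected service listening on port {port}")
    return findings


if __name__ == "__main__":
    for line in audit(IPTABLES_SAVE, SYSCTL, LISTENING) or ["no findings"]:
        print(line)
```

On a live host the three inputs would come from `iptables-save`, `sysctl -a` and `ss -ltn`; the checks are the same.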
Current thread:
- PIX/AS Vs. Linux/IPtables ron behrang (Sep 29)
- Re: PIX/AS Vs. Linux/IPtables Gary Dobbins (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables HALL, NATHANIEL D. (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables Justin Azoff (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables Joe Vieira (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables Gary Dobbins (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables John Ladwig (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables David Gillett (Sep 30)