Vulnerability Development mailing list archives
Dedicated vs "shared use" firewalls
From: forrestc () IMACH COM (Forrest W. Christian)
Date: Thu, 24 Feb 2000 22:18:42 -0700
I hope this is the right forum for this, but what brought this up was the entire Raptor discussion. The way I understand Raptor is that it is code that runs on NT. This makes me really queasy for reasons to be discussed below.

When I recommend a firewall solution, the core of the recommendation is that the firewall run on hardware which is dedicated to the firewall and that all non-firewall network functionality is either disabled or removed. I personally usually recommend a FreeBSD-based NAT/ipfw solution which I have developed if cost is a concern to the user. I have also recommended Cisco PIX and several other options for larger clients.

I worry about firewall solutions which are generally implemented on systems which themselves may or may not be secure. For example, some of the Solaris/Unix-based firewalls make me nervous because people tend to run them on the same Solaris box they have web, mail, and other solutions on. I worry along the same lines about any NT solutions, as I do not feel secure about the underlying NT OS architecture and the services which may be running on an NT box.

I'm also paranoid enough that I usually will either restrict administrative access to the firewall to "physical connectivity" (a la the console or console port) or to a very, very strict set of IPs. If I can't restrict the IP range, or at least restrict it to "inside" users, I do not enable the telnet service, thus ensuring that in most cases at least the administrative part of the firewall won't be compromised.

In the FreeBSD solution I sell, I run a very stripped-down kernel (actually PicoBSD) which has very, very little stuff in it. In fact, the box doesn't have any open, listening IP ports.

So, maybe to draw this to a close and to ask my real question here, I can just say this: I am certain that the security of the underlying OS and the security of the configuration of the underlying system are VERY important to the security of the firewall.

So, that said, is it possible that NT (or pick any OS) based firewalls are generally less secure than, say, a PIX box, because the underlying OS is inherently less secure? Does anyone have any data (or real-life experience) to back this up? Does the tendency of NT to install/enable services "by itself" pose a real security threat? Or, maybe better put, what seems to be the consensus on firewalls running on any given OS (as opposed to a certain firewall product)?

- Forrest W. Christian (forrestc () imach com) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
Solutions for your high-tech problems. (406)-442-6648
----------------------------------------------------------------------
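The post's rule for a dedicated firewall host (no listening ports reachable from the outside, no telnet, admin access only from a strict management address) can be turned into a simple audit. The following is an added example, not code from the original post or from the author's PicoBSD product: it parses BSD-style `netstat -an` output (the sample below is constructed) and flags listeners that violate that policy, assuming a hypothetical management address of 10.0.0.1 and SSH on port 22 as the only permitted service.

```python
"""Audit a firewall host's listening sockets against a 'dedicated firewall' policy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str   # "*" (all interfaces) or a specific local IP
    port: int


def parse_netstat(text):
    """Parse BSD-style `netstat -an` output; keep TCP sockets in LISTEN and all bound UDP sockets."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # header lines and non-IP sockets
        proto, local = fields[0], fields[3]
        addr, _, port = local.rpartition(".")  # BSD netstat joins addr and port with "."
        if not port.isdigit():
            continue
        if proto.startswith("tcp") and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue  # established/closing TCP connections are not listeners
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def audit(listeners, mgmt_addr, allowed_mgmt_ports=frozenset({22})):
    """Return (listener, reason) findings for every socket that breaks the policy."""
    findings = []
    for l in listeners:
        if l.port == 23:
            findings.append((l, "telnet listener: cleartext administrative channel"))
        elif l.addr == "*":
            findings.append((l, "bound to all interfaces, so reachable from the outside"))
        elif l.addr != mgmt_addr or l.port not in allowed_mgmt_ports:
            findings.append((l, "non-management service on a dedicated firewall host"))
    return findings


# Constructed sample output; 10.0.0.1 is the hypothetical inside/management address.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.1.22            *.*                    LISTEN
tcp4       0      0  *.23                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  10.0.0.1.22            10.0.0.50.51234        ESTABLISHED
udp4       0      0  *.514                  *.*
"""

if __name__ == "__main__":
    for listener, reason in audit(parse_netstat(SAMPLE_NETSTAT), "10.0.0.1"):
        print(f"{listener.proto} {listener.addr}:{listener.port}  {reason}")
```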