Security Basics mailing list archives
RE: IPTables Based Firewall Testing
From: "Steve Bremer" <steveb () nebcoinc com>
Date: Thu, 18 Dec 2003 12:28:16 -0600
> Really an IPTables/Netfilter equipped *NIX box is not really the best solution for anyone really concerned about security.

I would have to respectfully disagree. It really depends on what you're using it for. We use it in combination with application proxies running on other hosts so that traffic not only has to go through netfilter, but through the application level proxies as well. Netfilter is used to make sure the traffic must go through the application proxies and as a first layer of defense against directed attacks. I think it does a fine job at it too.

> Fw on OpenBSD still runs a better, more controllable firewall but Netfilter is catching up.

This I'm not so sure about. Both have their strengths/weaknesses. PF is newer than netfilter, but does have some definite benefits (but so does Netfilter). Usually, the required features dictate which one is used where. We use it here in addition to netfilter.

> Comparing an IPTables/Netfilter firewall box against say a Checkpoint (Nokia IPSO), Cisco PIX or even a SonicWall or Watchguard box there is no comparison. Firewall appliances usually run an extremely tightened version of NetBSD or another early BSD (like) system.

This is another one of those gray areas, but I would generally agree with you here. Checkpoint combines application proxies and packet filtering into one box, so it has definite advantages over Netfilter by itself since netfilter is a packet filter (although it does have some extensions that enable it to peek into the application layers just enough so it can handle some of the more "complex" protocols). You can lock down a *BSD or Linux box pretty tight (Watchguard is Linux based). A stripped down Openwall GNU/*/Linux box running with an RSBAC + PaX enhanced kernel makes for a pretty tight (and slim) box. This can also be done with OpenBSD as well (systrace + W^X + ProPolice can be used to achieve similar results).

> Unlike *NIX which can have many software packages installed with multiple vulnerabilities. Appliances are extremely optimized to suit their task and provide smooth operations for that task while a general OS has to think of everything it *may* run.

I would generally agree with this too, but it depends on what the underlying OS is that the appliance runs on. A Cisco PIX has far less code than say an equivalent Linux or OpenBSD box/appliance. Since less code generally = less potential vulnerabilities, this is usually viewed as a benefit. If the appliance vendor has removed a lot of the unneeded functionality of a general purpose OS, that definitely helps.

> We run a Checkpoint Firewall on the Nokia IPSO (IP330) and it's rock solid and extremely secure. But when you pay $80,000 bucks for a firewall you better be getting your money's worth.

Yes indeed! :-) $$$ and available resources are a big factor in choosing. If you don't have the $$$, then it makes your choices a lot simpler.

Steve Bremer
NEBCO, Inc.
System & Security Administrator
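The netfilter-in-front-of-application-proxies arrangement Steve describes, written out as an added example (this is not code from the thread or from NEBCO): a FORWARD policy that lets LAN clients reach only the proxy and lets only the proxy reach the Internet, so no host can bypass the application layer. The interfaces, addresses and proxy port are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: netfilter FORWARD policy that forces LAN
# clients through an application proxy before any traffic reaches the Internet.
# Assumed (constructed) layout: WAN on eth0, LAN 192.168.1.0/24 on eth1,
# proxy host 10.0.0.10 on a DMZ segment eth2, proxy listening on TCP 3128.
IPT="${IPT:-iptables}"
WAN_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
LAN_NET=192.168.1.0/24
PROXY=10.0.0.10
PROXY_PORT=3128

forward_policy() {
    # Default deny: nothing is forwarded unless a rule below allows it.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies for connections the firewall already tracks.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients may open connections only to the proxy service in the DMZ.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$PROXY" \
        -p tcp --dport "$PROXY_PORT" -m state --state NEW -j ACCEPT
    # Only the proxy host may open connections to the Internet, and only for
    # the protocols it actually proxies.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$PROXY" \
        -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # Log (rate-limited) attempts to go around the proxy; these point at
    # misconfigured or compromised LAN hosts. The default policy drops them.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "PROXY-BYPASS: "
}

# Dry run: print each rule instead of handing it to iptables.
print_rule() { printf '%s\n' "$*"; }
preview_rules() { ( IPT=print_rule; forward_policy ); }

case "${1-}" in
    apply)   forward_policy ;;
    preview) preview_rules ;;
esac
```

Run it with `preview` to review the rules as root would apply them with `apply`.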