Security Basics mailing list archives

RE: IPTables Based Firewall Testing


From: "Steve Bremer" <steveb () nebcoinc com>
Date: Thu, 18 Dec 2003 12:28:16 -0600

> Really an IPTables/Netfilter equipped *NIX box is not really the best
> solution for anyone really concerned about security.

I would have to respectfully disagree.  It really depends on what
you're using it for.  We use it in combination with application
proxies running on other hosts so that traffic not only has to go
through netfilter, but through the application-level proxies as well.
Netfilter is used to make sure the traffic must go through the
application proxies and as a first layer of defense against directed
attacks.  I think it does a fine job at it too.

> Fw on OpenBSD still runs a better, more controllable firewall but
> Netfilter is catching up.

This I'm not so sure about.  Both have their strengths/weaknesses.  
PF is newer than netfilter, but does have some definite benefits (but 
so does Netfilter).  Usually, the required features dictate which one 
is used where.  We use it here in addition to netfilter.

> Comparing an IPTables/Netfilter firewall box against say a
> Checkpoint (Nokia IPSO), Cisco PIX or even a SonicWall or Watchguard
> box there is no comparison. Firewall appliances usually run an
> extremely tightened version of NetBSD or another early BSD (like)
> system.

This is another one of those gray areas, but I would generally agree 
with you here.  Checkpoint combines application proxies and packet 
filtering into one box, so it has definite advantages over Netfilter 
by itself since netfilter is a packet filter (although it does have 
some extensions that enable it to peek into the application layers 
just enough so it can handle some of the more "complex" protocols).

You can lock down a *BSD or Linux box pretty tight (Watchguard is
Linux-based).  A stripped down Openwall GNU/*/Linux box running with
an RSBAC + PaX enhanced kernel makes for a pretty tight (and slim)
box.  This can also be done with OpenBSD as well (systrace + W^X +
ProPolice can be used to achieve similar results).

> Unlike *NIX, which can have many software packages installed
> with multiple vulnerabilities, appliances are extremely optimized to
> suit their task and provide smooth operations for that task while a
> general OS has to think of everything it *may* run.

I would generally agree with this too, but it depends on what the 
underlying OS is that the appliance runs on.  A Cisco PIX has far 
less code than say an equivalent Linux or OpenBSD box/appliance.  
Since less code generally = less potential vulnerabilities, this is 
usually viewed as a benefit.  If the appliance vendor has removed a 
lot of the unneeded functionality of a general purpose OS, that 
definitely helps.

> We run a Checkpoint Firewall on the Nokia IPSO (IP330) and it's
> rock solid and extremely secure. But when you pay $80,000 bucks for a
> firewall you'd better be getting your money's worth.

Yes indeed! :-)  $$$ and available resources are a big factor in 
choosing.  If you don't have the $$$, then it makes your choices a 
lot simpler.

Steve Bremer
NEBCO, Inc.
System & Security Administrator
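The two points Steve makes above, a netfilter box whose only job is to force traffic through application proxies on other hosts, and netfilter's helper extensions that peek just far enough into the application layer to track "complex" protocols such as FTP, can be shown as one concrete ruleset. The script below is an added example and is not code from the original post or from NEBCO; the interface names (eth0/eth1/eth2), the RFC 5737 documentation addresses, the proxy port 3128 and the choice of permitted outbound ports are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. A deny-by-default netfilter
# ruleset for a box that sits between an internal LAN, a DMZ holding the
# application proxy, and the Internet. Clients may only reach the proxy;
# only the proxy may originate connections outward. Interface names, the
# RFC 5737 documentation addresses and the port numbers are assumptions.
set -eu

LAN_IF=${LAN_IF:-eth1}                    # internal clients
DMZ_IF=${DMZ_IF:-eth2}                    # application-proxy segment
WAN_IF=${WAN_IF:-eth0}                    # Internet
LAN_NET=${LAN_NET:-192.0.2.0/24}          # constructed client network
PROXY_HOST=${PROXY_HOST:-198.51.100.10}   # constructed proxy address
PROXY_PORT=${PROXY_PORT:-3128}

# Print the whole ruleset in iptables-restore format so it can be loaded
# atomically; a half-applied ruleset is itself a failure mode.
emit_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Protocol helpers (the "peek into the application layer" extensions) are
# not auto-assigned on current kernels; bind the FTP helper explicitly and
# only for the proxy's outbound control connections.
-A PREROUTING -i $DMZ_IF -s $PROXY_HOST -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# New TCP connections must start with SYN; drop anything else before it is
# tracked.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Replies to tracked connections; RELATED covers helper-expected data
# connections such as FTP data channels.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Management of the firewall itself: SSH from the LAN only.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Clients may talk to the proxy, and to nothing else.
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $PROXY_HOST -p tcp --dport $PROXY_PORT -m conntrack --ctstate NEW -j ACCEPT
# Only the proxy may originate Internet connections: FTP control, HTTP(S), DNS.
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $PROXY_HOST -p tcp -m multiport --dports 21,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $PROXY_HOST -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Everything else is logged (rate-limited) and falls through to the DROP policy.
-A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "fw-bypass-attempt: "
-A FORWARD -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "fw-inbound-drop: "
COMMIT
EOF
}

# Apply atomically; iptables-restore rejects the whole file on any error,
# so the running ruleset is never left in a partial state.
apply_rules() {
    emit_rules | iptables-restore
}

case "${1:-}" in
    --dry-run) emit_rules ;;
    --apply)   apply_rules ;;
esac
```

Run it with `--dry-run` to review the generated ruleset and `--apply` (as root) to load it. The property worth checking after any edit is that no ACCEPT rule leaves the WAN interface for a source other than the proxy host; if a client can reach the Internet directly, the proxies are no longer mandatory and the design Steve describes collapses into a plain packet filter.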
