Security Basics mailing list archives
RE: IPTables Based Firewall Testing
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 18 Dec 2003 11:26:37 -0800
Well said, I tip my hat to you. In your setup you've introduced more systems handling specific functions that a good firewall appliance would do in one box. Now that's not a problem if you can allocate the manpower and expertise to maintain, monitor and update those systems, constantly. In addition you can take into account the space used up by the additional equipment, maintenance contracts on the additional hardware, cooling costs and power usage, and additional network load from the supplementary equipment. If we compare that to a Checkpoint solution your ROI could easily be lower.

Now there are a plethora of tools out there that make managing a *NIX firewall and proxy solutions loads easier, but the same can be said for the appliance solution. I personally think handling a netfilter firewall is far easier than handling a PIX, but I'm sure our Cisco guys on the list could argue the other way. I tend to think of an IPTables firewall like the one you can get on Cisco routers with the PLUS/FW/IDS IOS trains, and I think they would be pretty on par.

All in all I'm a K.I.S.S. man (Keep It Simple, Stupid), especially when it comes to security. The more complicated your solution is, the easier it is for something to slip through the cracks or be overlooked.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Steve Bremer [mailto:steveb () nebcoinc com]
Sent: Thursday, December 18, 2003 10:28 AM
To: security-basics () securityfocus com
Cc: Shawn Jackson
Subject: RE: IPTables Based Firewall Testing
> Really an IPTables/Netfilter equipped *NIX box is not really the best
> solution for anyone really concerned about security.

I would have to respectfully disagree. It really depends on what you're using it for. We use it in combination with application proxies running on other hosts so that traffic has to not only go through netfilter, but the application level proxies as well. Netfilter is used to make sure the traffic must go through the application proxies and as a first layer of defense against directed attacks. I think it does a fine job at it too.

> Fw on OpenBSD still runs a better, more controllable firewall but
> Netfilter is catching up.

This I'm not so sure about. Both have their strengths/weaknesses. PF is newer than netfilter, but does have some definite benefits (but so does Netfilter). Usually, the required features dictate which one is used where. We use it here in addition to netfilter.

> Comparing an IPTables/Netfilter firewall box against say a Checkpoint
> (Nokia IPSO), Cisco PIX or even a SonicWall or Watchguard box there is
> no comparison. Firewall appliances usually run an extremely tightened
> version of NetBSD or another early BSD (like) system.

This is another one of those gray areas, but I would generally agree with you here. Checkpoint combines application proxies and packet filtering into one box, so it has definite advantages over Netfilter by itself since netfilter is a packet filter (although it does have some extensions that enable it to peek into the application layers just enough so it can handle some of the more "complex" protocols). You can lock down a *BSD or Linux box pretty tight (Watchguard is Linux based). A stripped down Openwall GNU/*/Linux box running with an RSBAC + PaX enhanced kernel makes for a pretty tight (and slim) box. This can also be done with OpenBSD as well (systrace + W^X + ProPolice can be used to achieve similar results).

> Unlike *NIX which can have many software packages installed with
> multiple vulnerabilities. Appliances are extremely optimized to suit
> their task and provide smooth operations for that task while a general
> OS has to think of everything it *may* run.

I would generally agree with this too, but it depends on what the underlying OS is that the appliance runs on. A Cisco PIX has far less code than say an equivalent Linux or OpenBSD box/appliance. Since less code generally = less potential vulnerabilities, this is usually viewed as a benefit. If the appliance vendor has removed a lot of the unneeded functionality of a general purpose OS, that definitely helps.

> We run a Checkpoint Firewall on the Nokia IPSO (IP330) and it's rock
> solid and extremely secure. But when you pay $80,000 bucks for a
> firewall you better be getting your money's worth.

Yes indeed! :-) $$$ and available resources are a big factor in choosing. If you don't have the $$$, then it makes your choices a lot simpler.

Steve Bremer
NEBCO, Inc.
System & Security Administrator
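The layout Steve describes above (netfilter as the first layer, with clients forced through application proxies on other hosts) can be expressed as a small default-deny ruleset. The script below is an added example written for this page; it is not code posted in the thread or anything deployed at NEBCO or Horizon USA. The interface names, the LAN network, the proxy address and the proxy ports are constructed placeholders. The rules are printed rather than executed so the set can be reviewed and checked before it is loaded, and the final LOG rule gives a detection signal for any client that tries to reach the Internet without going through the proxy.

```shell
#!/bin/sh
# Added example (not from the thread): a netfilter ruleset for a forwarding
# firewall that forces LAN clients through an application proxy in a DMZ.
# Interfaces and addresses are constructed placeholders; adjust before use.
WAN_IF="${WAN_IF:-eth0}"                 # towards the Internet
LAN_IF="${LAN_IF:-eth1}"                 # internal clients
DMZ_IF="${DMZ_IF:-eth2}"                 # the proxy host lives here
LAN_NET="${LAN_NET:-192.168.10.0/24}"
PROXY_HOST="${PROXY_HOST:-10.0.0.5}"
PROXY_PORTS="${PROXY_PORTS:-3128 8080}"  # ports the proxy listens on

# build_rules prints one iptables command per line instead of running them,
# so the ruleset can be reviewed and checked before it touches the kernel.
build_rules() {
    # Default-deny on every chain the firewall is responsible for.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F"
    # Loopback, plus replies to conversations the firewall already tracks.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Clients may only open new connections to the proxy's listening ports.
    for port in $PROXY_PORTS; do
        echo "iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $PROXY_HOST -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Only the proxy host may open new connections towards the Internet.
    echo "iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $PROXY_HOST -m conntrack --ctstate NEW -j ACCEPT"
    # Anything a client sends straight to the Internet is logged (rate
    # limited) and dropped; the log line flags a client bypassing the proxy.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix \"FW-BYPASS: \""
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP"
}

# count_new_accepts returns how many rules admit a NEW connection; for this
# design it must equal (number of proxy ports) + 1 (the proxy's own egress).
count_new_accepts() {
    build_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

# lan_direct_egress_allowed prints "yes" if any rule would ACCEPT traffic
# from LAN_IF straight out of WAN_IF; a correct ruleset prints "no".
lan_direct_egress_allowed() {
    if build_rules | grep -- "-i $LAN_IF -o $WAN_IF" | grep -q -- '-j ACCEPT'; then
        echo yes
    else
        echo no
    fi
}

# Run as root with "apply" as the first argument to load the rules.
if [ "${1:-}" = "apply" ]; then
    build_rules | sh -e
fi
```

Running the script without arguments only defines the functions; `sh rules.sh apply` loads the set. The two check functions are the kind of thing to run before `apply`: they fail fast if someone adds a rule that lets clients out directly, which is the whole point of the two-tier design.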
Current thread:
- IPTables Based Firewall Testing Gareth Darby (Dec 16)
- <Possible follow-ups>
- RE: IPTables Based Firewall Testing Shawn Jackson (Dec 16)
- RE: IPTables Based Firewall Testing Shawn Jackson (Dec 18)
- RE: IPTables Based Firewall Testing Steve Bremer (Dec 18)
- Re: IPTables Based Firewall Testing Christos Gioran (Dec 18)
- RE: IPTables Based Firewall Testing Shawn Jackson (Dec 18)
- RE: IPTables Based Firewall Testing Steve Bremer (Dec 18)
- RE: IPTables Based Firewall Testing larsmith (Dec 19)
- RE: IPTables Based Firewall Testing Steve Bremer (Dec 18)
- RE: IPTables Based Firewall Testing Shawn Jackson (Dec 19)
- Re: IPTables Based Firewall Testing - apps Alvin Oga (Dec 19)
- Re: IPTables Based Firewall Testing - apps - url Alvin Oga (Dec 19)
- Re: IPTables Based Firewall Testing - apps Alvin Oga (Dec 19)