Educause Security Discussion mailing list archives

Re: PIX/AS Vs. Linux/IPtables
From: David Gillett <gillettdavid () FHDA EDU>
Date: Wed, 30 Sep 2009 14:23:29 -0700

  "Admin misconfigured something" and "compromise allows attacker to change rules" are threats -- very likely the two biggest threats to a firewall.  Assessing a risk involves considering not just the threat but also the probability of its occurrence and the damage that can result.  And since the potential damage is the same, it's the probability of threat "success" that is the distinguishing factor.

  Administration of a dedicated firewall box like a PIX or ASA is all done through essentially one administrative platform, and the configuration can be saved and examined as a single file.  Administration of an iptables box involves at minimum both administration of the iptables configuration and of the underlying Linux O/S.  Even though some appliance vendors may use a Linux-based kernel underneath their firewall, it is generally a hardened version with little or no administrative access provided or required.
  This doesn't directly reduce the chance of a sloppy admin fat-fingering something in the firewall configuration.  It DOES though minimize the chance of an admin, thinking about some issue besides the firewall rules, accidentally leaving the box open to attack.

  The above assumes that the O/S admin and the firewall admin are the same person, who is generally competent at both tasks.  In some organizations, they might not be.  Even an experienced Linux admin might not be as expert at hardening a system as the appliance vendor's staff...

  Since iptables will run on top of a more or less generic Linux install, there is going to be a certain amount of economic incentive to run other applications on the same box.  And the implications of that are three-fold:

1.  In addition to firewall and O/S admin roles, you add application admin roles.  Even if they are all one person, you multiply the use of administrative access for issues not directly relating to the firewall configuration and possibly with unintended implications.

2.  In addition to vulnerabilities in the O/S as configured and in iptables, you potentially add any vulnerabilities in applications deployed to that box.  You "increase the attack surface" of a critical security system, exposing it to additional attack vectors.

3.  Linux, like any general-purpose O/S, is designed to allow third-party code modules to be loaded and executed.  You hope that it will do this for authorized applications that you need to run.  Preventing it from loading and running an attacker's arbitrary code modules becomes a non-trivial exercise.
  A special-purpose O/S, or a sufficiently hardened system built on a Linux kernel, is designed to prevent all but tightly controlled code modules from ever getting a chance to execute.  That doesn't guarantee immunity from compromise, but it places the bar not just higher but in a completely different realm.

  My conclusion is that a Linux box running iptables represents a higher RISK of compromise than a dedicated appliance in the same role.  What remains is to consider the value of the information assets to be protected versus the costs of the two approaches.  For a great many organizations, the lower price tag of iptables is going to outweigh any attendant increased risk.

David Gillett
CISSP CCNP
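Added example, not part of David Gillett's post or the mailing-list thread: the post's first threat, an admin fat-fingering a rule or leaving the box open while thinking about something else, is something an iptables host can at least be checked for mechanically, because `iptables-save` does emit the whole ruleset as one text file. The script below parses that format and reports filter chains whose default policy is ACCEPT and INPUT rules that admit new connections from any source, which is exactly what a co-hosted application (item 2 in the post) tends to leave behind. Both rulesets are constructed samples, and the `MANAGEMENT_PORTS` list is an assumption of the example, not anything from the post.

```python
"""Audit an iptables-save dump for slips that leave the firewall host itself open.

Added example, not code from the original post: parses the iptables-save text
format and flags filter chains whose default policy is ACCEPT and INPUT rules
that ACCEPT new connections from any source. Both dumps are constructed samples.
"""
import shlex
from typing import Dict, List

MANAGEMENT_PORTS = {"22": "ssh", "23": "telnet"}  # assumed admin paths; worse than a service port

WEAK_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
"""

HARDENED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# iptables option -> key in the parsed rule; every other token is skipped
OPTS = {"-j": "target", "--jump": "target", "-p": "proto", "--protocol": "proto",
        "--dport": "dport", "--destination-port": "dport", "-s": "source",
        "--source": "source", "-i": "in_iface", "--in-interface": "in_iface",
        "--ctstate": "state", "--state": "state"}


def parse_rule(line: str) -> Dict[str, str]:
    """Extract the matches this audit cares about from one '-A CHAIN ...' line."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "raw": line}
    negate = False
    for tok, arg in zip(toks, toks[1:] + [None]):
        if tok == "!":
            negate = True
            continue
        key = OPTS.get(tok)
        # '! -s X' or '! -i lo' still admits everyone else, so record no restriction
        if key and not (negate and key in ("source", "in_iface")):
            rule[key] = arg
        negate = False
    return rule


def parse_dump(text: str) -> Dict[str, dict]:
    """Split a dump into tables, each holding built-in chain policies and rules."""
    tables, table = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            if policy != "-":  # user-defined chains carry '-' here
                tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):
            tables[table]["rules"].append(parse_rule(line))
    return tables


def audit(text: str) -> List[str]:
    """One finding per way the ruleset leaves the host reachable; empty means clean."""
    filt = parse_dump(text).get("filter")
    if filt is None:
        return ["no filter table: every packet is accepted"]
    findings = [f"{c} default policy is ACCEPT (fails open)" for c in ("INPUT", "FORWARD")
                if filt["policies"].get(c, "ACCEPT") == "ACCEPT"]
    for r in filt["rules"]:
        replies_only = "state" in r and "NEW" not in r["state"].upper()
        if (r["chain"] != "INPUT" or r.get("target") != "ACCEPT" or r.get("in_iface") == "lo"
                or r.get("source") or replies_only):
            continue  # not an entry point: wrong chain/target, loopback, source-limited, or reply traffic
        port, proto = r.get("dport"), r.get("proto")
        if port:
            tag = "management port" if port in MANAGEMENT_PORTS else "port"
            findings.append(f"{tag} {port}/{MANAGEMENT_PORTS.get(port, proto)} open to any source")
        elif proto:
            findings.append(f"all {proto} accepted from any source")
        else:
            findings.append("unconditional ACCEPT in INPUT: " + r["raw"])
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(name, audit(dump) or "no findings")
```

On a real host, feed it the output of `iptables-save` (IPv4 only; `ip6tables-save` is a separate dump). The check is deliberately narrow: it says nothing about what else is listening on the box or about kernel module loading, which are the post's other two points and need host-level checks rather than a rule review.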