Re: Linksys 4-port Router NAT/Firewall

[Michael Wojcik <Michael.Wojcik () MERANT COM>]

> -----Original Message-----
> From: Larry D'Anna [mailto:larry () pink dhs org]
> Sent: Thursday, August 24, 2000 7:32 PM

> * Litscher, Steven (Steven.Litscher () OJA STATE WI US) [000824 20:08]:
> > [using Linksys home router / NATting firewall w/ ZoneAlarm]

> As Bruce Schneier would say, security is a process, not a product.

One of the implications of this statement is that security aspects -
including risks - change over time.

> A firewall is one way to make life more difficult for an attacker, but it
> doesn't guarantee security by any means.  What does the linksys do?
> What does ZoneAlarm do?  If they are doing basicly the same things
> (and I suspect they are) and neither of them has known vulnerabilities
> then it probably doesn't matter which you use.

I humbly submit that new vulnerabilities may be found in the future in one
or the other product; hence it is probably best to continue using both.
Checking for known vulnerabilities is a good idea, but a lack of them
shouldn't be taken as evidence that no vulnerabilities exist.

Of course, it's always possible that two security products in combination
may be weaker than only one.  (Indeed, it's not even particularly unlikely.)
My sense, from evaluating the particular combination I have, is that the
whole set is stronger than any proper subset under my threat model, and that
similarly Steven would be better off keeping ZoneAlarm, since he apparently
already has it installed and working.

> All I'm trying to say is that you shouldn't think of a firewall as being
> "safe" or "unsafe" or "safe enough".  You should think of it in terms
> the specific functionality it provides.

True, but you should also consider whether overlapping functionality may
help one product cover unexpected deficiencies in another, and whether their
combination may produce an unexpected deficiency that does not exist in one
or the other used separately.

In general, I wouldn't advise retiring a level of protection merely because
it seems redundant.  Just because I have a NATting firewall router doesn't
mean I don't want to use tcp_wrappers to restrict incoming connections to my
LAN.

>  See the recent thread in
> bugtraq about using brownorrifice to totally bypass almost any
> firewall that lets web traffic through.

This is an instance where a connection-monitoring utility like ZA might (I
haven't tested it, nor researched the behavior of ZA and BrO sufficiently to
make an educated guess) provide protection against an exploit that a NATting
router would not handle.  Connector monitors are generally fairly good at
detecting network activity by trojans; external firewalls cannot do this,
except in the cases where trojan activity has a detectable signature in the
traffic itself, which are relatively rare and easy for trojan authors to
avoid.

Michael Wojcik             michael.wojcik () merant com
MERANT
Department of English, Miami University