Vulnerability Development mailing list archives
Re: Linksys 4-port Router NAT/Firewall
From: Michael Wojcik <Michael.Wojcik () MERANT COM>
Date: Fri, 25 Aug 2000 08:56:23 -0700
> -----Original Message-----
> From: Larry D'Anna [mailto:larry () pink dhs org]
> Sent: Thursday, August 24, 2000 7:32 PM
>
> * Litscher, Steven (Steven.Litscher () OJA STATE WI US) [000824 20:08]:
> > [using Linksys home router / NATting firewall w/ ZoneAlarm]
>
> As Bruce Schneier would say, security is a process, not a product.

One of the implications of this statement is that security aspects - including risks - change over time.

> A firewall is one way to make life more difficult for an attacker, but it doesn't guarantee security by any means. What does the Linksys do? What does ZoneAlarm do? If they are doing basically the same things (and I suspect they are) and neither of them has known vulnerabilities then it probably doesn't matter which you use.

I humbly submit that new vulnerabilities may be found in the future in one or the other product; hence it is probably best to continue using both. Checking for known vulnerabilities is a good idea, but a lack of them shouldn't be taken as evidence that no vulnerabilities exist. Of course, it's always possible that two security products in combination may be weaker than only one. (Indeed, it's not even particularly unlikely.) My sense, from evaluating the particular combination I have, is that the whole set is stronger than any proper subset under my threat model, and that similarly Steven would be better off keeping ZoneAlarm, since he apparently already has it installed and working.

> All I'm trying to say is that you shouldn't think of a firewall as being "safe" or "unsafe" or "safe enough". You should think of it in terms of the specific functionality it provides.

True, but you should also consider whether overlapping functionality may help one product cover unexpected deficiencies in another, and whether their combination may produce an unexpected deficiency that does not exist in one or the other used separately. In general, I wouldn't advise retiring a level of protection merely because it seems redundant. Just because I have a NATting firewall router doesn't mean I don't want to use tcp_wrappers to restrict incoming connections to my LAN.

> See the recent thread in bugtraq about using Brown Orifice to totally bypass almost any firewall that lets web traffic through.

This is an instance where a connection-monitoring utility like ZA might (I haven't tested it, nor researched the behavior of ZA and BrO sufficiently to make an educated guess) provide protection against an exploit that a NATting router would not handle. Connection monitors are generally fairly good at detecting network activity by trojans; external firewalls cannot do this, except in the cases where trojan activity has a detectable signature in the traffic itself, which are relatively rare and easy for trojan authors to avoid.

Michael Wojcik
michael.wojcik () merant com
MERANT
Department of English, Miami University
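The contrast drawn in the message above (a NATting router sees only addresses and ports, while a host-based connection monitor such as ZoneAlarm also sees which program opened the connection) can be made concrete with a small policy simulation. The following is an added example and not code from the original thread or from either product: the connection events, the process names, the LAN prefix and the per-program allowlist are all constructed for illustration. A trojan that talks outbound over port 80 presents the router with exactly the same 5-tuple shape as a browser, so a typical "allow anything outbound from the LAN" router rule passes it; the host-side policy, keyed on program identity, does not.

```python
"""Router view vs. host connection-monitor view of outbound connections.

Added example; all events below are constructed, not real captures.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    """One outbound connection attempt as seen by some observer.

    process is None when the observer has no process context, which is the
    case for an external router that only sees packets on the wire.
    """
    process: Optional[str]
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Assumed home-LAN prefix (constructed for the example).
LAN_PREFIX = "192.168.1."

# Assumed host-side per-program allowlist, ZoneAlarm-style: each program may
# only open connections to the listed destination ports. Names are illustrative.
HOST_ALLOWLIST = {
    "netscape.exe": {80, 443},
    "outlook.exe": {25, 110},
}


def router_view(c: Conn) -> Conn:
    """Strip the process identity: the NAT router only sees the 5-tuple."""
    return Conn(None, c.src_ip, c.dst_ip, c.dst_port, c.proto)


def router_allows(c: Conn) -> bool:
    """Typical home NAT/firewall rule: anything outbound from the LAN is allowed,
    unsolicited inbound is dropped. Process identity is unavailable here."""
    return c.src_ip.startswith(LAN_PREFIX)


def host_allows(c: Conn) -> bool:
    """Host connection monitor: allow only (program, port) pairs on the allowlist.
    An unknown program is treated as denied (a real monitor would prompt)."""
    if c.process is None:
        return False
    return c.dst_port in HOST_ALLOWLIST.get(c.process, set())


def evaluate(events: List[Conn]) -> List[Tuple[Optional[str], bool, bool]]:
    """Return (process, router_decision, host_decision) for each event."""
    return [(c.process, router_allows(router_view(c)), host_allows(c)) for c in events]


# Constructed events: a browser fetching a page, and a trojan phoning home,
# first disguised as web traffic and then on an IRC-style port.
EVENTS = [
    Conn("netscape.exe", "192.168.1.10", "198.51.100.5", 80),
    Conn("trojan.exe", "192.168.1.10", "203.0.113.7", 80),
    Conn("trojan.exe", "192.168.1.10", "203.0.113.7", 6667),
]


if __name__ == "__main__":
    for process, by_router, by_host in evaluate(EVENTS):
        print(f"{process:14s} router={'allow' if by_router else 'deny '} host={'allow' if by_host else 'deny '}")
```

The second event is the interesting one: to the router it is indistinguishable from the first, which is why the message says an external firewall can only catch such activity when the traffic itself carries a signature. The host policy catches it because it keys on the originating program rather than on anything in the packets, and the same mechanism is what lets the two products cover each other's blind spots rather than being redundant.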
Current thread:
- Linksys 4-port Router NAT/Firewall Litscher, Steven (Aug 24)
- Re: Linksys 4-port Router NAT/Firewall Larry D'Anna (Aug 24)
- Re: Linksys 4-port Router NAT/Firewall David Knaack (Aug 24)
- Re: Linksys 4-port Router NAT/Firewall Bluefish (P.Magnusson) (Aug 25)
- Re: Linksys 4-port Router NAT/Firewall Dragos Ruiu (Aug 24)
- Re: Linksys 4-port Router NAT/Firewall Jonathan Rickman (Aug 24)
- <Possible follow-ups>
- Re: Linksys 4-port Router NAT/Firewall Michael Wojcik (Aug 25)
- Re: Linksys 4-port Router NAT/Firewall Ed Padin (Aug 25)
- Message not available
- Re: Linksys 4-port Router NAT/Firewall Dragos Ruiu (Aug 26)
- Message not available
- Re: Linksys 4-port Router NAT/Firewall Dragos Ruiu (Aug 26)