[ale] stateful firewall?

John Wells jbwellsiv at yahoo.com
Thu Oct 18 07:40:07 EDT 2001


Thanks for everyone's input on this subject.  I
thought the blanket statement might ruffle some
feathers.  I only wish I had known enough about the
subject at the time for a quick rebuttal ;-).

I forwarded the messages to our net admin (who reports
to the gentleman who spewed the BS) and his decision
is to go ahead with iptables.  Corporate seems to have
been promising this Solaris box for months now so
we're going to go with the Linux box at least for the
interim (corporate is a little anal when it comes to
putting their "standard solutions" in place).

Anyway, thanks for the great info.  At least now I can
play with ipchains/iptables on company time ;-).  

By the way, the firewall software corporate has deemed
standard is indeed Checkpoint Firewall-1...you were
right on the money.

John

--- "Stephen J. Pellicer" <spellicer at itillious.com>
wrote:
> I'm a little late to this conversation, but I was
> out of town :)
> 
> > I've been working for the past day or so on setting up ipchains to
> > use as my company's firewall.  Then one of our senior IT guys came by
> > and said "Linux boxes don't make firewalls.  They make good proxies,
> > but not firewalls.  Linux has no stateful firewalls".
> 
> This type of stuff is what made me jump in. I agree with the statement
> made by someone else about this being a buzzword/FUD type of statement.
> There's way too much marketese in that type of statement. The lines
> between these technologies continue to blur, but this statement is
> erroneous even if you take the conservative definitions of these styles
> of firewalling. ipchains from previous generations were somewhat
> stateful and continue to become more so with the latest
> iptables/netfilter implementations. Both use hybrid packet inspection +
> state types of approaches with iptables/netfilter being very explicit
> about the technique. Additionally, with user space queueing and work
> going on in that area, more flexible almost proxy-like integration with
> the stateful + packet inspection approach is possible. With ipchains,
> many custom modules were implemented to extend the inspection and state
> mechanisms into custom application layer understanding for services
> like ftp, real audio, and h.323.
> 
> Most supposed "stateful firewalls" today also employ hybrid techniques
> including traditional proxy and generic packet filter technology.
> Checkpoint Firewall-1 (probably one of the biggest companies
> responsible for the knee-jerk marketing-like response like the
> statement made by your IT guy above) uses a hybrid approach employing
> stateful inspection, proxies and their "Fastmode" options reduce the
> stateful inspection to simple packet filtering. Plus, they make a
> version that runs on Linux :).
> 
> > Ok.  I'm a programmer, not an IT OP guy, but I'm one of the few people
> > around here who know *nix (we're primarily a windows shop).  One of
> > the things I and a few other developers around here have been trying
> > to do is make as many excuses for Linux boxes as possible.  The senior
> > IT guy wants us to wait for a Solaris box from corporate.
> 
> The Solaris box will employ similar techniques found elsewhere. If it
> will employ a commercial "Stateful Firewall" on the box, there are
> similar offerings found on Linux. Sun used to OEM Checkpoint Firewall-1
> on their Solaris boxes. A product available for Linux as well, as stated
> before.
> 
> > I know in Bob Toxen's book it's mentioned that the 2.4 kernel provides
> > a stateful firewall capability called NETFILTER.  Has anyone had any
> > experience with this?  Good/bad?  Is it stable enough to use in a
> > production environment?
> 
> If you're worried about the stability of the netfilter/iptables stuff,
> you can always use ipchains from previous versions. I like
> netfilter/iptables a lot. Haven't had problems with it. I'm not sure of
> track records in large volume environments though. Bob would probably
> know more about that.
> 
> > If it is stable enough, we have installed RH 7.1, which uses the 2.4,
> > so we're good to go.  However, the IT guy also seems to think that all
> > linux distributions have too many holes (with the exception of the
> > NSA's distribution, which he mentioned in passing).  It was my
> > impression that I could disable pretty much every service on the box
> > (with the exception of those that *have* to be running to function as
> > a firewall) and we'd be pretty secure.  Is this not the case?
> 
> Linux and its distributions are like any other operating system. They
> need to be hardened and patched and maintained. This statement is
> utterly ridiculous placed next to the statements regarding waiting for
> a Solaris box from corporate. Solaris has holes. AIX has holes. They
> all have holes. This guy name-dropping the NSA distribution is also
> misleading. I don't believe the NSA has a distribution. The work he is
> referring to is probably the work being done surrounding an NSA Linux
> kernel and supporting tools. This is mainly implementation of
> Mandatory Access Controls within the kernel. This has more to do with
> total host security than network gateway security. While this would
> help harden your firewall if configured correctly, it would do little
> to nothing to help you with the network traffic passing through. Also,
> you'd still drop it into a standard distribution or some hand-rolled
> distribution. I might be wrong on the NSA not having a complete distro,
> but at this point I'm more inclined to disagree with this IT guy ;).
> 
> > Ok, final question.  Assuming NETFILTER is *not* ready for production,
> > are there any open source stateful firewalls that are?
> 
> Most open source firewalls are leveraging the netfilter/iptables or
> ipchains underlying technology. Even commercial firewall vendors seem
> to employ it. Watchguard Fireboxes are based on (or at least used to be
> based on, I haven't kept up with them as much) the kernel components.
> Stonebeat seems to be employing their own tech on top of the linux
> kernel but it seems like it's just a regular implementation of
> netfilter/iptables for the actual packet handling (their marketing
> material makes it sound like otherwise, but I'm not sure). Checkpoint
> Firewall-1 uses their own kernel modules and doesn't use the built-in
> Linux pieces.
> 
> The technology in Linux for firewalling is similar to any of the other
> approaches out there, just like the other approaches out there are
> similar to each other. None of them set themselves up. They all need
> planning, vigilance, and skill for installation and configuration. I'd
> trust a network to a correctly configured packet filter on a $500
> router over an incorrectly configured $150,000 commercial system on a
> $50,000 hardware firewall appliance any day.
> 
> This IT guy makes some pretty bold statements. They tick me off, but
> most of what I said is pretty much raw info.
> 
> Stephen
> 



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
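An added example, not code from the thread or from the netfilter project, showing concretely what "stateful" means in the iptables/netfilter ruleset the reply above discusses: the 2.4-era `-m state` match lets inbound packets through only when the kernel's connection tracker already knows the flow. The interface name `eth0` and the allowed ports are assumptions, and the ruleset is generated as text so it can be reviewed before anything is loaded.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful INPUT policy in
# iptables-restore format. Interface name and ports are assumptions.
WAN_IF="${WAN_IF:-eth0}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 80}"

# Emit the ruleset. Inbound packets are accepted only if the connection
# tracker already knows the flow (ESTABLISHED), the flow was spawned by
# a tracked one (RELATED, e.g. ftp data once the ip_conntrack_ftp helper
# is loaded on a 2.4 kernel), or it is the first packet (NEW) of an
# explicitly allowed service. Packets the tracker cannot classify
# (INVALID) are dropped first. "-m state" is the match the 2.4 kernel
# shipped; newer iptables also accept "-m conntrack --ctstate".
stateful_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Contrast: the stateless ipchains-era way to "allow replies", which has
# to trust any non-SYN TCP packet from a high source port whether or not
# a connection ever existed. Shown for comparison, not emitted above.
stateless_reply_rule() {
    printf '%s\n' '-A INPUT -p tcp --sport 1024:65535 ! --syn -j ACCEPT'
}

# Sanity check before loading: how many rules actually consult
# connection state. Zero means the ruleset is not stateful, whatever
# the marketing says.
count_state_rules() {
    stateful_ruleset | grep -c -- '--state'
}

# Load only when explicitly asked and running as root; otherwise print
# the ruleset for review.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    stateful_ruleset | iptables-restore
else
    stateful_ruleset
fi
```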
