[ale] OT: Firewall purchase
David Hamm
ale at spinnerdog.com
Wed Jul 7 10:25:44 EDT 2004
Bob,
Let's turn this discussion into a debate. There's no doubt I'll lose, but
what the heck, I'm always up for learning new things and perhaps you can shed some
light into areas where I am deficient in firewalling. There may also be some
other folks on the list who find this informative.
As far as I understand, firewalls have two major characteristics on which
security can be based. First is the private address scheme adhered to by the
Internet. Since any addresses containing 10., 192.168., or 172.16.->172.31.
are not routed, Willy Cracker must either crack the router sitting in front of
the firewall or the firewall itself in order to establish communications
with a host behind the firewall. An attractive feature of cheap firewalls is
the limited amount of space the hardware provides for useful cracking tools.
So once Willy gets in there may be no tools like tcpdump or telnet to use in
launching an attack on the internal network. Loading tools may also present
a problem since there is limited space.
The other characteristic is discarding SYN (or initialization) packets. By
default most firewalls discard or ignore these requests to begin
communications with a remote host. They only respond to ACK packets and
perform a lookup in a table to find which internal host started the
conversation, discarding any unmatched packets.
Therefore, if these two characteristics function properly, the difference
between an expensive firewall and a cheap one is additional features. Port
forwarding and IDS are not really firewalling. They are features to enable
and monitor communications with internal hosts. Getting into this feature set
makes the choice more subjective. Personally I will do anything I can to
discourage port forwarding to a host on the internal network.
On Wednesday 07 July 2004 12:04 am, Bob Toxen wrote:
> On Sun, Jul 04, 2004 at 04:15:18PM -0400, David Hamm wrote:
> > Thanks for the links and suggestions but this firewall is for a client
> > and building a custom firewall will not be price competitive, especially
> > if you consider the ease of use available for $100 from Netgear and
> > D-Link.
>
> A custom firewall + no break-in is cost competitive as compared to $100
> for the Netgear toy + $50,000 to recover from the break-in.
>
> Bob Toxen
> bob at verysecurelinux.com [Please use for email to me]
> http://www.verysecurelinux.com [Network & Linux/Unix security consulting]
> http://www.realworldlinuxsecurity.com [My book: "Real World Linux Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
>
> "Microsoft: Unsafe at any clock speed!"
> -- Bob Toxen 10/03/2002
>
> > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > David Hamm wrote:
> > > > Hi,
> > > >
> > > > I'm looking for a firewall that supports IPSEC for VPN and OSPF.
> > > > Netgear has stuff I found attractive but with no OSPF support.
> > > > Moving parts (i.e. fans and disks) and user licensing are out.
> > > > Anyone have any suggestions?
> > > >
> > > > Thanks.
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > http://www.ale.org/mailman/listinfo/ale
> > >
> > > Look at building it yourself using Slackware, Bob Toxen's second
> > > edition of his book, and a Epia based fanless supersmall machine with
> > > dual builtin NICs. His book has drop in iptables rules that are
> > > excellent. Once you get that far then going thru the IPSEC Howto is not
> > > too difficult. Just involves a kernel module compile and insertion.
> > >
> > >
> > >
> > > Links:
> > > http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3
> > > http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
> > > http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html (this
> > > is one idea)
> > >
> > >
> >
>
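The stateful behaviour David describes (a table of conversations opened from the inside, unsolicited inbound SYNs discarded, anything unmatched dropped) together with the RFC 1918 "not routed" check, as an added toy example that is not part of this thread and not code from any vendor's firewall. The Packet class, the StatefulFilter class, the LAN range and the outside addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed for illustration only.

```python
"""Toy stateful packet filter illustrating the two properties discussed in
the post above: (1) RFC 1918 private ranges are not routed on the Internet,
and (2) a stateful firewall drops unsolicited inbound SYNs and only passes
inbound packets that match a conversation an internal host already opened.

Added illustration, not code from the thread or any product. The packet
format, flag names, class names and addresses are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress

# The three RFC 1918 ranges David lists (10., 172.16.-172.31., 192.168.).
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls in an RFC 1918 range (not routed on the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    """Constructed minimal TCP packet: addresses, ports and the two flags
    the filter cares about."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    """Minimal connection tracker. Outbound packets from the LAN create a
    table entry; inbound packets are accepted only if they match an entry.
    An inbound packet carrying SYN without ACK (a new connection attempt
    from outside) is always dropped."""

    def __init__(self, lan_net: str):
        self.lan = ipaddress.ip_network(lan_net)
        # state table keyed by (lan_ip, lan_port, remote_ip, remote_port)
        self.table: set = set()

    def _from_lan(self, pkt: Packet) -> bool:
        # Toy direction check by source address; see the note below.
        return ipaddress.ip_address(pkt.src) in self.lan

    def filter(self, pkt: Packet) -> str:
        """Return 'ACCEPT' or 'DROP' for one packet crossing the firewall."""
        if self._from_lan(pkt):
            # Outbound: record the conversation so the reply can come back.
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound bare SYN: an unsolicited request to start a connection.
        if pkt.syn and not pkt.ack:
            return "DROP"
        # Anything else must match a conversation an internal host started.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if key in self.table else "DROP"


def demo() -> dict:
    """Run the scenarios from the post and return the verdicts by name."""
    fw = StatefulFilter("192.168.1.0/24")
    out = {}
    # Internal host opens a connection to an outside web server.
    out["outbound_syn"] = fw.filter(
        Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True))
    # The server's SYN/ACK reply matches the table entry.
    out["reply_synack"] = fw.filter(
        Packet("203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True))
    # Willy Cracker tries to open a connection from outside: bare SYN.
    out["inbound_syn"] = fw.filter(
        Packet("198.51.100.7", 5555, "192.168.1.10", 22, syn=True))
    # A stray ACK with no matching conversation is dropped as well.
    out["unmatched_ack"] = fw.filter(
        Packet("198.51.100.7", 5555, "192.168.1.10", 22, ack=True))
    out["lan_is_private"] = is_private("192.168.1.10")
    out["server_is_private"] = is_private("203.0.113.5")
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

One caveat a real filter has to handle and this toy does not: direction is decided here from the source address alone, so a packet arriving from the outside with a forged LAN source would be treated as outbound and would poison the state table. A real firewall decides direction by the interface the packet arrived on and drops packets whose source does not belong on that interface (anti-spoofing), in addition to the state lookup shown above.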