[ale] OT: Firewall purchase

Bob Toxen bob at verysecurelinux.com
Wed Jul 21 18:16:07 EDT 2004 

David,

I'm sorry I've not gotten back to you sooner.  I've been terribly busy
.

I really am not motivated to debate this.  What I know is in my book.
I will note that a router that just does IP Masquerading (NAT'ing) or
throws away packets with the SYN bit on is not an adequate Firewall.
Any decent hacker can defeat such a device and hijack connections with
little effort.

Bob

On Wed, Jul 07, 2004 at 10:23:50AM -0400, David Hamm wrote:
> Bob,
> 
> Let's turn this discussion into a debate.   There's no doubt I'll loose but 
> what heck I'm always up for learning new things and perhaps you can shed some 
> light into areas where I am deficient in firewalling.  There may also be some 
> other folks on the list who find this informative.
> 
> As far as I understand firewalls have two major characteristics on which 
> security can be based.  First is the private address scheme adhered to by the 
> Internet.  Since any addresses containing, 10., 192.168., or 172.16.->172.31.  
> are not routed Willy Cracker must either crack the router sitting in front of 
> the firewall or the  firewall it self in order to establish communications 
> with a host behind the firewall.  An attractive feature of cheap firewalls is 
> the limited amount space the hardware provides for usefull cracking tools.  
> So once Willy gets in there may be no tools like tcpdump or telnet to use in 
> launching an attack on the internal network.  Loading tools may also present 
> a problem since there is limited space.
> 
> The other characteristic is discarding SYN ( or initialization packets ).  By 
> default most firewalls discard or ignore these requests to begin 
> communications with a remote host.  They only respond to ACK packets and 
> perform a look up in a table to find which internal host started the 
> conversation, discarding any unmatched packets.
> 
> Therefore if these two characteristics function properly the difference 
> between an expensive firewall and a cheap one is additional features.  Port 
> forwarding and IDS are not really firewalling.  They are features to enable 
> and monitor communications with internal hosts.  Getting into this featureset 
> makes the choice more subjective.  Personally I will do anything I can to 
> discourage port forwarding to a host on the internal network.  
> 
>  
>   
> On Wednesday 07 July 2004 12:04 am, Bob Toxen wrote:
> > On Sun, Jul 04, 2004 at 04:15:18PM -0400, David Hamm wrote:
> > > Thanks for the links and suggestions but this firewall is for a client
> > > and building a custom firewall will not be price competitive;  Especially
> > > if you consider the ease of use available for $100 from Netgear and
> > > D-Link.
> >
> > A custom firewall + no break-in is cost competitive as compared to $100
> > for the Netgear toy + $50,000 to recover from the break-in.
> >
> > Bob Toxen
> > bob at verysecurelinux.com               [Please use for email to me]
> > http://www.verysecurelinux.com        [Network&Linux/Unix security
> > consulting] http://www.realworldlinuxsecurity.com [My book:"Real World
> > Linux Security 2/e"] Quality Linux & UNIX security and SysAdmin & software
> > consulting since 1990.
> >
> > "Microsoft: Unsafe at any clock speed!"
> >    -- Bob Toxen 10/03/2002
> >
> > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > David Hamm wrote:
> > > > > Hi,
> > > > >
> > > > > I'm looking for a firewall that supports IPSEC for VPN and OSPF.
> > > > > Netgear has
> > > > > stuff I found attractive but with no OSPF support. Moving parts (ie
> > > > > fans and
> > > > > disks ), and user licensing are out. Anyone have any suggestions?
> > > > >
> > > > > Thanks.
> > > > > _______________________________________________
> > > > > Ale mailing list
> > > > > Ale at ale.org
> > > > > http://www.ale.org/mailman/listinfo/ale
> > > >
> > > > Look at building it yourself using Slackware, Bob Toxen's second
> > > > edition of his book, and a Epia based fanless supersmall machine with
> > > > dual builtin NICs.  His book has drop in iptables rules that are
> > > > excellent. Once you get that far then going thru the IPSEC Howto is not
> > > > too difficult.  Just involves a kernel module compile and insertion.
> > > >
> > > >
> > > >
> > > > Links:
> > > > http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3
> > > > http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
> > > > http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html (this
> > > > is one idea)
> > > >
> > > >
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > http://www.ale.org/mailman/listinfo/ale
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale

More information about the Ale mailing list