[ale] OT: Firewall purchase

Christopher Fowler cfowler at outpostsentinel.com
Thu Jul 22 12:58:31 EDT 2004


Maybe we should turn this into an educational discussion and talk about
ways to harden a Linux box being used as a firewall and make it immune
to the type of attacks listed in this thread.

On Thu, 2004-07-22 at 12:44, Jonathan Rickman wrote:
> > > > > > A custom firewall + no break-in is cost competitive as compared
> > > > > > to $100 for the Netgear toy + $50,000 to recover from the break-in.
> > > This is FUD without some evidence or logical explanation and not a 
> > > remark I'd expected from a professional security expert.  A debate 
> > > would have provided an opportunity to recover from this remark.
> > Calling my advice FUD is disappointing.  However, for the 
> > evidence enter
> > 
> >      connection hijack
> > 
> > into Google and read some of the 74,000 entries on connection 
> > hijacking, which is how to break through a NAT'ing (and other 
> > firewalls).  Some of the hits are unrelated to the topic but 
> > there are many, many that are.
> 
> 
> I think everyone needs to take a step back and look at what you are
> discussing.
> 
> The NAT issue-
> NAT alone is subject to hijacking attacks and sophisticated spoofing attacks
> leading to the exposure of systems behind it, though in practice, neither
> are trivial to accomplish and require a certain measure of expertise. NAT
> will protect you from the casual interloper and the neverending stream of
> automated exploits in worm format that seem to have become so common that we
> now consider them background noise. The problem is that within that
> background noise there is the chatter of fingers typing furiously at the
> keyboard. These little fingers are connected to devious minds who have the
> skill and knowledge to use the aforementioned techniques to waltz right into
> your network. There...that's the NAT issue in a nutshell.
> 
> The FUD issue-
> I think the term FUD was tossed out rather hastily, and frankly I'm not sure
> what NAT had to do with it in the first place as the Netgear device
> mentioned before Bob's post (FVS318) does stateful inspection and therefore
> is not subject to the same form of attacks as a NAT only device. Now, I'm
> not recommending this box for a business network by any means, but the mere
> presence of the thing is not going to automatically mean that the network is
> insecure. Maybe there was a teeny bit of merit to the FUD comment based on
> this, but I'm inclined to think it was driven more by emotion than reason. 
> 
> The REAL issue-
> Security is a process, not a product...period. The most secure products in
> the world are nothing without a secure process by which to implement them.
> The most insecure products in the world can be made reasonably secure
> through secure processes. Witness the fact that I have never had an IIS
> server that I personally configured broken into. Does that mean that IIS
> should be considered a security panacea? Some might say yes, others would
> start "product bashing" rather than "process praising." Both would be wrong.
> Some would suggest that I have just been lucky. Frankly, I would not take
> offense at that type of thing, nor would I reconsider my position due to the
> comments. Software packages, hardware devices, and everything in between are
> nothing more than tools that are there to perform certain tasks. The use, or
> lack thereof, of a specific product does not automatically mean that a
> system is secure or insecure. A Volvo may be a safe automobile that has a
> greater ability to protect the passengers in the event of a crash, but if it
> is running on bald tires with busted headlights on a rainy night...it is
> also more likely to end up in the crash to begin with. Meanwhile, the guy in
> the Ford Pinto drives by wondering what happened to that guy in the wrecked
> Volvo, and continues on his merry way. He has already forgotten that the
> driver of the Volvo made a passing remark to him earlier in the Home Depot
> parking lot about how unsafe Ford Pintos were in an accident while
> mentioning that he was a Volvo owner, in a snobbish tone.
> 
> In closing, this discussion could use a lot less heat and a lot more light. 
> 
> --
> Jonathan "Who normally loves a good flamewar" Rickman
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
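The distinction the quoted post draws between a NAT-only device and one doing stateful inspection, as an added toy model (not code from this thread or from any product it names): both devices see the same outbound connection, then the same inbound segments; the NAT-only table forwards anything addressed to a mapped port, while the stateful tracker also demands a known peer, a plausible TCP state and an in-window sequence number. The `Packet` fields, the `EXT_PORT` mapping and all addresses (RFC 5737 documentation ranges) are constructed for the example, and the tracker is deliberately simplified (no segment-length accounting, no teardown).

```python
from collections import namedtuple

# Constructed TCP segment carrying only the fields the two policies inspect.
Packet = namedtuple("Packet", "src sport dst dport flags seq")
EXT_PORT = 40000  # the single translated port both devices hand out in this model

class NatOnly:
    """Translation table only: anything on a mapped port is forwarded, whoever sent it."""
    def __init__(self):
        self.mappings = {}  # external port -> (inside ip, inside port)
    def outbound(self, p):
        self.mappings[EXT_PORT] = (p.src, p.sport)
    def inbound(self, p):
        return p.dport in self.mappings

class Stateful:
    """Stateful inspection: flows keyed on the remote peer too; segments must fit TCP state."""
    WINDOW = 65535
    def __init__(self):
        self.flows = {}  # (peer ip, peer port, mapped port) -> flow state
    def outbound(self, p):
        if p.flags == "S":
            self.flows[(p.dst, p.dport, EXT_PORT)] = {"state": "SYN_SENT", "next": 0}
    def inbound(self, p):
        flow = self.flows.get((p.src, p.sport, p.dport))
        if flow is None:                     # unknown peer or unmapped port
            return False
        if flow["state"] == "SYN_SENT":      # only the handshake reply fits here
            if p.flags != "SA":
                return False
            flow.update(state="ESTABLISHED", next=p.seq + 1)
            return True
        in_window = flow["next"] <= p.seq < flow["next"] + self.WINDOW
        if "S" in p.flags or not in_window:  # stray SYN or out-of-window segment
            return False
        flow["next"] = p.seq                 # simplification: ignores segment length
        return True

def run(inbound):
    """Replay one inside-host SYN, then the inbound segments, through both devices."""
    syn = Packet("192.168.1.10", 51234, "198.51.100.7", 80, "S", 1000)
    verdicts = {}  # device -> list of accept (True) / drop (False) verdicts
    for name, dev in (("nat_only", NatOnly()), ("stateful", Stateful())):
        dev.outbound(syn)
        verdicts[name] = [dev.inbound(p) for p in inbound]
    return verdicts
```

Feeding `run()` a segment from an address other than the one the inside host contacted shows the difference directly: the NAT-only table forwards it because the port is mapped, the stateful tracker drops it because no flow exists for that peer.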


