On Tue, 2003-07-22 at 00:14, John Haxby wrote:

> Why didn't I go for a Linux firewall? Well, two main reasons. Unless
> you are already experienced in setting up Linux as a firewall you stand
> a pretty good chance of getting a firewall that doesn't actually do all
> that well on the stopping front. You might think it's secure, but are
> you really sure? There are going to be lots of people on the list
> jumping up and down saying that it's really easy to do and really easy
> to get secure - but I'm paranoid. I wanted to go for a solution I could
> have some faith in.

There is a flip side to this argument: a good number of these off-the-shelf firewalls/routers are actually embedded Linux boxes (Linksys being one). So now what you've got is a Linux firewall that only gets occasional security updates and bugfixes (whenever Linksys or whoever decides that it's necessary) and only until the support on that device runs out. When a security hole is found (and it will be) you don't know when or even if the vendor will provide a fix. You don't know what version of the kernel is running, you don't know if it uses kernel 2.2 or 2.4, or iptables or ipchains, or what web server it runs. You don't know what security holes it might have. You just have to trust the vendor. If that's acceptable (and in many cases it is) then no problem.

Further, it *is* fairly easy to configure a Linux box as a firewall (albeit not as easy as plugging in an appliance). http://www.shorewall.net provides scripts, examples and advice for doing so.

How can you be certain your firewall is doing its job? You can start by portscanning yourself from another location. Ask a friend to scan your IP address and see what comes up. I don't care if you buy the appliance or DIY, you need to check when you're finished.

> The other reason, really the main reason, is that I wanted my firewall
> to be a completely separate box from the other machines in the house.
> That antique laptop I mentioned is an e-mail, DHCP, DNS and NTP server
> for the other machines. It could be a firewall as well but I would
> feel uneasy about it being both the barrier and containing (most) of the
> stuff I want to protect.

For a home PC, I don't see any problem with running the firewall on the PC itself; you don't need a dedicated box. If you do want a dedicated firewall, you can get an adequate PC for less than $20 at Goodwill, some second-hand store or even a garage sale. A P90 has *more* than enough power to be a Linux firewall.

> By moving the firewall elsewhere I'm left
> with a simpler system that I feel provides more security.

It's just a feeling ;) Actually, I agree that simpler is usually better, but I think that there are other concerns that make this an underwhelming argument on its own.

> I guess the final reason is simplicity. Actually, it underpins the
> other two. The simpler a solution is, the more likely it is going to
> be secure. The more complex, the more likely it is that I'm going to
> get hacked. Of the people I work with, five out of six have gone down
> the route of having a separate firewall -- three with the DG814, one
> with a cheaper one (no switch) and one with a more expensive one (which
> is very nice, but he has more money than sense :-)). Of the six of
> us, one has been hacked. Admittedly only once and something easily
> fixed. But guess which one.

If you're protecting a *network* a separate firewall makes a lot of sense. If you're protecting a single PC, it makes sense, but less so.

Your anecdote doesn't really give enough information to be convincing. Were all six of your friends running the same services (or any at all)? Did they all stay on top of OS updates? Was the one who was hacked an avid game player (leaving ports open for Q3 perhaps)? Was he running a visible web server? Without additional information the story just fails to mean much.

Regards,

--
Cliff Wells, Software Engineer
Logiplex Corporation (www.logiplex.net)
(503) 978-6726 (800) 735-0555

--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
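The "check when you're finished" advice above, as an added example that is not part of the mailing-list post: a minimal TCP connect scanner of the kind a friend would run against your address (what `nmap -sT` does), plus a check that flags any open port you did not intend to expose. The listener and the port numbers are constructed here on the loopback interface purely so the example runs stand-alone; in practice you would point `scan()` at your public IP from a host outside the firewall, since scanning from inside tells you nothing about what the firewall blocks.

```python
import socket
from contextlib import closing

# Constructed fixture: a throwaway TCP listener on an ephemeral loopback port,
# so the scanner has a known-open port to find. Not part of a real check.
def start_listener(host="127.0.0.1"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the kernel pick a free port
    srv.listen(5)                # kernel completes handshakes without accept()
    return srv, srv.getsockname()[1]


# Constructed fixture: find a port that is currently closed (bind, read, release).
def free_port(host="127.0.0.1"):
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """TCP connect probe for one port.

    open     - the three-way handshake completed (something is listening)
    closed   - the host answered with RST (ConnectionRefusedError); a firewall
               using REJECT looks the same from outside
    filtered - nothing came back before the timeout; this is what a DROP rule
               (or no route) looks like, so it is the state you want to see
               for ports you meant to block
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError:
            # EHOSTUNREACH / ENETUNREACH etc.: indistinguishable from DROP for
            # our purposes, so treat it as filtered rather than crashing.
            return "filtered"


def scan(host, ports, timeout=0.5):
    """Scan a list of ports and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def unexpected_open(results, allowed):
    """Ports that answered 'open' but are not in the set you chose to expose.

    A non-empty result means the firewall (or the host behind it) is not doing
    what you think it is doing.
    """
    return sorted(p for p, state in results.items()
                  if state == "open" and p not in allowed)


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        closed_port = free_port()
        results = scan("127.0.0.1", [open_port, closed_port])
        for port, state in sorted(results.items()):
            print(f"{port:5d}/tcp  {state}")
        # Pretend we only meant to expose 22: the listener shows up as a surprise.
        print("unexpected:", unexpected_open(results, allowed={22}))
    finally:
        srv.close()
```

For a real check, scan every port rather than a hand-picked list (a `range(1, 65536)` loop with a thread pool, or simply `nmap` from the friend's machine), and compare the "open" set against the services you deliberately run; anything "closed" rather than "filtered" also tells you the firewall is rejecting instead of dropping, which is fine but worth knowing.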