- <li><em>date</em>: Wed Jul 21 18:16:07 2004</li>
- <li><em>from</em>: bob at verysecurelinux.com (Bob Toxen)</li>
- <li><em>in-reply-to</em>: <<a href="msg00199.html">[email protected]</a>></li>
- <li><em>references</em>: <<a href="msg00073.html">[email protected]</a>> <<a href="msg00086.html">[email protected]</a>> <<a href="msg00191.html">[email protected]</a>> <<a href="msg00199.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] OT: Firewall purchase</li>
I'm sorry I've not gotten back to you sooner. I've been terribly busy.
I really am not motivated to debate this. What I know is in my book.
I will note that a router that just does IP Masquerading (NAT'ing) or
throws away packets with the SYN bit on is not an adequate Firewall.
Any decent hacker can defeat such a device and hijack connections with
little effort.
Bob
On Wed, Jul 07, 2004 at 10:23:50AM -0400, David Hamm wrote:
> Bob,
>
> Let's turn this discussion into a debate. There's no doubt I'll lose but
> what the heck I'm always up for learning new things and perhaps you can shed some
> light into areas where I am deficient in firewalling. There may also be some
> other folks on the list who find this informative.
>
> As far as I understand firewalls have two major characteristics on which
> security can be based. First is the private address scheme adhered to by the
> Internet. Since any addresses containing, 10., 192.168., or 172.16.->172.31.
> are not routed Willy Cracker must either crack the router sitting in front of
> the firewall or the firewall itself in order to establish communications
> with a host behind the firewall. An attractive feature of cheap firewalls is
> the limited amount of space the hardware provides for useful cracking tools.
> So once Willy gets in there may be no tools like tcpdump or telnet to use in
> launching an attack on the internal network. Loading tools may also present
> a problem since there is limited space.
>
> The other characteristic is discarding SYN ( or initialization packets ). By
> default most firewalls discard or ignore these requests to begin
> communications with a remote host. They only respond to ACK packets and
> perform a look up in a table to find which internal host started the
> conversation, discarding any unmatched packets.
>
> Therefore if these two characteristics function properly the difference
> between an expensive firewall and a cheap one is additional features. Port
> forwarding and IDS are not really firewalling. They are features to enable
> and monitor communications with internal hosts. Getting into this featureset
> makes the choice more subjective. Personally I will do anything I can to
> discourage port forwarding to a host on the internal network.
>
>
>
> On Wednesday 07 July 2004 12:04 am, Bob Toxen wrote:
> > On Sun, Jul 04, 2004 at 04:15:18PM -0400, David Hamm wrote:
> > > Thanks for the links and suggestions but this firewall is for a client
> > > and building a custom firewall will not be price competitive; Especially
> > > if you consider the ease of use available for $100 from Netgear and
> > > D-Link.
> >
> > A custom firewall + no break-in is cost competitive as compared to $100
> > for the Netgear toy + $50,000 to recover from the break-in.
> >
> > Bob Toxen
> > bob at verysecurelinux.com [Please use for email to me]
> > <a rel="nofollow" href="http://www.verysecurelinux.com">http://www.verysecurelinux.com</a> [Network&Linux/Unix security
> > consulting] <a rel="nofollow" href="http://www.realworldlinuxsecurity.com">http://www.realworldlinuxsecurity.com</a> [My book:"Real World
> > Linux Security 2/e"] Quality Linux & UNIX security and SysAdmin & software
> > consulting since 1990.
> >
> > "Microsoft: Unsafe at any clock speed!"
> > -- Bob Toxen 10/03/2002
> >
> > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > David Hamm wrote:
> > > > > Hi,
> > > > >
> > > > > I'm looking for a firewall that supports IPSEC for VPN and OSPF.
> > > > > Netgear has
> > > > > stuff I found attractive but with no OSPF support. Moving parts (ie
> > > > > fans and
> > > > > disks ), and user licensing are out. Anyone have any suggestions?
> > > > >
> > > > > Thanks.
> > > > > _______________________________________________
> > > > > Ale mailing list
> > > > > Ale at ale.org
> > > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
> > > >
> > > > Look at building it yourself using Slackware, Bob Toxen's second
> > > > edition of his book, and an Epia based fanless supersmall machine with
> > > > dual builtin NICs. His book has drop in iptables rules that are
> > > > excellent. Once you get that far then going thru the IPSEC Howto is not
> > > > too difficult. Just involves a kernel module compile and insertion.
> > > >
> > > >
> > > >
> > > > Links:
> > > > <a rel="nofollow" href="http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3">http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3</a>
> > > > <a rel="nofollow" href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>
> > > > <a rel="nofollow" href="http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html">http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html</a> (this
> > > > is one idea)
> > > >
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
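The disagreement in this thread comes down to what an inbound packet is checked against. The following is an added illustration, not code from the thread or from the book it mentions: it models three inbound policies (drop bare SYNs only; a masquerade table keyed on the public port alone; full connection tracking) and shows which constructed packets each one accepts. The class names, the simplified state machine and the documentation-range addresses are assumptions made for the example, not a description of any particular product.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def stateless_allows(p):
    """Policy 1: drop a bare SYN from outside, pass everything else."""
    return not (p.flags & SYN and not p.flags & ACK)

class PortOnlyNat:
    """Policy 2 (hypothetical): masquerade table keyed on the public port only."""
    def __init__(self):
        self.ports = set()
    def outbound(self, p):
        self.ports.add(p.sport)
    def inbound_allows(self, p):
        return stateless_allows(p) and p.dport in self.ports

class ConnTrack:
    """Policy 3: match the full remote endpoint and the handshake state."""
    def __init__(self):
        self.state = {}  # (remote ip, remote port, local port) -> state
    def outbound(self, p):
        if p.flags == SYN:
            self.state[(p.dst, p.dport, p.sport)] = "SYN_SENT"
    def inbound_allows(self, p):
        key = (p.src, p.sport, p.dport)
        st = self.state.get(key)
        if st == "SYN_SENT" and p.flags == SYN | ACK:
            self.state[key] = "ESTABLISHED"
            return True
        return bool(st == "ESTABLISHED" and p.flags & ACK and not p.flags & SYN)

def evaluate():
    """Return {packet name: (stateless, port-only NAT, conntrack)} verdicts."""
    out = Pkt("203.0.113.5", 40000, "198.51.100.7", 80, SYN)  # constructed
    inbound = {  # constructed sample packets, documentation addresses
        "reply":      Pkt("198.51.100.7", 80, "203.0.113.5", 40000, SYN | ACK),
        "bare_syn":   Pkt("192.0.2.99", 80, "203.0.113.5", 40000, SYN),
        "stray_ack":  Pkt("192.0.2.99", 80, "203.0.113.5", 40000, ACK),
        "other_port": Pkt("192.0.2.99", 80, "203.0.113.5", 40001, ACK),
    }
    nat, ct = PortOnlyNat(), ConnTrack()
    nat.outbound(out)
    ct.outbound(out)
    return {n: (stateless_allows(p), nat.inbound_allows(p), ct.inbound_allows(p))
            for n, p in inbound.items()}
```

Only the connection-tracking policy rejects the ACK-flagged packet from a host the inside machine never contacted; the other two accept it because they never compare the remote endpoint against an existing connection.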
</body>
</html>