[lug] Firewall != Linux, Was -> Broadband

rm at mamma.varadinet.de rm at mamma.varadinet.de
Tue Aug 1 15:16:25 MDT 2000

On Tue, Aug 01, 2000 at 02:44:04PM -0600, Chris M wrote:

> Bunk.
> I've seen plenty of cracked Linux boxes at the sites of people who should
> know better. People I might even hire someday.

And why was that so? Because of a glitch/bug in the Linux code?
Or because of wrong/stupid firewall rules? As i said, security
is a complicated mixture of hard/software and rules how to behave.
I _have_ spent quite a lot of time talking to customers about security
during the last year (developing a (linux based) gateway). Most (if not
all) customers had a rather naive concept of network security. The
general idea was "let's buy some hardware that'll solve this problem"
instead of "let's think for a moment where our vulnerabilities are ".
A Linux box just won't do it (but i doubt a CISCO/Watchguard/UnameIt
will do either).

> > BTW, having the source code isn't really a valid argument against
> > Linux _based_ firewalls. It works in both directions: yes, crackers
> > can scan for problematic spots, but so can all the Linux programers.
> >> From a statistical point of view this definitely makes Linux more
> > secure. 
> More secure than what?  Than a commercial firewall that has no publicly
> available source code to find exploits in?  Try again.

I consider this a myth. First of all, as was allready said on this
list, most of todays firewall are based on readily available source
code. Second, and more important, the availability of source code
might make things harder but not too much. Quite a lot of the firewalls
i'Ve seen open are Intel-based, and nothing hinders a dedicated person
to fire up his/her disassembler and look at the code. Finding a possible
buffer overflow isn't really _that_ hard (actually, it's sometimes
more easy ;-)

> > If you don't belive me, look at the average bugfix time
> > for Linux kernel security bugs and for kernel security bugs on firewalls.
> Look at the number of known exploits for Linux, and compare it to a Cisco
> PIX. Really, write the numbers down on paper.

Exploits for Linux systems are known early and are published even by
the developing comunity. This is not the case with commercial products.
The fact that CISCO doesn't run arround telling you about expoits doesn't
mean that there aren't any (i have worked enough with 'the guys from
marketing' ...).
Also, don't forget that it might be more likely that a Linux
user will at some point find out about a hacker ('why the heck is
my network load so high?')  while on a hacked proprietary box nobody
will realize it.

> There, we're done.
> > 
> >> If you aren't running a "real" firewall (and we could debate ad
> >> infinitum how real Linksys is) then you are probably exposed.
> >> Period.  We recommend an external appliance, maybe the Linksys fits
> >> your requirements, maybe Watchguard or Sonicwall does.
> > 
> > 
> >>> [...]
> >> You could go for another 15 minutes and people will still think that
> >> their Linux box is a great firewall and how could they possibly be a
> >> victim.
> > 
> > This really depends on who set up the box. Chances are high that
> > whoever sets up a private security gateway isn't as experienced
> > as someone who works for watchguard etc.
> Chances?  Chances?  Who wants to be taking *chances* where security is
> concerned? *Especially* high ones. :)

I never suggested that. I just think you blame breakins on Linux where
i would blame it on the ignorance or unability to juge their network
security understanding of the local sysadmin.

> > 
> >> *None* of our customers running a commercial firewall have been
> >> hacked.  Plenty of Linux customers have.
> > 
> > Hmmm, that doesn't prove anything. In my experience the people
> > who are willing to spend a lot of money on a 'real' firewall
> > have a reason for doing so. Therefore their whole attitude towards
> > security is different. Comparing the final result (been hacked vs.
> > not hacked) and claiming the difference on the teeny piece of hard-
> > ware inbetween the external and the internal net is a gros over-
> > simplification. 
> No, it's real empirical data.  Not a gross economic projection in an attempt
> to disprove real empirical data with mere sociological/cultural hand waving.

So you are saying that you have customers who spent a significant
amount of money (you get quite a lot of consulting for the price
of a firewall-1 ...) for a Linux firewall and still where hacked?
That _is_ interessting. What sort of exploits did they experience?

> > A firewall is an important part of an overall
> > security concept, but only a complex system of hardware, software,
> > constant monitoring and training of everone working with the net
> > will make a site secure. Most incidents i have heard of recently
> > where caused by malicious code executed on a client from within
> > the private net--something even the best firewall can't stop.
> > 
> > Ralf
> You can tell you aren't a service provider, and that you spend more time
> maintaining your own LAN than other people's.  You're missing that whole
> real world piece of the pie.

Hmm, quite a lot of my boxes are out in the real world, doing their job.
I would claim that they can substitute for a 'real' firewall, but i 
think they give the 'normal' user quite some security. I see the difference
more in the customizability (is this a word?). One way i try to make our
boxes secure is by keeping the customer from doing all sorts of 'silly'
things (the fact that someting is possible with Linux doesn't mean that
it's a particullary good idea). So there is no port forwarding, icmp
masquerading, NetMeeting support etc. 
But, again, i don't think that this alone makes a net secure. I had
long phone converstions with customers who wanted our box to agressively
scan and modify incomming email so to stop workers of sending themself (!)
programs from the internet--after a while it turned out that every single
user was running an unrestricted web browser .... Those aren't firewall
(or OS) problems, this is just the lack of knowloege on the admin side
(and this is something i really blame Microsoft for: everything is point-
and-click so everyone with some mouse experience considers him/herself
an expert).

> Without a firewall, it really doesn't matter what else you do, you've left
> the door open.  It's like the lottery, your chances to win increase an
> infinite amount when you buy one lottery ticket instead of zero.

Oh, i agree on that! But that wasn't the discusion, or? This was
Linux vs. proprietary systems.


> Chris
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

More information about the LUG mailing list