[lug] Broadband

D. Duke Smith duke at firstworld.net
Tue Aug 1 18:31:59 MDT 2000


How much is your time working on your Linux FW worth as compared
to a couple hundred for an external box? 

& ! Please don't disclose
your full setup. Just as the biggest security problem in a business
is internal (the guy who's about to quit), this list could be a leak.

Rule #1 of self-defense: Never let anyone find out what you know
about self defense except the hard way.

- d

"Michael J. Pedersen" wrote:
> I probably shouldn't reply to this, but I'm going to, mainly because it is
> possible to have a secure linux box on the internet, in my opinion.
> On Tue, Aug 01, 2000 at 12:27:23AM -0600, PC Drew wrote:
> > For all those who have or want cable modems or DSL, you should look
> > into using the Linksys BEFSR41 firewall instead of a computer.  Yeah,
> > it's a lot of fun to play around with Linux firewalling and such, but
> > if you want something that firewalls, does DHCP, NAT, port forwarding,
> > etc. for your network AND has a 4-port switch in it for only
> > $160...this is your product!
> All of which is available via open source solutions (ie: GPL'ed most, if not
> all, of that), which means that I don't have a need to fork out the $160 which
> you are saying I should.
> > No, this isn't an advertisement for Linksys.  I just cringe when I
> > hear about people using their linux machines to do lots of packet
> > filtering that is unnecessary.
> Except for one detail in my case: I'm doing lots of packet filtering that,
> while it may not be necessary, is good to have done. The Linux machine is my
> gateway and firewall. I'd prefer to have the firewall happening there, for
> other reasons due to my setup (I'll disclose the full setup if so desired).
> As for my packet filtering, I'm basically dropping everything from udp, tcp,
> and icmp that I don't totally need to have available. And the stuff I DO have
> available never sees unencrypted passwords get sent. So, hacking my box will
> require something like either a buffer overflow, or the infamous ping of death
> coming back. No, I'm not susceptible to it, but that doesn't change the fact
> that those are the only two methods to gain access. Unless I write a
> particularly bad cgi script somewhere along the way.
> > Also, if you think for a second that hooking your cable modem directly
> > into your computer is safe, think again.  You've just put your
> > computer straight on the Internet for script kiddies to beat the crap
> > out of.
> You're right, of course. But, you forgot something: Dialing into the internet
> on a linux box is also unsafe. Same for dialing in with a Windows box, Solaris
> box, and every other type of box. If even one service is offered by your
> machine, no matter how obscure, you are open to attack. And, in my mind,
> responding to a ping is technically a service your machine offers.
> Security is always about what are you doing to protect yourself, AND how much
> risk is acceptable for what you have. Am I immune from attack? No, of course
> not. To believe that I am would be silly. Am I relatively safe from attack?
> Considering the following, yes I am:
> * I have a lot of hard drive space. Mailbombing me would require a large waste
>   of time on the part of the attacker to do any damage at all, and even then,
>   due to partitioning schemes, my box would not be taken down. I would only
>   have to deal with one bad mailbox, and email comes right back up.
> * I don't offer a lot of services. The ones that I do offer, I'm very
>   restrictive on. My biggest weakness? sendmail. And that's just because I'm
>   more comfortable with sendmail than with the others out there. I ONLY allow
>   secure shell connections for machine level access (ie: telnet and ftp are
>   completely removed from my machine and inaccessible). Even though Apache is
>   being run, there's not any cgi's going on (except for a custom counter I
>   wrote, which has a known weakness I'll be fixing later today. Even that
>   weakness isn't so bad, though, as it only has a race condition on it).
> * I firewall away everything that I don't like. I'm even annoying to myself,
>   in that I have to use passive ftp anywhere due to what I filter out.
> * I actually monitor this machine on almost an hourly basis, seeing what can
>   be seen in the logs. In addition, I keep up with the latest exploits, and
>   keep my software updated as needed to prevent and to patch security holes.
> Am I immune to attack? No, not by a long shot. Can I recover from it? Almost
> entirely (I'm still working out a better backup solution). In short, I'm doing
> the things that a good sysadmin has to do to protect his box. And that's what
> makes the box secure. Not whether it's commercial or not, not whether it's
> open or closed source: The sysadmin. You get a bad one, and your system WILL
> be cracked, and soon. I like to think I'm one of the better ones, in that I've
> already seen and repelled a few attackers due to these measures.
> I guess what I'm trying to say is this: Don't slam a linux firewall on the
> basis that "Since it's open source, it must be more insecure, because
> everybody can beat on it." To me, at least, it doesn't make sense.
> -----
> Michael J. Pedersen
> Get GnuPG at http://www.gnupg.org
> My GnuPG Key Fingerprint: C31C 7E90 5992 9E5E 9A02 233D D8DD 985E 4E72 4A60
> My GnuPG Public Key Available At: http://www.keyserver.net

Duke Smith
WebIQ, Ltd.
(303) 743-7213 VOX
(303) 745-4898 FAX

"Never ask a mathematician to balance your checkbook."
                         - Bubba RomDOS
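The quoted message describes a default-deny host firewall: drop everything from udp, tcp and icmp that is not strictly needed, allow only SSH for shell access, and accept that the filtering forces passive-mode FTP. The following is an added illustration, written for this page and not taken from either poster's setup, that models such a policy and evaluates sample packets against it. The open ports (22, 25, 80), the sample port numbers and the packet records are constructed for the example, and the `iptables` syntax it renders is an assumption about how the policy would be written on a current kernel (a box of that era would more likely have used ipchains).

```python
"""Model of a default-deny host firewall: a short ordered rule table, a
first-match evaluator, and a renderer that writes the same table out as
iptables commands.  Everything here is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    direction: str             # "in" (from the Internet) or "out" (to it)
    dport: int = 0             # destination port, or ICMP type for icmp
    syn: bool = False          # first packet of a TCP connection
    established: bool = False  # belongs to a connection already accepted


@dataclass(frozen=True)
class Rule:
    action: str                        # "ACCEPT" or "DROP"
    proto: Optional[str] = None        # None matches any value of the field
    direction: Optional[str] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None
    established: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        for field in ("proto", "direction", "dport", "syn", "established"):
            want = getattr(self, field)
            if want is not None and getattr(p, field) != want:
                return False
        return True


# Ordered table; first match wins, anything unmatched hits DEFAULT.
RULES = [
    Rule("ACCEPT", established=True),                                # replies to accepted connections
    Rule("ACCEPT", proto="tcp", direction="in", dport=22, syn=True),  # SSH: the only shell access
    Rule("ACCEPT", proto="tcp", direction="in", dport=25, syn=True),  # mail (assumed, as in the message)
    Rule("ACCEPT", proto="tcp", direction="in", dport=80, syn=True),  # web server, no CGI exposed
    Rule("ACCEPT", direction="out"),                                 # traffic the box itself originates
    # No ICMP rule at all: echo requests fall through to DEFAULT, so the
    # box does not "offer" ping as a service.
]
DEFAULT = "DROP"


def decide(p: Packet, rules=RULES, default=DEFAULT) -> str:
    """Return the verdict for one packet under first-match semantics."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def ftp_data_allowed(mode: str) -> bool:
    """Does the FTP data connection survive the policy in the given mode?

    Without a connection-tracking FTP helper the filter cannot relate the
    server's inbound data connection to our outbound control session, which
    is why a policy like this forces passive mode.  Port numbers constructed."""
    if mode == "active":
        # server connects from its port 20 to a high port on our side
        data = Packet("tcp", "in", dport=40000, syn=True)
    elif mode == "passive":
        # we connect out to a high port the server announced
        data = Packet("tcp", "out", dport=50000, syn=True)
    else:
        raise ValueError(f"unknown FTP mode: {mode}")
    return decide(data) == "ACCEPT"


def render_iptables(rules=RULES, default=DEFAULT) -> str:
    """Render the table as iptables commands (assumed syntax, for reading only)."""
    lines = [f"iptables -P INPUT {default}", f"iptables -P FORWARD {default}"]
    for r in rules:
        chain = "OUTPUT" if r.direction == "out" else "INPUT"
        cmd = [f"iptables -A {chain}"]
        if r.established:
            cmd.append("-m state --state ESTABLISHED,RELATED")
        if r.proto:
            cmd.append(f"-p {r.proto}")
        if r.dport is not None:
            cmd.append(f"--dport {r.dport}")
        if r.syn:
            cmd.append("--syn")
        cmd.append(f"-j {r.action}")
        lines.append(" ".join(cmd))
    return "\n".join(lines)


if __name__ == "__main__":
    samples = [
        ("inbound SSH", Packet("tcp", "in", dport=22, syn=True)),
        ("inbound telnet", Packet("tcp", "in", dport=23, syn=True)),
        ("inbound DNS query", Packet("udp", "in", dport=53)),
        ("inbound ping (ICMP echo)", Packet("icmp", "in", dport=8)),
    ]
    for label, pkt in samples:
        print(f"{label:28s} -> {decide(pkt)}")
    for mode in ("active", "passive"):
        print(f"FTP data connection, {mode:7s} -> {'ok' if ftp_data_allowed(mode) else 'blocked'}")
    print(render_iptables())
```

The point the evaluator makes visible is the one the message states in prose: what is not explicitly offered is not reachable, ping included, and the price is that any protocol which expects the remote side to open a connection back (active FTP here) stops working unless the filter is taught to relate that connection to an existing session.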
