
Re: Should I propose a Debian Firewall?

Paul M Sargent wrote:
> 
> Hi all,
> 
> I just subscribed to the list, so please excuse me if I'm making a huge faux
> pas here.
> 
> Where I work we currently have a Commercial packet Firewall which is
> starting to show problems. The major one is that it has a limited user
> license and we outgrew it a long time ago. It's long gone the time that we
> should have replaced it.
> 
> I am debating whether to propose a Linux (probably Debian, I like the
> maintainability of it) based firewall, but I can guess the concerns about
> security. That is why I'm here.
> 
> <flame retardant suit on>
> Does a Linux based firewall come up to scratch when compared to a Commercial
> one? Are there issues I should know about?
> <suit off>
<me too?>
In my opinion YES. My company is selling Debian-based firewalls (I just
have a project with a 12-port firewall running) and our customers are very
happy with them.
The product will be named Gibraltar, but at the moment there is no
installation procedure and no real configuration environment. I just
started playing with package configurations to get a tight firewall
system.
Two packages that were created for Gibraltar are already in the main
Debian distribution: logcheck and pptpd (I am the maintainer).

> Obviously there are lots of great things about having your security under
> public review (fast fixes, tried and tested systems, etc). I just want to
> know, before I stick my neck out, is there anything I could get shot down
> for.
This is the main reason why I use Linux: The public review.
> As far as my limited understanding goes, I can't see things getting much
> more secure than a Linux box with just the kernel (configured for masq and
> firewalling), a few network tools (route, ipchains) and a shell. No other
> services on the box.
True. Our firewalls only have two ports open: the SSH port for
administration and the HTTPS port for getting traffic information from
it (nice GIFs created by ipac). BTW, does anybody know a really small
web server for Linux that has SSL support? It should be really small,
just SSL and user authentication (plain passwords are enough when going
over SSL).
All other ports are set to deny and logging.

There is only one problem compared to the commercial firewalls: the
administration interface.
With Linux you are on your own at the moment (although I am working on
designing a tool for configuring the network and firewalling rules). I
recommend the use of ifup/ifdown commands in Debian netbase and fwctl (a
Debian package too) for firewalling rules. If you want to use advanced
routing features of the 2.2.x kernel, you can do so by putting the ip
commands in the /etc/network/interfaces file, but you have to use the ip
syntax. No config tool for this.
> Am I thinking in the right way?
Definitely!

> It's then just a matter of what you allow...right?
Sure.

Summary: I think (this is only my personal opinion, vendors of
commercial firewalls may have other opinions) that Linux can be as
secure as commercial firewalls are. This can be achieved with only the
standard set of programs and a stock Linux kernel > 2.2.x (because of
the advanced features I recommend 2.2.x over 2.0.x).
The main disadvantage is the configuration (no nice Windows programs to
do it with drag and drop).

Feel free to ask me details about implementations of specific features.

greets,
Rene
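An added example, not part of Rene's post or of the Gibraltar product: an ipchains rule set for a 2.2 kernel that implements the policy described above (only SSH and HTTPS open on the firewall itself, masquerading for the LAN, everything else denied and logged). Interface names, addresses and the port list are assumptions; the script prints the commands instead of applying them unless it runs as root with ipchains installed.

```shell
#!/bin/sh
# Added example (not from the post): an ipchains policy for a 2.2 kernel in the
# spirit of Rene's setup. Interfaces, addresses and ports are assumptions.
EXT_IF=${EXT_IF:-eth0}                # Internet-facing interface
INT_IF=${INT_IF:-eth1}                # LAN-facing interface
EXT_IP=${EXT_IP:-203.0.113.10}        # firewall's external address (documentation range)
INT_IP=${INT_IP:-192.168.1.1}         # firewall's LAN address
LAN=${LAN:-192.168.1.0/24}            # internal network that gets masqueraded
ADMIN_PORTS=${ADMIN_PORTS:-"22 443"}  # SSH for administration, HTTPS for the ipac graphs
IPCHAINS=${IPCHAINS:-ipchains}

# Print the commands instead of applying them unless we are root with ipchains present.
DRY_RUN=${DRY_RUN:-0}
if [ "$(id -u)" != 0 ] || ! command -v "$IPCHAINS" >/dev/null 2>&1; then
    DRY_RUN=1
fi

rule() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPCHAINS $*"; else "$IPCHAINS" "$@"; fi
}

apply_firewall() {
    rule -F                            # start from an empty rule set
    rule -P input DENY                 # default policies: deny in and through, allow out
    rule -P forward DENY
    rule -P output ACCEPT
    rule -A input -i lo -j ACCEPT
    rule -A input -i "$EXT_IF" -s "$LAN" -l -j DENY   # anti-spoofing: LAN sources never come from outside
    # The only services on the firewall itself, reachable from the LAN only.
    for port in $ADMIN_PORTS; do
        rule -A input -i "$INT_IF" -p tcp -s "$LAN" -d "$INT_IP" "$port" -j ACCEPT
    done
    # Anything else addressed to the firewall from the LAN is denied and logged (-l);
    # the rest of the LAN traffic is accepted on input so the forward chain can masquerade it.
    rule -A input -i "$INT_IF" -d "$INT_IP" -l -j DENY
    rule -A input -i "$INT_IF" -d "$EXT_IP" -l -j DENY
    rule -A input -i "$INT_IF" -s "$LAN" -j ACCEPT
    # ipchains is stateless: admit non-SYN TCP replies to unprivileged ports and UDP
    # replies to the 2.2 masquerade port range 61000:65096.
    rule -A input -i "$EXT_IF" -p tcp ! -y -d "$EXT_IP" 1024:65535 -j ACCEPT
    rule -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 61000:65096 -j ACCEPT
    # In the forward chain -i is the outgoing interface: masquerade LAN traffic leaving.
    rule -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
    # Catch-all: deny and log everything not explicitly allowed above.
    rule -A input -l -j DENY
    rule -A forward -l -j DENY
}

apply_firewall
```

Run it once with DRY_RUN=1 and read the printed rules before applying them to a box you administer over SSH, since a mistake in the admin-port rules locks you out.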
