[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Linux firewall vs Windows and Hardware based firewalls

On Thu, 31 Jul 2003, Ron Johnson wrote:
> >          Furthermore, Intel-based PCs have some well-known exploits
> > (such as buffer overflows) which are a function of the hardware and
> > there is no real cure because changing the CPU instructions would break
> > backward compatibility.
> Bzzz.  Where did you hear that?
> Buffer-overflows are mainly a symptom of the "C" disease, and 
> happen on ia32, Alpha, Sparc, etc.  Any arch that has a C compiler.
> Now, an insecure-by-design OS (DOS, Win3.1, Win95, Win98) that
> doesn't use the memory protection that the CPU provides are crud,
> but real OSs (OS/2, Linux, QNX, etc, etc, ad nauseum) don't
> suffer that problem.

I believe that some computer architectures can divide memory into 
'executable' and 'non-executable', thus limiting the damage a 
buffer overflow can cause.  I've never heard of this in a hardware
firewall though.

Speaking of which, hardware firewalls and routers do have security
problems, as a quick google search can show.

My personal feelings on the matter is that a hardware firewall tends to
be more compact, more efficient, and faster for some purposes.  The 
expensive routers can do complex packet filtering in custom hardware 
which would be too slow to do in software.

The cheap "firewalls" and "routers" that are used for broadband
connections tend to be set up very insecurely - allowing almost anything
out.  Plus, with uPnP support, a uPnP operating system (such as Windows
XP) is allowed to open and forward ports on the firewall without any
user notification or intervention.

Because of such concerns, for small networks, I would recommend a
low-end x86 machine with a stripped down install of linux - basically,
iptables and ssh.  For complicated routing, you'll need to bite the
bullet and buy a high-end router, which can easily end up costing tens
of thousands of dollars.  (But if you are asking what you need in this
mailing list, odds are you don't need a complicated router.)

The main security risk with a firewall is not the hardware or software,
but with the administrator - firewalls take time and knowledge to set up
and maintain.  Also, security is more then just a firewall.

~ Jesse Meyer

         icq: 34583382 / msn: dasunt@hotmail.com / yim: tsunad

   "We are what we pretend to be, so we must be careful about what we 
    pretend to be." - Kurt Vonnegut Jr : Mother Night

Attachment: pgp7gX1jmm13C.pgp
Description: PGP signature

Reply to: