Re: Linux firewall vs Windows and Hardware based firewalls

To: Debian-User <debian-user@lists.debian.org>
Subject: Re: Linux firewall vs Windows and Hardware based firewalls
From: Jesse Meyer <meyer@btinet.net>
Date: Thu, 31 Jul 2003 13:21:23 -0500
Message-id: <[🔎] 20030731182123.GA735@ping>
Mail-followup-to: Debian-User <debian-user@lists.debian.org>
In-reply-to: <[🔎] 1059660405.7508.472.camel@haggis>
References: <[🔎] 96F38967F729284A8B6A2CE70CF09A09150871@datcom-exchange.datcom_ho.local> <[🔎] 20030731205021.73a93433.y2kbug@ms25.hinet.net> <[🔎] 1059660405.7508.472.camel@haggis>

On Thu, 31 Jul 2003, Ron Johnson wrote:
> 
> >          Furthermore, Intel-based PCs have some well-known exploits
> > (such as buffer overflows) which are a function of the hardware and
> > there is no real cure because changing the CPU instructions would break
> > backward compatibility.
> 
> Bzzz.  Where did you hear that?
> 
> Buffer-overflows are mainly a symptom of the "C" disease, and 
> happen on ia32, Alpha, Sparc, etc.  Any arch that has a C compiler.
> 
> Now, an insecure-by-design OS (DOS, Win3.1, Win95, Win98) that
> doesn't use the memory protection that the CPU provides are crud,
> but real OSs (OS/2, Linux, QNX, etc, etc, ad nauseum) don't
> suffer that problem.

I believe that some computer architectures can divide memory into 
'executable' and 'non-executable', thus limiting the damage a 
buffer overflow can cause.  I've never heard of this in a hardware
firewall though.

Speaking of which, hardware firewalls and routers do have security
problems, as a quick google search can show.

My personal feelings on the matter is that a hardware firewall tends to
be more compact, more efficient, and faster for some purposes.  The 
expensive routers can do complex packet filtering in custom hardware 
which would be too slow to do in software.

The cheap "firewalls" and "routers" that are used for broadband
connections tend to be set up very insecurely - allowing almost anything
out.  Plus, with uPnP support, a uPnP operating system (such as Windows
XP) is allowed to open and forward ports on the firewall without any
user notification or intervention.

Because of such concerns, for small networks, I would recommend a
low-end x86 machine with a stripped down install of linux - basically,
iptables and ssh.  For complicated routing, you'll need to bite the
bullet and buy a high-end router, which can easily end up costing tens
of thousands of dollars.  (But if you are asking what you need in this
mailing list, odds are you don't need a complicated router.)

The main security risk with a firewall is not the hardware or software,
but with the administrator - firewalls take time and knowledge to set up
and maintain.  Also, security is more then just a firewall.

~ Jesse Meyer

-- 
         icq: 34583382 / msn: dasunt@hotmail.com / yim: tsunad

   "We are what we pretend to be, so we must be careful about what we 
    pretend to be." - Kurt Vonnegut Jr : Mother Night

Attachment: pgpIQrbA69uTp.pgp
Description: PGP signature

Reply to:

References:
- Linux firewall vs Windows and Hardware based firewalls
  - From: "Andre Volmensky" <AndreV@datcom.com.au>
- Re: Linux firewall vs Windows and Hardware based firewalls
  - From: Robert Storey <y2kbug@ms25.hinet.net>
- Re: Linux firewall vs Windows and Hardware based firewalls
  - From: Ron Johnson <ron.l.johnson@cox.net>

Prev by Date: Re: Future Debian default MTA?
Next by Date: Re: kernel-source-2.5.69.tar.bz
Previous by thread: Re: Linux firewall vs Windows and Hardware based firewalls
Next by thread: Re: Linux firewall vs Windows and Hardware based firewalls
Index(es):
- Date
- Thread