Router/Firewall Recommendation

Otto Haliburton ottohaliburton at comcast.net
Thu Jun 24 06:34:19 UTC 2004



> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Rodolfo J. Paiz
> Sent: Thursday, June 24, 2004 12:28 AM
> To: General Red Hat Linux discussion list
> Subject: RE: Router/Firewall Recommendation
> 
> At 10:48 AM 6/23/2004, Otto Haliburton wrote:
> >A hardware firewall is practically
> >impenetrable because the outside world never knows the IP address of
> >computers behind the firewall, whereas the first level is penetrated
> >automatically by a non-hardware firewall, you have to think about this a
> >little to get what I mean.
> 
> Otto, your thoughts are well-reasoned but totally wrong, since you think
> of a "hardware" firewall as something made of brick with no holes.
> 
> All "hardware" firewalls (all of them, no matter how cheap or expensive or
> anything) run software inside them! All of them. Cisco, Firewall/1,
> Linksys, Netgear... all of them. It just happens that the code is:
> 
>          a) embedded in firmware, so no hard drive or moving parts (good)
> 
>          b) hidden from you, so you cannot know if there are any mistakes
> in the code (bad)
> 
>          c) not accessible to you, so you cannot make changes (bad)
> 
> Note specifically that some Linksys router/firewalls run on Linux, as does
> Firewall/1 if I recall correctly. There is *always* code and software, and
> the hardware firewalls are *not* impenetrable. In fact IIRC nearly every
> (perhaps every?) major firewall maker of any type has had vulnerabilities
> discovered and exploited in their devices. No code is perfect, no firewall
> is perfect.
> 
> All machines can be hacked, and if your Linksys is ever
> hacked/cracked/exploited you'll NEVER KNOW IT. And if there *is* a
> vulnerability discovered, and publicized, and Linksys (or whomever)
> chooses not to fix or to delay fixing that hole then there's nothing you
> can do about it.
> 
> Please don't take this to mean that I think those little blue boxes are
> bad... oh no, not at all. I rather like them, and in fact I have
> recommended them to a few dozen people. They work and they generally do so
> pretty well. For some people, in some cases. Linux or other good software
> firewalls also work and work well, usually for different people in
> different circumstances. All I mean to do is to thoroughly cast out those
> demons who whisper impenetrability in your ear.
> 
> As for the "first level is penetrated automatically" thing, well...
> bullshit. Sorry to be so direct, but I challenge you or anyone to setup a
> hardened Linux firewall with NAT or masquerading and proper controls and
> "penetrate" the thing in any way. NAT and masquerading are great things.
> They work well. But they are not the only things, and they are not perfect
> things. Multiple layers of defense always, multiple tools, and the
> reasonable understanding of the pros/cons of each approach.
> 
> Cheers,
> 
> 
Well, I guess the theory behind NAT is really simple and penetration is very
simple then, but I don't think so.  'The first level is penetrated
automatically' is a way of saying 'defeat the OS and you're in the world', and
that ain't no bullshit, because that is exactly what happens when you are
hacked.  You don't try to penetrate the defense, you penetrate the OS, then
shut down the defense, get it?  With the little blue box, as you call it, if
it fails then the network is lost, period, because all IPs are lost.  The
fact that the computers' IP addresses are translated causes the hacker all
kinds of problems.  The problem with the routers has been improper setup of
the ports and therefore being penetrated, but that is easily detected and
prevented.  Routers are not perfect, but they are a cheap, nearly perfect
solution.  I don't like being called wrong, and I am generally not; it takes
all of 15 minutes to get excellent security, vs. 20 months of building
security.
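
[Editor's added example, not code from either poster.]  Rodolfo's challenge
above is to set up "a hardened Linux firewall with NAT or masquerading and
proper controls".  The ruleset below shows what that looks like on a two
interface Linux box, written in nftables syntax (the successor to the iptables
of the thread's era).  The interface names eth0 (WAN) and eth1 (LAN), the
192.168.1.0/24 LAN range, and the choice to serve DNS/DHCP from the firewall
itself are assumptions for the example.  It implements Otto's "outside never
reaches the inside" property explicitly (forward chain: default drop, new
connections only LAN->WAN) and also addresses his "penetrate the OS, then shut
down the defense" point: the firewall host itself accepts management traffic
only from the LAN side, and everything it drops is logged so you *do* know
when something is knocking.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread).  Assumed names: eth0 = WAN,
# eth1 = LAN, 192.168.1.0/24 = LAN range.  Syntax-check with
#   nft -c -f firewall.nft
# then load with
#   nft -f firewall.nft
# and enable routing with  sysctl -w net.ipv4.ip_forward=1

flush ruleset

define WAN     = eth0
define LAN     = eth1
define LAN_NET = 192.168.1.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections the box itself opened; invalid packets
        # (bad TCP state, unsolicited RST/ACK scans) are dropped early.
        ct state established,related accept
        ct state invalid drop

        iif lo accept

        # Rate-limited ICMP so path MTU discovery and diagnostics still work.
        ip  protocol icmp   limit rate 10/second accept
        ip6 nexthdr  icmpv6 limit rate 10/second accept

        # Management of the firewall host: SSH from the LAN only, never
        # from the WAN interface, and only with a LAN source address.
        iif $LAN ip saddr $LAN_NET tcp dport 22 ct state new accept

        # Services the box offers to the LAN (assumes dnsmasq or similar).
        iif $LAN udp dport { 53, 67 } accept
        iif $LAN tcp dport 53 accept

        # Everything else aimed at the firewall itself: log, then drop.
        log prefix "fw-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # New connections may only be initiated from the LAN toward the WAN,
        # and only from a LAN source address (stops spoofed or misrouted
        # sources from leaving the box masqueraded).
        iif $LAN oif $WAN ip saddr $LAN_NET ct state new accept

        # Any new inbound connection from the WAN toward the LAN lands here:
        # the "outside never reaches the inside" property, made explicit.
        log prefix "fw-forward-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Rewrite LAN sources leaving via WAN to the WAN address; conntrack
        # maps the replies back, so no inbound rule is needed for them.
        oif $WAN ip saddr $LAN_NET masquerade
    }
}
```

Two things worth noticing.  First, NAT on its own is not what keeps the
inside unreachable; the forward chain's "policy drop" plus the ct state
rules are.  A box with masquerade but an accept policy on forward would still
pass inbound packets to any routed internal address.  Second, the two "log
... drop" lines are the practical answer to "you'll NEVER KNOW IT": the
kernel log (dmesg / journalctl -k) now records every probe against the
firewall host and every blocked inbound attempt, which is the detection
Otto says is easy and Rodolfo says the blue box does not give you.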
