Re: [fw-wiz] Open Source Personal Firewall?

From: Charles Swiger (cswiger_at_mac.com)
Date: 12/14/03

    To: Breno Jacinto <breno@gamebox.net>
    Date: Sun, 14 Dec 2003 14:00:05 -0500
    
    

    On Dec 13, 2003, at 8:36 PM, Breno Jacinto wrote:
    > * Charles Swiger (cswiger@mac.com) wrote:
    >> Are you looking for an appliance, or are you looking to install OSS
    >> software onto an existing machine (presumably commodity Intel
    >> hardware)? If the latter, you could start with OpenBSD or a hardened
    >> flavor of Linux (Bastille?), or PicoBSD (look up Luigi Rizzo, the
    >> author of IPFW).
    >
    > Just to avoid confusion: I refer to personal firewalls to softwares
    > like Zonealarm. It's limited (simple packet filtering) compared to
    > real ones (openbsd, linux etc), but supposedly more usable.

    Per-client "personal firewalls" can encounter a class of usability
    problems which are not present in external firewalls, when the things
    break software running locally, for example, but that type of problem
    isn't extremely common.

    > I was looking for an OSS equivalent of Zonealarm, BlackICE and the
    > like. I know many 'real' firewalls - in-kernel, customized OSes -
    > which are OSS, like the ones you mentioned. But they're not 'usable'
    > without an expert (or maybe NO firewall can be of good use without an
    > expert setting it up). The trade-off between usability and security is
    > cruel.
    [ ... ]
    > That's why PF can come in handy. Like a 'minimum' security for the
    > everyday user. Well, considering the user knows what he is doing...

    A number of operating system vendors are shipping "personal firewall"
    capabilities integrated with their latest OS release: Microsoft has
    their Internet Connection Sharing, there's the Control Panel applet
    managing IPFW in Apple's MacOS X 10.3 (Panther), and there's no need to
    go over the capabilities of Linux and the BSD's from which such
    firewall technologies originated.

    I would argue that the latter is reasonably intuitive, at least, and
    its options correspond to the list of services one can enable
    elsewhere, so that if one enables secure login, the firewall config has
    a checkbox marked "Remote Login - SSH (22)", under the covers IPFW gets
    invoked with:

    [ ...loopback anti-spoofing rules trimmed... ]
    allow tcp from any to any out
    allow tcp from any to any established
    allow tcp from any to any 22 in
    deny tcp from any to any

    This isn't much different than other systems which construct a firewall
    ruleset-- there are some websites which will generate such rules based
    on an HTML form one fills out, but it does the job.

    >> 1: And it's been the latter which has tended to result in bugs with
    >> most firewalls, another example of the classic tradeoff between
    >> ease-of-use and security...
    >
    > Yes, and the question remains: If we need an expert to set up a
    > 'Personal Firewall', cause otherwise the user will not be able to
    > set a decent policy, is there any reason not to use a cheap machine
    > in front of the PCs running OpenBSD/Linux doing NAT (..) rather than
    > a Software (Zonealarm) running in the host itself?

    There are certainly advantages to using a separate firewall device
    instead of a per-client local firewall. First and foremost is that a
    firewall device won't be running client user applications or initiating
    and responding to network connections, and taking action on such data
    such as running software downloaded from the network, knowingly or
    otherwise (malware).

    I was going to say something about trying to come up with a sensible
    network security policy that doesn't need an expert to understand, but
    I'm being distracted by a rather impressive snowfall happening outside
    my windows at the moment... :-)

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
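
The checkbox-to-ruleset translation Chuck describes above, as an added example that is not the Panther Sharing applet's code nor anything from this list: a small Python generator that turns a set of enabled "services" into the same rule shapes quoted in the message (allow out, allow established, allow in to each enabled port, deny the rest), plus a toy first-match evaluator so the effect of rule order can be checked. The service catalogue, the starting rule number 2000, and the default-allow fallthrough are constructed assumptions for illustration.

```python
"""Generate and evaluate an IPFW-style ruleset from a set of enabled services.

Added example; it mirrors the rules quoted in the message, not the real
Mac OS X applet. The service table, rule numbering and default action
are assumptions made for this illustration.
"""

# Constructed catalogue of "checkbox" services: label -> (proto, port).
# Only TCP entries, because the quoted ruleset is TCP-only.
SERVICES = {
    "Remote Login - SSH (22)": ("tcp", 22),
    "Personal Web Sharing (80)": ("tcp", 80),
    "Windows File Sharing (139)": ("tcp", 139),
    "Personal File Sharing (548)": ("tcp", 548),
}


def build_ruleset(enabled, services=SERVICES):
    """Return the ipfw rule bodies for the given enabled service labels.

    An unknown label raises KeyError rather than being skipped, so a typo
    in the form cannot silently produce a ruleset that differs from what
    the user believes was enabled. Duplicate ports are emitted once.
    """
    rules = [
        "allow tcp from any to any out",
        "allow tcp from any to any established",
    ]
    seen = set()
    for label in enabled:
        proto, port = services[label]          # KeyError on unknown label
        if proto != "tcp":
            raise ValueError("this generator only models TCP services")
        if (proto, port) in seen:
            continue
        seen.add((proto, port))
        rules.append(f"allow {proto} from any to any {port} in")
    rules.append("deny tcp from any to any")   # catch-all for inbound TCP
    return rules


def rules_from_form(form, services=SERVICES):
    """Take a dict of checkbox label -> bool (the HTML form) and build rules."""
    return build_ruleset([label for label, on in form.items() if on], services)


def render(rules, start=2000, step=10):
    """Prefix each rule body with 'ipfw add NNNNN' (numbering is an assumption)."""
    return [f"ipfw add {start + i * step:05d} {rule}" for i, rule in enumerate(rules)]


def evaluate(rules, proto, port, direction, established=False, default="allow"):
    """First-match evaluation of one packet against the generated rules.

    Toy model of ipfw's first-match semantics that understands only the
    rule shapes build_ruleset emits. `default` models rule 65535; a
    default-allow kernel is assumed here, which is why non-TCP traffic
    falls straight through this TCP-only ruleset.
    """
    for rule in rules:
        words = rule.split()
        action, rproto = words[0], words[1]
        if rproto != proto:
            continue
        opts = words[6:]                       # everything after "from any to any"
        if opts == ["out"] and direction == "out":
            return action
        if opts == ["established"] and established:
            return action
        if len(opts) == 2 and opts[1] == "in" and direction == "in" \
                and int(opts[0]) == port:
            return action
        if not opts:                           # bare "deny tcp from any to any"
            return action
    return default


if __name__ == "__main__":
    ruleset = rules_from_form({"Remote Login - SSH (22)": True,
                               "Personal Web Sharing (80)": False})
    print("\n".join(render(ruleset)))
    print("inbound SSH:", evaluate(ruleset, "tcp", 22, "in"))
    print("inbound HTTP:", evaluate(ruleset, "tcp", 80, "in"))
```

Two things the evaluator makes visible that the checkbox hides: the final `deny tcp` only covers TCP, so anything else is decided by the default rule, and `established` in ipfw is a per-packet TCP flag check rather than connection tracking, so the second rule accepts any packet carrying those flags regardless of whether a matching connection exists. Both are reasons a generated ruleset is worth reading once before trusting it.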
    
