Re: Wrt54G is a FW appliance?

From: Floyd L. Davidson (floyd_at_apaflo.com)
Date: 08/10/05


Date: Wed, 10 Aug 2005 08:58:48 -0800

Leythos <void@nowhere.lan> wrote:
>I agree that nothing installed by anyone human without further testing
>can be considered as fully secure.

That is true. Now if you only understood what you are saying!

The "further testing"... can't be done *beforehand*, so your
insistence that some similar configuration be certified by ICSA
is simply not valid.

>Where you fail to understand things
>is that Firewall solution that has been passed/tested and documented as
>being secure is far more likely to be a viable security solution than
>something that's not been tested by any reputable agency.

Your understanding of "reputable agency" is simply *wrong*.

IPfilter and IPtables have both passed the test of time and
scrutiny by a much more stringent agency than ICSA (though in
fact, both have obviously been tested and passed by ICSA).

>The entire point is that by using known certified/tested products that
>have documented test methods and result sets, we don't have to put them
>through the same tests on our own in order to determine if they MIGHT be
>securable. Certification means that in a documented test under specific
>conditions, that the device didn't break.

Since you *don't* *duplicate* the same configuration, you don't
know any more about how secure it is than you do about any other
implementation.

>> Which is the entire point of this thread - just
>> because someone pays for ICSA certification for a device and
>> calls it a firewall, that is not what makes it a firewall.
>
>Wrong, if the device is tested and passes, it's a firewall at the point
>it was tested. That doesn't mean you can't misconfigure it, but it does
>mean that it passed specific testing methods and results that are
>documented that you and I can look at to determine, without having to do
>the testing ourselves, that the device meets criteria x,y,z as a
>firewall. Without certification or other reputable testing you don't
>know what criteria the device meets and you don't have any reason to
>expect it to perform as a firewall (or anything else).

Now if only you understood what you are saying. ICSA certifies
an IPtables implementation on one device... and you say the
*device* is therefore a firewall, but IPtables isn't.

Yet your configuration of IPtables is just as untested on that
one device as it is on *any* *other* device using IPtables.

The fact is they *are* all using the same IPtables, and it is
just as likely to "perform as a firewall" on *any* of them.

The same is true of the IPfilter software.

...
>> >Now that we agree that openBSD isn't always secure, that something
>> >called a firewall without testing/certification may not be a firewall, I
>> >don't see what your problem is.
>>
>> Now that we agree that ICSA certified equipment isn't always
>> secure, that something called a firewall with
>> testing/certification may not be a firewall, I don't see what
>> your problem is.
>>
>> (Actually though, I do see that you can't follow logic, and
>> don't have enough background to understand a discussion of
>> firewall technology.)
>
>If you can't understand my reply in this post you can't grasp the
>concepts enough to be worth any more of my time.

Your reply was not logical, and you continue to make invalid
statements.

-- 
Floyd L. Davidson            <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska)                         floyd@apaflo.com
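The post's point that certification of one device says nothing about the ruleset you actually deploy, and that the configuration itself is what needs testing, can be made concrete. The following is an added example, not code from the original post or thread: a small Python audit over the text that `iptables -S` prints. The two sample rulesets are constructed for the example, and the baseline it checks (default DROP on INPUT and FORWARD, no ACCEPT rule that matches everything) is an assumed minimum, not ICSA's criteria.

```python
import shlex

# Constructed sample in the format `iptables -S` prints; not taken from any
# real host. Default-deny inbound, loopback and established traffic allowed,
# one service port opened.
CERTIFIED_LIKE_RULESET = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed sample of the same software with a weak configuration:
# default-accept INPUT and two catch-all ACCEPT rules.
MISCONFIGURED_RULESET = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -j ACCEPT
"""

# Chains carrying traffic from outside the host; assumed baseline is DROP.
INBOUND_CHAINS = ("INPUT", "FORWARD")


def parse_ruleset(text):
    """Parse `iptables -S` output.

    Returns (policies, rules): policies maps chain name to default target,
    rules is a list of (chain, match_tokens, jump_target).
    """
    policies, rules = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "-P" and len(tokens) == 3:
            policies[tokens[1]] = tokens[2]
        elif tokens[0] == "-A" and len(tokens) >= 2:
            chain, body, target = tokens[1], tokens[2:], None
            if "-j" in body:
                j = body.index("-j")
                target = body[j + 1] if j + 1 < len(body) else None
                body = body[:j] + body[j + 2:]   # strip the jump clause
            rules.append((chain, body, target))
    return policies, rules


def _is_unrestricted(match_tokens):
    """True when the match part constrains nothing: empty, or only an
    any-address selector such as `-s 0.0.0.0/0` or `-d ::/0`."""
    meaningful, i = [], 0
    while i < len(match_tokens):
        tok = match_tokens[i]
        if (tok in ("-s", "-d") and i + 1 < len(match_tokens)
                and match_tokens[i + 1] in ("0.0.0.0/0", "::/0")):
            i += 2
            continue
        meaningful.append(tok)
        i += 1
    return not meaningful


def audit(text):
    """Return a list of human-readable findings; empty means the ruleset
    meets the assumed baseline."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in INBOUND_CHAINS:
        pol = policies.get(chain)
        if pol not in ("DROP", "REJECT"):
            findings.append(
                f"{chain}: default policy is {pol or 'missing'}, expected DROP")
    for chain, match, target in rules:
        if chain in INBOUND_CHAINS and target == "ACCEPT" and _is_unrestricted(match):
            rule_text = " ".join(["-A", chain] + match + ["-j", "ACCEPT"])
            findings.append(f"{chain}: unrestricted ACCEPT rule: {rule_text}")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("certified-like", CERTIFIED_LIKE_RULESET),
                          ("misconfigured", MISCONFIGURED_RULESET)):
        print(f"== {name} ==")
        for finding in audit(ruleset) or ["no findings"]:
            print(" ", finding)
```

Run against a live host with `iptables -S | python3 audit.py` after swapping the constructed constants for `sys.stdin.read()`; the audit reads the same IPtables rule syntax whatever box it is on, which is the post's argument that the software is the same everywhere and only the configuration differs.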

