Re: how secure is a linux firewall?





My $.02 is that you're better off with a standalone appliance than you
are with a host based solution running with the O/S.

Duane :)

I hear this all the time, but every 'standalone appliance' is a general
purpose computer running an O/S, typically a BSD 4 derivative. With a Linux
(or Free/Net/OpenBSD) solution, you can build a firewall with a generic 1U
server that almost certainly has higher performance hardware than a typical
commercial router. Installing the 'barebones' OS and the corresponding
packet filter (e.g. pf or IPTables) is simple. Writing the configuration
files is the most work, but that is true of any firewall.

My concern with many of the commercial systems is that they simply have not
had the same level of code review as the open source programs. This is
especially true of the OpenBSD project. It wasn't long ago that Cisco was
forced to admit that they had HARD CODED a password in some routers. This
is such a fundamental coding violation (e.g. you would lose points in
Programming 101) that it puts into question their entire code auditing
process. So, I would argue that the open source solutions are more secure
than the closed commercial solutions.

So, I guess I would say that a Linux firewall is fine, but
1) you need to know what you are doing (as you have discussed in detail)
2) a firewall should run on a dedicated computer so as to minimize the
attack tree (you can't exploit a bug in software that isn't installed)

If these conditions are acceptable, then I see nothing wrong with a Linux
firewall.