Re: how secure is a linux firewall?



Bob Folkerts wrote:
My $.02 is that you're better off with a standalone appliance than you
are with a host based solution running with the O/S.

Duane :)


I hear this all the time, but every 'standalone appliance' is a general
purpose computer running an O/S, typically a BSD 4 derivative. With a Linux
(or Free/Net/OpenBSD) solution, you can build a firewall with a generic 1U
server that almost certainly has higher performance hardware than a typical
commercial router. Installing the 'barebones' OS and the corresponding
packet filter (e.g. pf or IPTables) is simple. Writing the configuration
files is the most work, but that is true of any firewall.

My concern with many of the commercial systems is that they simply have not
had the same level of code review as the open source programs. This is
especially true of the OpenBSD project. It wasn't long ago that Cisco was
forced to admit that they had HARD CODED a password in some routers. This
is such a fundamental coding violation (e.g. you would lose points in
Programming 101) that it puts into question their entire code auditing
process. So, I would argue that the open source solutions are more secure
than the closed commercial solutions.

So, I guess I would say that a Linux firewall is fine, but
1) you need to know what you are doing (as you have discussed in detail)
2) a firewall should run on a dedicated computer so as to minimize the
attack tree (you can't exploit a bug in software that isn't installed)

If these conditions are acceptable, then I see nothing wrong with a Linux
firewall.

I'll agree with the other poster as to what is being said about a certified standalone appliance solution as opposed to a Linux solution. And besides, I don't think the OP is going to convince management otherwise, and if he pushes it, it may be more trouble than it's worth. I have been there and done that.

Duane :)
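Since the thread's point is that writing the packet-filter configuration is the real work on a dedicated Linux box, here is an added example (mine, not from any poster) of a shell script that generates a default-deny iptables-restore ruleset for a two-interface firewall and sanity-checks it before loading. The interface names eth0/eth1, the LAN subnet and the forwarded port list are assumptions passed in as arguments.

```shell
#!/bin/sh
# Constructed example: emit an iptables-restore ruleset for a dedicated
# Linux firewall. Arguments: WAN iface, LAN iface, LAN subnet, TCP ports
# the LAN may reach outbound (e.g. eth0 eth1 192.168.1.0/24 "80 443").
gen_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"; fwd_tcp="$4"
    # Default policy DROP on INPUT and FORWARD: nothing is reachable unless
    # a rule below explicitly allows it.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        "-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT" \
        "-A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT" \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    # Only the listed destination ports may be opened from LAN to WAN.
    for p in $fwd_tcp; do
        printf '%s\n' "-A FORWARD -i $lan -o $wan -s $lan_net -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A FORWARD -i $lan -o $wan -s $lan_net -p udp --dport 53 -j ACCEPT" \
        'COMMIT'
}

# Sanity check before loading: both filtering chains default to DROP and
# no INPUT rule accepts the SSH management port on the WAN interface.
# Returns 0 when the ruleset passes, 1 otherwise.
check_ruleset() {
    rules="$1"; wan="$2"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -- "^-A INPUT -i $wan " | grep -q -- '--dport 22' && return 1
    return 0
}

# Typical use on the firewall host (as root):
#   gen_ruleset eth0 eth1 192.168.1.0/24 "80 443" > /etc/fw.rules
#   iptables-restore --test /etc/fw.rules && iptables-restore /etc/fw.rules
```

Generating the file and parsing it with `iptables-restore --test` first catches syntax mistakes without touching the live ruleset, which matters when the only way in is SSH through that same box.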