[ale] OT: Firewall purchase

Bob Toxen bob at verysecurelinux.com
Thu Jul 22 11:56:33 EDT 2004


On Thu, Jul 22, 2004 at 06:36:51AM -0400, David Hamm wrote:
> On Wednesday 21 July 2004 06:13 pm, Bob Toxen wrote:
> > David,

> > I'm sorry I've not gotten back to you sooner.  I've been terribly busy.
> I understand.  We all have to earn a living.

> > I really am not motivated to debate this.  
> That's a shame.... I'd hoped this to be an opportunity to contribute to the 
> community by dispelling myths and misconceptions.  

> > What I know is in my book. 
> By all means, please reference your book.  To date I've not been compelled to 
> purchase a copy but perhaps showing the limits of my knowledge will be an 
> incentive for me and others to pick one up.
I did reference my book in my last email.  I'm NOT going to read it to
you over ALE.

> > I will note that a router that just does IP Masquerading (NAT'ing) or
> > throws away packets with the SYN bit on is not an adequate Firewall.
> > Any decent hacker can defeat such a device and hijack connections with
> > little effort.

> I'm sorry, but I don't see anything in the above statement to convince me that 
> IP Masquerading to a private address range and discarding syn packets isn't 
> effective.  If other services were running on the firewall and exposed, I 
> could see a potential; or, if the kernel was flawed and responded to 
> malformed packets.  However, you asserted that an inexpensive firewall wasn't 
> as secure as an expensive custom unit.  My assertion is price doesn't dictate 
> code or logic quality, and firewalls primarily rely on two principles to 
> establish secure internet connectivity.  Higher firewall prices are only 
> justified by additional features which, on the surface, have the potential of  
> increased exposure to security flaws.  

> > > > A custom firewall + no break-in is cost competitive as compared to $100
> > > > for the Netgear toy + $50,000 to recover from the break-in.
> This is FUD without some evidence or logical explanation and not a remark I'd 
> expected from a professional security expert.  A debate would have provided 
> an opportunity to recover from this remark.
Calling my advice FUD is disappointing.  However, for the evidence enter

     connection hijack

into Google and read some of the 74,000 entries on connection hijacking,
which is how to break through a NAT'ing (and other firewalls).  Some of
the hits are unrelated to the topic but there are many, many that are.

> Best regards,

> Dh.
Bob

> > Bob

> > On Wed, Jul 07, 2004 at 10:23:50AM -0400, David Hamm wrote:
> > > Bob,

> > > Let's turn this discussion into a debate.   There's no doubt I'll lose
> > > but what the heck, I'm always up for learning new things and perhaps you can
> > > shed some light into areas where I am deficient in firewalling.  There
> > > may also be some other folks on the list who find this informative.

> > > As far as I understand firewalls have two major characteristics on which
> > > security can be based.  First is the private address scheme adhered to by
> > > the Internet.  Since any addresses containing, 10., 192.168., or
> > > 172.16.->172.31. are not routed, Willy Cracker must either crack the
> > > router sitting in front of the firewall or the firewall itself in order
> > > to establish communications with a host behind the firewall.  An
> > > attractive feature of cheap firewalls is the limited amount of space the
> > > hardware provides for useful cracking tools. So once Willy gets in there
> > > may be no tools like tcpdump or telnet to use in launching an attack on
> > > the internal network.  Loading tools may also present a problem since
> > > there is limited space.

> > > The other characteristic is discarding SYN ( or initialization packets ).
> > > By default most firewalls discard or ignore these requests to begin
> > > communications with a remote host.  They only respond to ACK packets and
> > > perform a look up in a table to find which internal host started the
> > > conversation, discarding any unmatched packets.

> > > Therefore if these two characteristics function properly the difference
> > > between an expensive firewall and a cheap one is additional features. 
> > > Port forwarding and IDS are not really firewalling.  They are features to
> > > enable and monitor communications with internal hosts.  Getting into this
> > > featureset makes the choice more subjective.  Personally I will do
> > > anything I can to discourage port forwarding to a host on the internal
> > > network.

> > > On Wednesday 07 July 2004 12:04 am, Bob Toxen wrote:
> > > > On Sun, Jul 04, 2004 at 04:15:18PM -0400, David Hamm wrote:
> > > > > Thanks for the links and suggestions but this firewall is for a
> > > > > client and building a custom firewall will not be price competitive,
> > > > > especially if you consider the ease of use available for $100 from
> > > > > Netgear and D-Link.

> > > > A custom firewall + no break-in is cost competitive as compared to $100
> > > > for the Netgear toy + $50,000 to recover from the break-in.

> > > > Bob Toxen
> > > > bob at verysecurelinux.com               [Please use for email to me]
> > > > http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> > > > http://www.realworldlinuxsecurity.com [My book: "Real World Linux Security 2/e"]
> > > > Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

> > > > "Microsoft: Unsafe at any clock speed!"
> > > >    -- Bob Toxen 10/03/2002

> > > > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > > > David Hamm wrote:
> > > > > > > Hi,

> > > > > > > I'm looking for a firewall that supports IPSEC for VPN and OSPF.
> > > > > > > Netgear has stuff I found attractive but with no OSPF support.
> > > > > > > Moving parts (ie fans and disks), and user licensing are out.
> > > > > > > Anyone have any suggestions?

> > > > > > > Thanks.
> > > > > > > _______________________________________________
> > > > > > > Ale mailing list
> > > > > > > Ale at ale.org
> > > > > > > http://www.ale.org/mailman/listinfo/ale

> > > > > > Look at building it yourself using Slackware, Bob Toxen's second
> > > > > > edition of his book, and an Epia based fanless supersmall machine
> > > > > > with dual builtin NICs.  His book has drop in iptables rules that
> > > > > > are excellent. Once you get that far then going thru the IPSEC
> > > > > > Howto is not too difficult.  Just involves a kernel module compile
> > > > > > and insertion.



> > > > > > Links:
> > > > > > http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3
> > > > > > http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
> > > > > > http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html
> > > > > > (this is one idea)
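The mechanism the thread argues about, as an added example that is not part of any message in this thread: a small Python model of a masquerading firewall that keeps a connection table, discards any inbound SYN no internal host asked for, and forwards other inbound packets only when they match a table entry. The `track_windows` switch adds the check that a bare address-and-port lookup lacks: inbound segments must also carry sequence and acknowledgement numbers consistent with the conversation so far, which is what real connection trackers such as Linux netfilter's TCP conntrack enforce and what separates an "ACK matching" box from a stateful firewall. All addresses (RFC 5737 documentation ranges), ports and sequence numbers are constructed sample values; `MasqueradingFirewall`, `Packet`, `Entry` and `run_scenario` are names chosen for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "198.51.100.1"      # constructed: the firewall's outside address
INTERNAL_PREFIX = "192.168.1."  # constructed: the masqueraded LAN
WINDOW = 65535                  # largest seq/ack gap a tracked connection accepts


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack_no: int = 0
    syn: bool = False
    ack: bool = False
    payload_len: int = 0


@dataclass
class Entry:
    internal: str
    internal_port: int
    remote: str
    remote_port: int
    nat_port: int
    # Next byte each side is expected to send; consulted only with window tracking.
    internal_next_seq: int = 0
    remote_next_seq: Optional[int] = None


class MasqueradingFirewall:
    """track_windows=False is the bare table lookup described in the thread;
    track_windows=True also requires inbound sequence/ack numbers to fit the
    conversation, as real connection trackers do."""

    def __init__(self, track_windows: bool) -> None:
        self.track_windows = track_windows
        self.outbound: Dict[Tuple[str, int, str, int], Entry] = {}  # internal 4-tuple
        self.inbound: Dict[Tuple[str, int, int], Entry] = {}        # remote ip, remote port, nat port
        self.next_nat_port = 61000

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet to emit, or None if it is dropped."""
        if pkt.src.startswith(INTERNAL_PREFIX):
            return self._outbound(pkt)
        if pkt.dst == PUBLIC_IP:
            return self._inbound(pkt)
        return None  # neither from the LAN nor addressed to us

    def _outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.outbound.get(key)
        if entry is None:
            if not pkt.syn:
                return None  # only a SYN from inside may open a connection
            entry = Entry(pkt.src, pkt.sport, pkt.dst, pkt.dport, self.next_nat_port)
            self.next_nat_port += 1
            self.outbound[key] = entry
            self.inbound[(pkt.dst, pkt.dport, entry.nat_port)] = entry
        entry.internal_next_seq = pkt.seq + pkt.payload_len + (1 if pkt.syn else 0)
        # Masquerade: the remote side sees only the firewall's public address.
        return Packet(PUBLIC_IP, entry.nat_port, pkt.dst, pkt.dport,
                      pkt.seq, pkt.ack_no, pkt.syn, pkt.ack, pkt.payload_len)

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.inbound.get((pkt.src, pkt.sport, pkt.dport))
        if entry is None or (pkt.syn and not pkt.ack):
            return None  # unsolicited SYN, or a probe at a port nobody opened
        if self.track_windows and not self._in_window(entry, pkt):
            return None  # right addresses and ports, wrong conversation
        entry.remote_next_seq = pkt.seq + pkt.payload_len + (1 if pkt.syn else 0)
        return Packet(pkt.src, pkt.sport, entry.internal, entry.internal_port,
                      pkt.seq, pkt.ack_no, pkt.syn, pkt.ack, pkt.payload_len)

    @staticmethod
    def _in_window(entry: Entry, pkt: Packet) -> bool:
        if abs(pkt.ack_no - entry.internal_next_seq) > WINDOW:
            return False  # does not acknowledge what the inside host actually sent
        if entry.remote_next_seq is None:
            return True   # first reply: nothing to compare its seq against yet
        return abs(pkt.seq - entry.remote_next_seq) <= WINDOW


def run_scenario(track_windows: bool) -> Dict[str, bool]:
    """Constructed traffic: an outbound web connection, an inbound probe, the
    legitimate SYN/ACK reply, and a segment that matches the table entry by
    address and port but carries sequence numbers unrelated to the conversation."""
    fw = MasqueradingFirewall(track_windows)
    client, server = "192.168.1.10", "203.0.113.5"
    out = fw.forward(Packet(client, 40000, server, 80, seq=1000, syn=True))
    probe_dropped = fw.forward(Packet("203.0.113.99", 4444, PUBLIC_IP, 22, seq=5, syn=True)) is None
    reply = fw.forward(Packet(server, 80, PUBLIC_IP, out.sport, seq=7000, ack_no=1001, syn=True, ack=True))
    stray = fw.forward(Packet(server, 80, PUBLIC_IP, out.sport, seq=900000, ack_no=424242, ack=True, payload_len=10))
    return {
        "outbound_syn_masqueraded": out.src == PUBLIC_IP,
        "inbound_probe_dropped": probe_dropped,
        "reply_reaches_client": reply is not None and reply.dst == client,
        "stray_segment_forwarded": stray is not None,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("window tracking" if mode else "table lookup only", run_scenario(mode))
```

Both modes masquerade the outbound SYN, drop the unsolicited inbound SYN and deliver the genuine SYN/ACK, which is the behaviour David describes. They differ only on the last packet: the lookup-only box forwards it because the addresses and ports match its table, while the window-tracking box drops it because the acknowledgement number does not fit anything the inside host sent. That difference is the point of Bob's objection, and it is a property of how much state the device keeps, not of its price.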


