[AccessD] OT: Firewall

pctech at mybellybutton.com pctech at mybellybutton.com
Mon Oct 10 14:40:01 CDT 2005


John Colby <jwcolby at colbyconsulting.com> wrote on 10/10/2005, 09:17:16
PM:
> PCTech,
> 
> First let me say that signatures are a good thing.  We know what you like to
> be called and can address you that way.
> 
> Second, I understand the "dedicated firewall" mentality, but for Joe Average
> (me!) it is a non starter.  The effort involved in learning enough just to
> get Linux installed is enough to kill the concept.  I have done that much
> and all by itself it was enough to give me pause.  Believe me, I read about
> such things and wish... But it ain't happening.  What is simple to a
> "computer network engineer" is pretty much Greek to me.
> 
> And finally, what you are discussing is what high-end routers with REAL SPI
> etc. firewalls built in are all about, are they not?  It is my understanding
> that they are exactly that: real processors, running Linux, implementing a
> firewall.  No hard disk to fail, no video to deal with, turns back on after
> a power failure, instant on, etc.  I would be much more likely to go do that
> than spend the time and effort building a Linux box to implement a firewall.
> Even here, the difference between the $50 I actually spent and the $200 I
> would need to spend for the real McCoy prevented that.
> 
> The simple router / NAT / firewall combination by itself pretty much
> prevents the external probing kind of stuff (unless you have port mapping /
> run a web server etc), and then the AV and software firewall picks up the
> pieces not handled.  I have run this combination since going broadband about
> 4 years ago and have never had an infection, so I guess I have to say that
> is "good enough".
> 
> I hate it when people rain on my parade, but I have considered this idea
> several times in the past and just said no way it was going to really
> happen.  OTOH, if you put together a "put in this CD, reboot and you will
> have a hardware firewall" kind of package, I might be persuaded to try it.
> 
> John W. Colby
> www.ColbyConsulting.com 
> 
> Contribute your unused CPU cycles to a good cause:
> http://folding.stanford.edu/
> 
> Not to sound biased, but there are better no-cost/low-cost options out there
> if you have a spare PC lying around.
> 
> Being a computer network engineer, part of my job is providing solutions for
> my employer with regards to "all things network".  A document I recently
> completed, and I consider at draft 1 stage, is a document on how to build a
> Linux based firewall from bare metal on up.
> 
> It doesn't discuss the rule sets themselves, but the rule set configurations
> are discussed in the documentation for the application used to create them.
> 
> Aside from a few initial setup tasks, the majority of the firewall
> configuration is done via a web interface and a GUI interface.
> 
> This documentation also covers the installation of a transparent proxy and a
> content filtering system.
> 
> Any firewall run on top of Windows suffers from all of the inherent attacks
> against the host OS.  Which is why I run a dedicated machine, even at home,
> for my firewall, and it's not running Windows.
> -- 
> AccessD mailing list
> AccessD at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com
> 

Let me correct a couple of misconceptions.  The first one is that the
document I created is designed for a non-engineer to begin with.  It is
designed for "joe user".  It has step-by-step instructions, including
screen shots.  The second is that "real" firewalls don't have hard
drives.  In fact, a large percentage of "real firewalls" are PC based
and do have hard drives in them.  For instance, the Nokia firewalls are
exactly a PC with a hard drive.  There are, however, also firmware-based
firewalls.  It is trivial to build a firmware-based Linux
firewall as well.  The third is that the PC will not turn back on after
a power failure.  Most of the modern BIOSes in PCs have a "resume on
power failure" option in them for just that occurrence.  It restarts the
PC, providing it was on to begin with, in the event of a power failure.
The fourth is that you have some sort of video to deal with.  Linux
itself is designed to operate in a headless mode.  This means that it
will operate just fine without a keyboard, mouse, and monitor attached
to it and can be administered remotely.  It works like this "out of the
box".  The fifth is that you need some heavy hardware to run your
firewall.  Even my home firewall is EXTREME overkill.  It is a Pentium
III 933MHz with 512M of RAM and a 20GB hard drive.  That system can
process enough traffic to saturate a T3 line.  A Linux firewall will
run just fine on a Pentium or Pentium II platform.

The thing you seem to forget is that ANY firewall is only as secure as
the operating system it is run on.  By and large, any Unix or variant
is more secure than any Windows platform out of the box.  Take into
account, also, that Linux is much easier to secure than Windows is.
Add to that that you do not need to reboot Linux when doing any sort of
OS update, with the exception of the kernel itself.  It becomes a "no
brainer".

Don't get me wrong.  I like Windows and am an MCSE.  However, everything
has its place.  Firewalls are no place for Windows.

My document explains, in great detail (over 100 pages including screen
shots), how to build a Linux firewall.  With the exception of some
of the initial build steps, it is 100% administered via a web interface
and a graphical interface remotely.  This document also gives
instructions on adding a transparent web cache/proxy and content
filtering system to it, specifically with home users with children in
mind.  One of the things I will be adding to the document in the
next revision is antivirus capabilities in the content filter.

With the firewall I built, and have in place, I have never had a virus
either, and I don't even use anti-virus software.  That is due
partially to the firewall, and partially in the manner in which I
practice "safe computing".

If you want to continue using your Windows based firewall, I say go for
it.  But never think that it is the best solution and always remember,
the manner in which the Titanic was built was "good enough".
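As an added example, and not part of the original post or of pctech's document (which leaves the rule sets to the firewall application's own documentation): a minimal stateful NAT rule set for the kind of two-interface, headless Linux firewall discussed above, written as iptables commands. The interface names (eth0 toward the ISP, eth1 toward the LAN), the LAN subnet 192.168.1.0/24 and the choice of SSH for remote administration are assumptions. The script prints the rules by default and applies them only when invoked as root with --apply, so the rule set can be reviewed before it touches the box.

```shell
#!/bin/sh
# Added example: stateful NAT firewall for a headless two-NIC Linux box.
# Assumptions (not from the original post): eth0 faces the ISP, eth1 faces
# the LAN 192.168.1.0/24, and the box is administered over SSH from the LAN.
set -eu

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Emit the iptables commands instead of running them, so the rule set can be
# reviewed (or diffed against the previous version) before it is applied.
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -X
# Default deny on everything arriving at or crossing the box.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, and replies to connections the state table already knows about.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection are dropped, not inspected further.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# Anti-spoofing: nothing claiming a LAN source may arrive on the WAN side.
iptables -A INPUT -i $WAN -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP
# Remote administration (SSH) is reachable only from the LAN, never the WAN.
iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# LAN hosts may open connections outward; the FORWARD policy blocks the reverse.
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
# Log (rate limited) what the default policies are about to drop.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
EOF
}

# Count rules that accept NEW connections arriving on the WAN interface.  A
# default-deny rule set for a box with no published services has none, which
# is the property worth checking before every apply.
wan_new_accepts() {
    fw_rules | grep -c -- "-i $WAN .*--state NEW.*-j ACCEPT" || true
}

case "${1:-}" in
    --apply)
        # The kernel must forward packets for the FORWARD chain to matter at all.
        echo 1 > /proc/sys/net/ipv4/ip_forward
        fw_rules | grep -v '^#' | sh -e
        ;;
    *)
        fw_rules
        ;;
esac
```

Run it without arguments to see the rule set; `sh fw.sh --apply` as root installs it. The check in wan_new_accepts is the one to keep when adding port mappings later: every ACCEPT of a NEW connection on the WAN side is a deliberate exposure and should be listed, not discovered.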


