[2086] in linux-security and linux-alert archive


[linux-security] Re: compare / contrast of linux fw and

daemon@ATHENA.MIT.EDU (Jeremy Heffner)
Wed Nov 4 09:12:00 1998

To: "Matthew S. Crocker" <matthew@crocker.com>
cc: Bringman <rob@trion.com>, linux-security@redhat.com
In-reply-to: Your message of "Wed, 28 Oct 1998 08:05:16 EST."
             <Pine.LNX.3.95.981028080106.17173A-100000@rmc1.crocker.com> 
Date: Wed, 04 Nov 1998 02:24:52 -0600
From: Jeremy Heffner <heffner@darkness.net>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

In message <Pine.LNX.3.95.981028080106.17173A-100000@rmc1.crocker.com> "Matthew S. Crocker" mumbled
>> I am the Firewall-1 administrator where I work and it has a very nice
>> GUI tool for defining objects (can be hosts, networks, DNS domains,
>> groups of hosts, etc.) and a straightforward way of building a
>> rulebase.
>
>Doesn't Firewall-1 do VPN? Virus scanning (optional), HTTP scanning
>(virus/content optional), QoS.

the HTTP/virus scanning is generally not done by FW1 directly, it's done by 
other servers via the <fill in standard proto I forget here> protocol...

>Can you do VPN with your Linux solution?  I love Linux and have set up
>several Linux firewalls.  I have only played with Firewall-1 for a bit, and
>the GUI is the only thing I can think of which makes it a better
>'corporate' solution.

the problem with the GUI is that it also hides stuff it's sometimes 
doing... which is a security problem.. makes some assumptions about what 
should be running.. but hey, it runs a hell of a lot better than the NAI 
Gauntlet GUI (NAI owns TIS now).. 'course, FW1 has a really sick and 
twisted licensing scheme.. really harsh and expensive for managing more 
than one at a time..

As for VPN.. IPsec for Linux.. along with ipip and friends.. FW1 only does 
server-to-server VPNs reasonably, and generally needs other pieces (more 
$$) to do client -> server type stuff.. like Entrust..

you could also be really nutty and do the PPP over SSH stuff...

and we won't get into the part about being able to audit the code looking 
for backdoors (PLEASE PLEASE don't start a thread on this one.. been done 
many times before..)

and also the proxy/stateful inspection/packet filters.. choose which one 
you like, don't start a thread.. been said many times over.. (see the other 
firewall lists for more discussion on this and the previous topic..)

so, in short.. oftentimes, yes, a Linux box is more than enough 
protection.. as long as you have the expertise to be able to do it.. 
(personal opinion - if you don't, you shouldn't be running a firewall 
anyway.. *shrug*)

the other really nice part about a Linux-based solution is that it's 
easily extensible if you're willing to write/modify code, instead of 
begging and pleading with vendors...

(yes, I've been dealing with vendors too much recently..)

-jeremy (yeah, yeah, I'm a CCSA/CCSE (Check Point cert cruft..))
---------------------------------------------------------------------------
                  Jeremy Heffner -- heffner@darkness.net
                       Darkness Network Engineering
                   PGP public key available on request
            My thoughts and opinions represent no one but myself
---------------------------------------------------------------------------

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

