[499] in linux-security and linux-alert archive


Re: Linux/freeBSD & Firewalls for a Newbw :-) (fwd)

daemon@ATHENA.MIT.EDU (R. M. DuFresne)
Sun Dec 3 23:34:47 1995

Date: Sun, 3 Dec 1995 22:06:46 -0600 (CST)
From: "R. M. DuFresne" <dufresne@darkstar.sysinfo.com>
To: linux-security@tarsier.cv.nrao.edu

Folks may be interested in the forwarded message found below.  I'm 
interested in any comments people may have concerning this.

Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	admin & senior consultant:  darkstar.sysinfo.com
		  http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

[Mod: Please direct all replies to the poster (not to the list).  I'm
forwarding it on for general reactions, but I do *not* want to start an
advocacy thread here.  --Jeff.]

---------- Forwarded message ----------
Date: Mon, 4 Dec 1995 12:28:04 +1030 (CST)
From: Mark Newton <newton@communica.com.au>
To: Arman Ali Anwar <aanwar@iiu.my>
Cc: firewalls@GreatCircle.COM
Subject: Re: Linux/freeBSD & Firewalls for a Newbw :-)

[ I know I'm going to get flamed for this, because Linux weenies are
  even more virulent than Amiga weenies used to be, but I can't let
  this pass. ]

Arman Ali Anwar wrote:
 
 > 4) How does Linux measure up against freebsd or bsdi ... I happen to love 
 > LINUX but fear it was designed with speed in mind and not security ...

Not quite -- It was designed with fun in mind, and the quantities of
speed and security that it offers are largely side effects.

I support a number of Linux systems professionally.  As such, I have a 
number of observations which might be useful to you.

In my professional opinion, people who use a UNIX system as a firewall
generally either don't understand firewalls very well or don't have
security at the forefront of their mind when evaluating their requirements.

[ the following paragraph contains generalities which apply to what would
  seem to be a "large" number of Linux advocates.  If anyone emails me to
  say that they've taken it personally, or that Linux users aren't really 
  at all like my portrayal below because *they*, personally, are not like that
  I will laugh until I die.  Thank you for your cooperation. ]

Linux "firewalls" are a particular case in point, because a disproportionate
number of the people who use them suffer from BOTH of the traits listed
above.  The average Linux user is a UNIX newbie who sometimes even lacks
the skills necessary to tighten down a normal UNIX system, let alone a
firewall.  Additionally, *cost* is usually the main factor which steers
someone into using Linux as a firewall ("Hey!  We have a $75 386SX-25
motherboard; we can put some cheap memory, cheap disk and a cheap
ethernet card on it and build ourselves a $500 firewall, instead of
buying two Ciscos and a bastion host! Q00l, eh?").

The end result of this is a network which is "firewalled" (spit!) behind
a Linux box with some packet filters.  By necessity, the Linux box runs
*actual net-accessible services* (heaven forbid!), which means that the
filters need gaps -- Hence, the machine is at risk of being compromised
next time, say, a new sendmail/smail bug which allows any user on the
Internet to break root is uncovered (in which case a small shell script
could, say, remove all the "firewalling" IP filters before allowing the
attacker in through any port he wanted).  Thus, whilst the sysadmin 
thinks his network is nicely hidden behind his packet-filtering Linux
machine, he's really only buying himself a small amount of protection
over and above what he'd have with a completely unfirewalled network.

The Linux scheduler and VM system is also pathetic enough to make you
not want to run services on the machine anyway, even though you essentially
have no choice.  When a Linux machine runs a CPU- and IO-intensive
application (such as, for example, INN), it gets so stupidly bogged
down in paging that it can't route packets!  I've seen many centrally-
located (network-wise) Linux machines get to the point where running
INN's "expire" program almost completely locks out networking until the
expire run has finished.  The only solutions to this problem are to
either rewrite the scheduler or install massive amounts of memory to
make sure that the system doesn't get into heavy paging (meaning that
at least 32Mb, but more usefully 48Mb or 64Mb of RAM is needed on a
machine which does nothing but run sendmail, INN and a nameserver).  On
just about any other operating system I can think of, 16Mb is more than
adequate for that role.

The bottom line is that Linux has not been designed as a firewall -- It
has been designed as an OS that gets run on a single-user workstation 
(NOT! a server, no matter how many glowing stories Linux advocates tell
you about its performance -- Linus Torvalds himself admits that the
Linux kernel's scheduler does not perform well under load).  As an OS
that runs on a single user workstation, it delivers quite phenomenal
performance, and I would recommend it to anyone in that role.  However,
it is not now, nor will it ever be, a firewall.

Normally a firewall evaluation involves comparing how the firewall 
stacks up above alternatives in terms of security, performance and cost.
If you're using Linux as a firewall, you're more or less telling the
world that you simply don't give a damn about the first two of those
criteria.

    - mark

---
Mark Newton                               Email: newton@communica.com.au
Systems Engineer                          Phone: +61-8-373-2523
Communica Systems                         WWW:   http://www.communica.com.au
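The risk Mark describes above (a filtering host that also runs net-accessible services must leave gaps in its filters, and a root compromise can silently remove the filters altogether) can be made concrete with a small audit. The following is an added example, not code from either poster: it models a packet-filter ruleset with first-match semantics, lists which local services are reachable from the Internet through the filter, and compares the live ruleset against a stored fingerprint so that a flushed or altered ruleset is detected. The rule and listener formats, the `internal-net` / `internet` source labels, and the sample services are constructed for the example and do not correspond to any real tool's syntax.

```python
"""Audit a packet filter on a host that also runs services.

Added example (not from the mailing-list post). The rule model, the
source labels and the sample services below are all constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

INTERNET = "internet"   # constructed label for packets arriving from outside


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    proto: str             # "tcp" or "udp"
    dport: Optional[int]   # None matches any destination port
    src: str               # "any" or a source label such as "internal-net"


@dataclass(frozen=True)
class Listener:
    name: str              # the daemon bound to this port
    proto: str
    port: int


def matches(rule, proto, dport, src):
    return (rule.proto == proto
            and (rule.dport is None or rule.dport == dport)
            and (rule.src == "any" or rule.src == src))


def decide(rules, proto, dport, src, default):
    """First-match evaluation; `default` applies when no rule matches."""
    for rule in rules:
        if matches(rule, proto, dport, src):
            return rule.action
    return default


def ruleset_fingerprint(rules):
    """SHA-256 over a canonical text form of the ruleset, stored as a baseline."""
    canonical = "\n".join(f"{r.action} {r.proto} {r.dport} {r.src}" for r in rules)
    return hashlib.sha256(canonical.encode()).hexdigest()


def exposed_services(rules, listeners, default):
    """Names of local services reachable from the Internet through the filter."""
    return sorted(svc.name for svc in listeners
                  if decide(rules, svc.proto, svc.port, INTERNET, default) == "accept")


def audit(rules, listeners, baseline_fp, default="drop"):
    """Report whether the ruleset changed and which services the gaps expose."""
    return {
        "tampered": ruleset_fingerprint(rules) != baseline_fp,
        "exposed": exposed_services(rules, listeners, default),
    }


# Constructed sample: a filtering host that also runs mail, DNS and news,
# the combination the post warns about.
RULES = [
    Rule("accept", "tcp", 25, "any"),            # sendmail must accept mail from anywhere
    Rule("accept", "udp", 53, "any"),            # nameserver answers the world
    Rule("accept", "tcp", 119, "internal-net"),  # INN reachable only from inside
    Rule("drop", "tcp", None, "any"),
    Rule("drop", "udp", None, "any"),
]
LISTENERS = [
    Listener("sendmail", "tcp", 25),
    Listener("named", "udp", 53),
    Listener("innd", "tcp", 119),
    Listener("telnetd", "tcp", 23),
]
BASELINE = ruleset_fingerprint(RULES)

if __name__ == "__main__":
    # Intact filter: only the services the gaps were opened for are exposed.
    print(audit(RULES, LISTENERS, BASELINE))
    # After a root compromise that flushes the filters, the default policy
    # decides everything; model that as an empty ruleset with default accept.
    print(audit([], LISTENERS, BASELINE, default="accept"))
```

The first audit reports the deliberate gaps (mail and DNS) and no tampering; the second, run after the ruleset has been emptied, reports tampering and every listener (including the news and telnet daemons that the filter was supposed to hide) exposed. A baseline fingerprint is only useful if it is stored somewhere the compromised host cannot rewrite, which is the same reason the post argues for keeping services off the filtering host in the first place.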
