RE: IPTables Based Firewall Testing
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 18 Dec 2003 11:26:37 -0800
Well said, I tip my hat to you.
In your setup you've introduced more systems handling specific
functions that a good firewall appliance would do in one box. Now that's
not a problem if you can allocate the manpower and expertise to
maintain, monitor and update those systems, constantly. In addition you
can take into account the space used up by the additional equipment,
maintenance contracts on the additional hardware, cooling costs and
power usage and additional network load from the supplementary
equipment. If we compare that to a Checkpoint solution your ROI could
easily be lower.
Now there are a plethora of tools out there that make managing a
*NIX firewall and proxy solutions loads easier but the same can be said
for the appliance solution. I personally think handling a netfilter
firewall is far easier than handling a PIX but I'm sure our Cisco guys
on the list could argue the other way. I tend to think of an IPTables
firewall like what you can get on a Cisco router with the PLUS/FW/IDS
IOS trains and I think they would be pretty on par.
All in all I'm a K.I.S.S. man (keep it simple, stupid),
especially when it comes to security. The more complicated your solution
is, the easier for something to slip through the cracks or be
1190 Trademark Dr #107
Reno NV 89521
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338
From: Steve Bremer [mailto:steveb () nebcoinc com]
Sent: Thursday, December 18, 2003 10:28 AM
To: security-basics () securityfocus com
Cc: Shawn Jackson
Subject: RE: IPTables Based Firewall Testing
> Really an IPTables/Netfilter equipped *NIX box is not really the best
> solution for anyone really concerned about security.
I would have to respectfully disagree. It really depends on what
you're using it for. We use it in combination with application
proxies running on other hosts so that traffic has to not only go
through netfilter, but the application level proxies as well.
Netfilter is used to make sure the traffic must go through the
application proxies and as a first layer of defense against directed
attacks. I think it does a fine job at it too.
> Fw on OpenBSD still
> runs a better, more controllable firewall but Netfilter is catching
This I'm not so sure about. Both have their strengths/weaknesses.
PF is newer than netfilter, but does have some definite benefits (but
so does Netfilter). Usually, the required features dictate which one
is used where. We use it here in addition to netfilter.
> Comparing an IPTables/Netfilter firewall box against
> Checkpoint (Nokia IPSO), Cisco PIX or even a SonicWall or Watchguard
> box there is no comparison. Firewall appliances usually run an
> extremely tightened version of NetBSD or another early BSD (like)
This is another one of those gray areas, but I would generally agree
with you here. Checkpoint combines application proxies and packet
filtering into one box, so it has definite advantages over Netfilter
by itself since netfilter is a packet filter (although it does have
some extensions that enable it to peek into the application layers
just enough so it can handle some of the more "complex" protocols).
You can lock down a *BSD or Linux box pretty tight (Watchguard is
Linux based). A stripped down Openwall GNU/*/Linux box running with
an RSBAC + PaX enhanced kernel makes for a pretty tight (and slim)
box. This can also be done with OpenBSD as well (systrace + W^X +
ProPolice can be used to achieve similar results).
> Unlike *NIX, which can have many software packages installed
> with multiple vulnerabilities, appliances are extremely optimized to
> suit their task and provide smooth operations for that task while a
> general OS has to think of everything it *may* run.
I would generally agree with this too, but it depends on what the
underlying OS is that the appliance runs on. A Cisco PIX has far
less code than say an equivalent Linux or OpenBSD box/appliance.
Since less code generally = less potential vulnerabilities, this is
usually viewed as a benefit. If the appliance vendor has removed a
lot of the unneeded functionality of a general purpose OS, that
> We run a Checkpoint Firewall on the Nokia IPSO (IP330) and it's
> rock solid and extremely secure. But when you pay $80,000 bucks for a
> firewall you better be getting your money's worth.
Yes indeed! :-) $$$ and available resources are a big factor in
choosing. If you don't have the $$$, then it makes your choices a
System & Security Administrator
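The arrangement Steve describes, netfilter as the first layer whose only job is to make sure LAN traffic cannot reach the Internet except through the application proxies, as an added example that is not code from either poster. It assumes a three-legged gateway (LAN, DMZ with the proxy host, WAN); the interface names, addresses and proxy ports are placeholders.

```shell
#!/bin/sh
# Constructed example (not from the thread): netfilter on a three-legged
# gateway that forces LAN clients through an application proxy on a separate
# DMZ host. Interface names and addresses are assumed placeholders.
LAN_IF=${LAN_IF:-eth1}; DMZ_IF=${DMZ_IF:-eth2}; WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PROXY=${PROXY:-10.0.0.10}              # hypothetical proxy host in the DMZ
PROXY_PORTS=${PROXY_PORTS:-3128,8080}  # hypothetical proxy listeners
IPT=${IPT:-iptables}                   # IPT=echo turns this into a dry run

apply_rules() {
    # Default deny: anything not explicitly permitted below is dropped.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies for connections the state table already knows about.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients may only open connections to the proxy's listening ports.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$PROXY" \
        -p tcp -m multiport --dports "$PROXY_PORTS" -m state --state NEW -j ACCEPT
    # Only the proxy host may originate connections toward the Internet.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$PROXY" -m state --state NEW -j ACCEPT
    # Log (rate limited) and drop anything trying to go around the proxy;
    # the log prefix gives the monitoring side a string to alert on.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "PROXY-BYPASS: "
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
}

# Print the rules instead of loading them, without touching the caller's IPT.
dry_run() { ( IPT=echo; apply_rules ); }

case "${1:-}" in
    --apply)   apply_rules ;;
    --dry-run) dry_run ;;
esac
```

Run it with `--dry-run` first to review the generated rules; `--apply` loads them and needs root.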