Firewall Wizards: Re: Open Source Personal Firewall?

[Charles Swiger <cswiger () mac com>]

On Dec 13, 2003, at 8:36 PM, Breno Jacinto wrote:
> * Charles Swiger (cswiger () mac com) wrote:
> > Are you looking for an appliance, or are you looking to install OSS
> > software onto an existing machine (presumably commodity Intel
> > hardware)?  If the latter, you could start with OpenBSD or a hardened
> > flavor of Linux (Bastille?), or PicoBSD (look up Luigi Rizzo, the
> > author of IPFW).
>   Just to avoid confusion: I refer to personal firewalls to softwares
>   like Zonealarm. It's limited (simple packet filtering) compared to 
> real ones (openbsd, linux etc), but supposedly more usable.
Per-client "personal firewalls" can encounter a class of usability 
problems which are not present in external firewalls, when the things 
break software running locally, for example, but that type of problem 
isn't extremely common.
>   I was looking for an OSS equivalent of Zonealarm, BlackICE and the
>   like. I know many 'real' firewalls - in-kernel, customized OSes  -
>   which are OSS, like the ones you mentioned. But they're not 'usable' 
> without
>   an expert (or maybe NO firewall can be of good use without an expert
>   setting it up). The trade-off between usability and security is 
> cruel.
[ ... ]
>   Thats why PF can come handy. Like a 'minimum' security for the
>   everyday user. Well, considering the user knows what he is doing...
A number of operating system vendors are shipping "personal firewall" 
capabilities integrated with their latest OS release: Microsoft has 
their Internet Connection Sharing, there's the Control Panel applet 
managing IPFW in Apple's MacOS X 10.3 (Panther), and there's no need to 
go over the capabilities of Linux and the BSD's from which such 
firewall technologies originated.
I would argue that the latter is reasonably intuitive, at least, and 
it's options correspond to the list of services one can enable 
elsewhere, so that if one enables secure login, the firewall config has 
a checkbox marked "Remote Login - SSH (22)", under the covers IPFW gets 
invoked with:
[ ...loopback anti-spoofing rules trimmed... ]
allow tcp from any to any out
allow tcp from any to any established
allow tcp from any to any 22 in
deny tcp from any to any

This isn't much different than other systems which construct a firewall 
ruleset-- there are some websites which will generate such rules based 
on an HTML form one fills out, but it does the job.
> > 1: And it's been the latter which has tended to result in bugs with
> > most firewalls, another example of the classic tradeoff between
> > ease-of-use and security...
>   Yes, and the question remains: If we need an expert to set up a
>   'Personal Firewall', cause otherwise the user will not be alble to 
> set
>   a decent policy, is there any reason why not use a cheap machine in
>   front of the PCs running OpenBSD/Linux doing NAT (..)  rather than a
>   Software (Zonealarm) running in the host itself?
There are certainly advantages to using a seperate firewall device 
instead of a per-client local firewall.  First and foremost is that a 
firewall device won't be running client user applications or initiating 
and responding to network connections, and taking action on such data 
such as running software downloaded from the network, knowingly or 
otherwise (malware).
I was going to say something about trying to come up with a sensible 
network security policy that doesn't need an expert to understand, but 
I'm being distracted by a rather impressive snowfall happening outside 
my windows at the moment...  :-)
--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards