Sean,

Comments embedded:

On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:

> Hi Sean,
>       I am a Linux head myself, and one of our firewalls is in fact running
> on a Linux box.  The only problem with this type of firewall is that
> you inherit all of the known bugs that the software has.  Given that
> the source code to Linux is widely available, you have a lot of very
> talented people out there who know these holes and are able to exploit
> them very easily.

It also means that there are a lot of talented people who are looking 
at the code to make sure that any holes are patched.  In fact, when 
new exploits are found, Linux is usually the fastest platform to have 
a patch available.  Compare this to having to wait weeks for vendor 
patches or having to prove to a vendor that a problem exists.

Also, a service can only be exploited if it is running.  A properly 
configured firewall doesn't run unnecessary services, which makes it 
very difficult to exploit.  Essentially, it would come down to trying to 
DoS it or running a password guessing program against it to get 
remote access.


> If you
> maintain your own Linux firewall, you will need to continuously look
> for the latest bug fixes to install on your Linux box to address the
> latest round of holes that have been released.

If the Linux firewall is properly setup, the only services running on it 
are ipchains and SSH.  This means that you have to be aware of 2 
services.  While there could always be a local exploit, if only 
trusted admins have access, the trouble with keeping up patches 
is minimal.  It is certainly no more trouble than keeping up with 
bugs on a vendor platform.

> 
> Cisco and companies such as Watch Guard closely guard their source
> code, often you can elect to take on a maintenance contract with the
> firewall where you receive all the latest fixes for a 12 month period
> (this is what we did).  As this is their bread and butter, they spend
> a lot of time looking for holes and fixes to known bugs.
> 

While true, this doesn't mean that their code will have fewer bugs 
or that the bugs will be patched quicker.  There is a very large 
support community for Linux that is very technical.  Most bugs are 
patched in a matter of days, sometimes hours.


> the main plus for each of
> the commercial packages is that there is a large support base, whereas
> skilled Linux admin staff who can lock down a firewall are very few
> and far between.

This is simply not true.  There is a very large community of Linux 
developers and admins, and most of them are very knowledgeable.  
There are good mailing lists and _plenty_ of good Linux 
security/firewall books, articles, web sites, etc. available.

Locking down a Linux box is not rocket science.  That is FUD that 
is propagated by vendors who want to sell product.  It's not hard to 
configure a Linux box to be secure; the difficulty comes in running 
lots of services and providing access to users.  If you have a box 
that runs web, ftp, smtp, nfs, etc., then it becomes much harder to 
secure, but none of these services should be running on a firewall.

The bottom line is that there are several good commercial firewalls, 
but that doesn't mean that a Linux box cannot serve as a good, low-
end alternative.  Especially if cost is one of the main decision 
factors.

-Kent
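Kent's point that a firewall should expose only the packet filter and SSH is easy to verify mechanically. The script below is an added example, not code from either poster or from the mailing list: it parses the output of `ss -ltnup` (modern iproute2; on a 2001-era box the equivalent would be `netstat -lnp`) and reports every listening socket that is not on an explicit allowlist. The sample output, the hostnames and PIDs in it, and the allowlist containing only `sshd` on tcp/22 are all constructed assumptions; ipchains itself is a kernel packet filter and never shows up as a listening socket, so it does not need an allowlist entry.

```python
"""Audit a firewall host's listening sockets against an explicit allowlist.

Added example, not from the original thread.  Assumes the column layout of
`ss -ltnup` from iproute2 and a constructed sample of that output.  The
allowlist (only sshd on tcp/22) is an assumption that matches the
"ipchains + SSH only" posture argued for in the message above.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass

# Constructed sample output of `ss -ltnup` on a hypothetical firewall host.
# sshd is expected; rpcbind and vsftpd are the kind of leftovers that
# should not be running on a firewall at all.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=412,fd=5))
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      128          [::]:22           [::]:*    users:(("sshd",pid=701,fd=4))
tcp   LISTEN 0      5          0.0.0.0:21        0.0.0.0:*    users:(("vsftpd",pid=833,fd=3))
"""

# Assumed policy: the only daemon allowed to own a listening socket is sshd.
ALLOWED = {("tcp", 22, "sshd")}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


# Pulls the first process name out of ss's users:(("name",pid=..,fd=..)) field.
_PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -ltnup` text into Listener records (header line is skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rpartition handles both "0.0.0.0:22" and "[::]:22".
        addr, _, port = local.rpartition(":")
        match = _PROCESS_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def unexpected_listeners(listeners: list[Listener],
                         allowed=ALLOWED) -> list[Listener]:
    """Every socket whose (proto, port, process) triple is not allowlisted."""
    return [l for l in listeners
            if (l.proto, l.port, l.process) not in allowed]


def audit(output: str) -> list[Listener]:
    """Parse and filter in one step; an empty result means the host is clean."""
    return unexpected_listeners(parse_ss(output))


if __name__ == "__main__":
    # Use the real socket table when ss is available, else the sample.
    if shutil.which("ss"):
        text = subprocess.run(["ss", "-ltnup"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_SS_OUTPUT
    for l in audit(text):
        print(f"UNEXPECTED {l.proto}/{l.port} {l.addr} owned by {l.process}")
```

Run as root so `ss` can attach process names, and tighten `ALLOWED` to whatever the firewall genuinely needs; each line the script prints is one service that either should be disabled or must be added to the short list of things you are committed to patching.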

  


_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html