Is the outside interface still open to SSH connections?  If so & it's
compromised, Linux is a full blown operating system that, when compromised,
can have ANY program designed for Linux installed.  Can you imagine
something like a packet analyzer grabbing all your passwords and sending
them out over the net to someone else?  Ewww.  That's my #1 reason for going
with something like a PIX.  Just make sure your IDS is set to notify even
in the event of a SUCCESSFUL connection.  I've seen people who set it up for
unsuccessful attempts only.

I hope that guy wasn't fired BECAUSE he recommended the Cisco solution.
That's totally a matter of point of view on that decision & his wasn't
wrong..neither was the Linux choice.  Some situations call for one while
others call for the other.

Oh and keep a copy of the correctly configured drive with all settings on
hand.  A hard drive is much more prone to failure than RAM/ROM just due to
the moving parts involved.

Allen
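Allen's point about alerting on successful connections, not only failed ones, as an added example that is not part of the original thread: a small Python checker over constructed sshd log lines (the hostnames, addresses and the trusted network are assumptions) that flags any accepted login from outside the admin network, and shows that a failure-count rule alone would stay silent.

```python
import ipaddress
import re

# Constructed sample sshd log lines (not from the original thread).
SAMPLE_AUTH_LOG = """\
Mar 25 14:59:01 fw sshd[2211]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 25 14:59:04 fw sshd[2211]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 25 15:01:12 fw sshd[2230]: Accepted publickey for admin from 192.168.1.10 port 50211 ssh2
Mar 25 15:03:40 fw sshd[2251]: Accepted password for root from 198.51.100.7 port 40131 ssh2
"""

# Networks an admin is expected to SSH from (assumed; adjust to your site).
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_sshd_events(text):
    """Extract login attempts (result, auth method, user, source) from sshd lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["src"] = ipaddress.ip_address(d["src"])
            events.append(d)
    return events


def alerts(events, trusted_nets=TRUSTED_NETS, fail_threshold=3):
    """Return alert strings.  A successful login from outside the trusted
    networks always alerts, no matter how few failures preceded it."""
    out = []
    failures = {}
    for e in events:
        if e["result"] == "Accepted":
            if not any(e["src"] in net for net in trusted_nets):
                out.append(f"SUCCESSFUL login {e['user']} from {e['src']} ({e['method']})")
        else:
            failures[e["src"]] = failures.get(e["src"], 0) + 1
            if failures[e["src"]] == fail_threshold:
                out.append(f"{fail_threshold} failed logins from {e['src']}")
    return out


if __name__ == "__main__":
    for a in alerts(parse_sshd_events(SAMPLE_AUTH_LOG)):
        print(a)
```

With the default threshold the two failures never trigger, so a failures-only IDS would report nothing even though the last line is a password login as root from an untrusted address.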
----- Original Message -----
From: "Sean Young" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Sunday, March 25, 2001 3:05 PM
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco PIX
525


> Ken,
> Thank you very much for the advice.  This past Friday, my company
> decided to use Linux as our company Firewall.  Furthermore, we've decided
> that this Firewall will be running kernel 2.4.2 with only two services
> running on it, SSH and netfilter (aka iptables).  I've tested kernel
> 2.4.2 in the lab and noticed it performs better than kernel 2.2.x.  I've
> also performed various intrusion detection tests on the box using
> Cisco NetSonar, Cybercop, ISS, Axent Netrecon but was unable to break
> it.  The linux box is rock-solid.  I am also running portsentry (IDS)
> on the Firewall itself.
>
> Also, we decided to run our squid proxy server on another linux box
> to provide transparent caching for our internal users.  As far as VPN is
> concerned, we are going to implement FreeS/WAN on another box.  I think
> in the long run, it is going to save the company a lot of money.  We
> ended up not buying the PIX and web-caching engine from Cisco.  Oh, the
> networking guy in our group who recommended Cisco PIX and Cisco web-
> caching engine as a solution has been fired.  Go figure.
>
> Regards,
> Sean
> P.S.  Priscilla, why not implement TRANSPARENT caching by using squid
> to speed up internet connection for your users?  Squid is free and very
> secure and easy to use.
>
> >From: [EMAIL PROTECTED]
> >Reply-To: [EMAIL PROTECTED]
> >To: [EMAIL PROTECTED], "Stuart Brockwell" <[EMAIL PROTECTED]>
> >Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
> >PIX 525
> >Date: Sat, 24 Mar 2001 20:02:26 -0800
> >
> >Sean,
> >
> >Comments embedded:
> >
> >On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:
> >
> > > Hi Sean,
> > > I am a Linux head myself, and one of our firewalls is in fact running
> > > on a Linux box.  The only problem with this type of firewall is that
> > > you inherit all of the known bugs that the software has.  Given that
> > > the source code to Linux is widely available, you have a lot of very
> > > talented people out there who know these holes and are able to exploit
> > > them very easily.
> >
> >It also means that there are a lot of talented people who are looking
> >at the code to make sure that any holes are patched.  In fact, when
> >new exploits are found, Linux is usually the fastest platform to have
> >a patch available.  Compare this to having to wait weeks for vendor
> >patches or having to prove to a vendor that a problem exists.
> >
> >Also, a service can only be exploited if it is running.  A properly
> >configured firewall doesn't run unnecessary services, which makes it
> >very difficult to exploit.  Essentially, it would come down to trying to
> >DoS it or running a password guessing program against it to get
> >remote access.
> >
> >
> > > If you
> > > maintain your own Linux firewall, you will need to continuously look
> > > for the latest bug fixes to install on your Linux box to address the
> > > latest round of holes that have been released.
> >
> >If the Linux firewall is properly setup, the only services running on it
> >are ipchains and SSH.  This means that you have to be aware of 2
> >services.  While there could always be a local exploit, if only
> >trusted admins have access, the trouble with keeping up patches
> >is minimal.  It is certainly no more trouble than keeping up with
> >bugs on a vendor platform.
> >
> > >
> > > Cisco and companies such as Watch Guard closely guard their source
> > > code, often you can elect to take on a maintenance contract with the
> > > firewall where you receive all the latest fixes for a 12 month period
> > > (this is what we did).  As this is their bread and butter, they spend
> > > a lot of time looking for holes and fixes to known bugs.
> > >
> >
> >While true, this doesn't mean that their code will have fewer bugs
> >or that the bugs will be patched quicker.  There is a very large
> >support community for Linux that is very technical.  Most bugs are
> >patched in a matter of days, sometimes hours.
> >
> >
> > > the main plus for each of
> > > the commercial packages is that there is a large support base, whereas
> > > skilled Linux admin staff who can lock down a firewall are very few
> > > and far between.
> >
> >This is simply not true.  There is a very large community of Linux
> >developers and admins, and most of them are very knowledgeable.
> >There are good mailing lists and _plenty_ of good Linux
> >security/firewall books, articles, web sites, etc. available.
> >
> >Locking down a Linux box is not rocket science.  That is FUD that
> >is propagated by vendors who want to sell product.  It's not hard to
> >configure a Linux box to be secure, the difficulty comes in running
> >lots of services and providing access to users.  If you have a box
> >that runs web, ftp, smtp, nfs, etc., then it becomes much harder to
> >secure, but none of these services should be running on a firewall.
> >
> >The bottom line is that there are several good commercial firewalls,
> >but that doesn't mean that a Linux box cannot serve as a good, low-
> >end alternative.  Especially if cost is one of the main decision
> >factors.
> >
> >-Kent

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
