One more thing I forgot to mention. If compromised (& it has to be from
inside, because the outside interface cannot be used to connect), all they can do
to a PIX is mess up your config or add some lines. However, with TACACS+ &
AAA authentication you can even limit what commands they can execute. If
the config is messed up, just dial in and copy the config from the TFTP
server again.
----- Original Message -----
From: "Sean Young" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Monday, March 26, 2001 2:42 PM
Subject: Re: Performance Comparison between Linux OS Firewall and Cisco PIX 525
> Allen,
> If the SSH service is not open on the outside interface, how do you expect
> to troubleshoot the problem when there is a problem with the Firewall?
> Tell me this, how can you troubleshoot a PIX remotely when there is a
> problem? My employer is certainly not going to fly me out-of-state to fix a
> minor problem. Furthermore, can you absolutely guarantee me, in writing,
> that the Cisco PIX can never be compromised? Another thing, what makes you
> think that I am also running other services besides Firewall features on
> Linux. If you read my email carefully, you also notice that I only run SSH
> and netfilter (aka iptables) on the Firewall. Your reason is based purely
> on FUD (Fear, Uncertainty and Doubt).
>
> Sean
>
>
> >From: "Allen May" <[EMAIL PROTECTED]>
> >To: "Sean Young" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> > <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> >Subject: Re: Performance Comparison between Linux OS Firewall and Cisco PIX 525
> >Date: Mon, 26 Mar 2001 14:29:34 -0600
> >
> >Is the outside interface still open to SSH connections? If so & it's
> >compromised, Linux is a full blown operating system that, when compromised,
> >can have ANY program designed for Linux installed. Can you imagine
> >something like a packet analyzer grabbing all your passwords and sending
> >them out over the net to someone else? Ewww. That's my #1 reason for going
> >with something like a PIX. Just make sure your IDS is set to notify even
> >in the event of a SUCCESSFUL connection. I've seen people who set it up for
> >unsuccessful attempts only.
> >
> >I hope that guy wasn't fired BECAUSE he recommended the Cisco solution.
> >That's totally a matter of point of view on that decision & his wasn't
> >wrong..neither was the Linux choice. Some situations call for one while
> >others call for the other.
> >
> >Oh and keep a copy of the correctly configured drive with all settings on
> >hand. A hard drive is much more prone to failure than RAM/ROM just due to
> >the moving parts involved.
> >
> >Allen
> >----- Original Message -----
> >From: "Sean Young" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> ><[EMAIL PROTECTED]>
> >Sent: Sunday, March 25, 2001 3:05 PM
> >Subject: Re: Performance Comparison between Linux OS Firewall and Cisco PIX 525
> >
> > > Ken,
> > > Thank you very much for the advice. This past Friday, my company has
> > > decided to use Linux as our company Firewall. Furthermore, we've decided
> > > that this Firewall will be running kernel 2.4.2 with only two services
> > > running on it, SSH and netfilter (aka iptables). I've tested kernel
> > > 2.4.2 in the lab and noticed it performs better than kernel 2.2.x. I've also
> > > performed various intrusion detection tests on the box using
> > > Cisco NetSonar, Cybercop, ISS, Axent Netrecon but was unable to break
> > > it. The linux box is rock-solid. I am also running portsentry (IDS)
> > > on the Firewall itself.
> > >
> > > Also, we decided to run our squid proxy server on another linux box
> > > to provide transparent caching for our internal users. As far as VPN is
> > > concerned, we are going to implement FreeS/WAN on another box. I think
> > > in the long run, it is going to save the company a lot of money. We
> > > ended up not buying the PIX and web-caching engine from Cisco. Oh, the
> > > networking guy in our group who recommended Cisco PIX and Cisco web-
> > > caching engine as a solution, he has been fired. Go figure.
> > >
> > > Regards,
> > > Sean
> > > P.S. Priscilla, why not implement TRANSPARENT caching by using squid
> > > to speed up the internet connection for your users? Squid is free and very
> > > secure and easy to use.
> > >
> > > >From: [EMAIL PROTECTED]
> > > >Reply-To: [EMAIL PROTECTED]
> > > >To: [EMAIL PROTECTED], "Stuart Brockwell" <[EMAIL PROTECTED]>
> > > >Subject: Re: Performance Comparison between Linux OS Firewall and Cisco PIX 525
> > > >Date: Sat, 24 Mar 2001 20:02:26 -0800
> > > >
> > > >Sean,
> > > >
> > > >Comments embedded:
> > > >
> > > >On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:
> > > >
> > > > > Hi Sean,
> > > > > I am a Linux head myself, and one of our firewalls is in fact running
> > > > > on a Linux box. The only problem with this type of firewall is that
> > > > > you inherit all of the known bugs that the software has. Given that
> > > > > the source code to Linux is widely available, you have a lot of very
> > > > > talented people out there who know these holes and are able to exploit
> > > > > them very easily.
> > > >
> > > >It also means that there are a lot of talented people who are looking
> > > >at the code to make sure that any holes are patched. In fact, when
> > > >new exploits are found, Linux is usually the fastest platform to have
> > > >a patch available. Compare this to having to wait weeks for vendor
> > > >patches or having to prove to a vendor that a problem exists.
> > > >
> > > >Also, a service can only be exploited if it is running. A properly
> > > >configured firewall doesn't run unnecessary services, which makes it
> > > >very difficult to exploit. Essentially, it would come down to trying to
> > > >DoS it or running a password guessing program against it to get
> > > >remote access.
> > > >
> > > >
> > > > > If you
> > > > > maintain your own Linux firewall, you will need to continuously look
> > > > > for the latest bug fixes to install on your Linux box to address the
> > > > > latest round of holes that have been released.
> > > >
> > > >If the Linux firewall is properly set up, the only services running on it
> > > >are ipchains and SSH. This means that you have to be aware of 2
> > > >services. While there could always be a local exploit, if only
> > > >trusted admins have access, the trouble with keeping up patches
> > > >is minimal. It is certainly no more trouble than keeping up with
> > > >bugs on a vendor platform.
> > > >
> > > > >
> > > > > Cisco and companies such as Watch Guard closely guard their source
> > > > > code, often you can elect to take on a maintenance contract with the
> > > > > firewall where you receive all the latest fixes for a 12 month period
> > > > > (this is what we did). As this is their bread and butter, they spend
> > > > > a lot of time looking for holes and fixes to known bugs.
> > > > >
> > > >
> > > >While true, this doesn't mean that their code will have fewer bugs
> > > >or that the bugs will be patched quicker. There is a very large
> > > >support community for Linux that is very technical. Most bugs are
> > > >patched in a matter of days, sometimes hours.
> > > >
> > > >
> > > > > the main plus for each of
> > > > > the commercial packages is that there is a large support base, whereas
> > > > > skilled Linux admin staff who can lock down a firewall are very few
> > > > > and far between.
> > > >
> > > >This is simply not true. There is a very large community of Linux
> > > >developers and admins, and most of them are very knowledgeable.
> > > >There are good mailing lists and _plenty_ of good Linux
> > > >security/firewall books, articles, web sites, etc. available.
> > > >
> > > >Locking down a Linux box is not rocket science. That is FUD that
> > > >is propagated by vendors who want to sell product. It's not hard to
> > > >configure a Linux box to be secure, the difficulty comes in running
> > > >lots of services and providing access to users. If you have a box
> > > >that runs web, ftp, smtp, nfs, etc., then it becomes much harder to
> > > >secure, but none of these services should be running on a firewall.
> > > >
> > > >The bottom line is that there are several good commercial firewalls,
> > > >but that doesn't mean that a Linux box cannot serve as a good, low-
> > > >end alternative. Especially if cost is one of the main decision
> > > >factors.
> > > >
> > > >-Kent
> > > >
> > > >
> > > >
> > > >
> > > >_________________________________
> > > >FAQ, list archives, and subscription info:
> > > >http://www.groupstudy.com/list/cisco.html
> > > >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> > >
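The two-service firewall Sean and Kent describe (SSH plus netfilter, nothing else listening), together with Allen's question about whether SSH is open on the outside interface and his point about alerting on successful connections rather than only failed ones, as an added example that is not part of the original thread: a minimal iptables ruleset for a bastion box with default-deny policies, SSH accepted only from named admin hosts, and every accepted new SSH session logged. The interface names, the LAN prefix, the admin host addresses and the backup file path are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: a two-service bastion firewall
# ruleset for netfilter/iptables. It uses the 2.4-era "-m state" match, which
# current iptables still accepts. Interface names, prefixes, admin hosts and
# the backup path below are assumptions; override them in the environment.
OUTSIDE="${OUTSIDE:-eth0}"                              # assumed: Internet-facing interface
INSIDE="${INSIDE:-eth1}"                                # assumed: LAN-facing interface
INSIDE_NET="${INSIDE_NET:-192.168.1.0/24}"              # assumed: LAN prefix allowed out
ADMIN_HOSTS="${ADMIN_HOSTS:-203.0.113.10 192.168.1.5}"  # assumed: the only SSH sources
RULES_FILE="${RULES_FILE:-/etc/firewall/rules.v4}"      # assumed: backup of the loaded rules

# Emit the ruleset in iptables-restore(8) format so it can be reviewed, diffed
# and reloaded atomically instead of being typed rule by rule.
build_ruleset() {
  printf '%s\n' \
    '*filter' \
    ':INPUT DROP [0:0]' \
    ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -m state --state INVALID -j DROP'
  # SSH to the firewall itself: only from the admin hosts, and every accepted
  # new session is logged. The LOG rule is rate limited so it cannot flood
  # syslog; the ACCEPT rule that follows it is not limited.
  for h in $ADMIN_HOSTS; do
    printf '%s\n' \
      "-A INPUT -p tcp -s $h --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix \"FW-SSH-ACCEPT \"" \
      "-A INPUT -p tcp -s $h --dport 22 -m state --state NEW -j ACCEPT"
  done
  # Anything else aimed at the firewall falls through to the DROP policy;
  # log it (rate limited) so refused attempts are visible as well.
  printf '%s\n' \
    '-A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-INPUT-DROP "' \
    "-A FORWARD -i $INSIDE -o $OUTSIDE -s $INSIDE_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
    "-A FORWARD -i $OUTSIDE -o $INSIDE -m state --state ESTABLISHED,RELATED -j ACCEPT" \
    '-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FW-FWD-DROP "' \
    'COMMIT'
}

# Review helper: would a given source address be allowed to open SSH to the
# box? Returns 0 (yes) or 1 (no) by inspecting the generated rules; no root
# and no live firewall needed.
ssh_allowed_from() {
  build_ruleset | grep -q -e "-s $1 --dport 22 .* -j ACCEPT"
}

# Load the ruleset atomically (needs root), then keep a copy of what is
# actually loaded so it can be put back after a bad edit or a disk failure.
apply_ruleset() {
  mkdir -p "$(dirname "$RULES_FILE")"
  build_ruleset | iptables-restore && iptables-save > "$RULES_FILE"
}

case "${1:-}" in
  show)  build_ruleset ;;
  check) shift
         for h in "$@"; do
           if ssh_allowed_from "$h"; then echo "$h: SSH allowed"; else echo "$h: SSH refused"; fi
         done ;;
  apply) apply_ruleset ;;
esac
```

Run it as `sh firewall.sh show` to review the rules, `sh firewall.sh check 203.0.113.10 198.51.100.7` to confirm which sources can reach SSH, and `sh firewall.sh apply` as root to load them. SSH stays reachable for remote troubleshooting, which is Sean's requirement, but only from the listed sources rather than from the whole outside interface, which is the exposure Allen asks about; nothing else is accepted on the box, so the only services to keep patched are sshd and the kernel.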