OK this is messed up.  I sent you a list of possible things that could
happen and you're still going off on me.  I was trying to allow you to take
precautions against this stuff but you're going nuts here.  I don't want an
argument, I'm trying to help.  I LIKE Linux.

More inline comments (hopefully the last).


----- Original Message -----
From: "Sean Young" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Monday, March 26, 2001 3:19 PM
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco PIX
525


> Sigh...inline comments
>
>
> >From: "Allen May" <[EMAIL PROTECTED]>
> >To: "Sean Young" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> >    <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> >Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
> >PIX 525
> >Date: Mon, 26 Mar 2001 14:55:57 -0600
> >
> >Sigh...inline comments:
> >
> >----- Original Message -----
> >From: "Sean Young" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>;
> ><[EMAIL PROTECTED]>
> >Sent: Monday, March 26, 2001 2:42 PM
> >Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
> >PIX
> >525
> >
> >
> > > Allen,
> > > If SSH service is not open on the outside interface, how do you expect
> > > to troubleshoot the problem when there is a problem with the Firewall?
> >VPN, dial-up modem, terminal server, ACLs, etc.  If they find your
> >password or someone knows it & gets in, does IDS tell you?
>
> Dial-up modem.  Isn't there a war-dialer that can hack your system?
> Another thing, doesn't the VPN also have a public interface?  What
> about if your VPN has been compromised?  Ever thought about that?

I'm a security administrator.  Of course I've thought of that.
1)  No it does not have a public interface.  It has a virtual IP with only
vpn ports opened to it.  ACL only allows certain source IPs to even access
it.  You have to have username/password just to get into VPN and even then,
TACACS+ or RADIUS limits the commands you can type from that point.  It's an
added layer of security that they have to get past before even being able
to SSH or telnet to the firewall.  This forces them to have 3
username/password combinations and get through ACL without disabling the
account they're trying to use.  This is simply another layer of security you
would have.

2)  War dialers don't do any good when it's AAA-authentication with TACACS+.
The account is disabled after X attempts.  See following comment about IDS
as well.  Besides, why use that argument when you've got SSH wide open to
the entire internet?  Also how are they going to get your phone #?  Same way
they would have to get the password.  Again, another layer of security I
simply suggested.

3)  IDS tells me when a VPN user establishes a connection with the firewall
when configured.  That's what I said in the first email.  If you have it,
set it up to notify you even of successful attempts.  It's another layer of
security you could possibly use instead of just SSH enabled to the world.
>
> >
> > > Tell me this, how can you troubleshoot a PIX remotely when there is a
> > > problem?  My employer is certainly not going to fly me out-of-state to
> > > fix a minor problem.
> >See above answer.
> >
> > >Furthermore, can you absolutely guarantee me, in writing, that the
> > > Cisco PIX can never be compromised?
> >No guarantee but it's claimed to have never been compromised unless the
> >attacker had inside access (physical, vpn, etc) and knew the password and
> >the user was careless enough to not implement ACL.  On the other hand,
> >read up on security on Linux for yourself.  Redhat was the #1 hacked
> >operating system (even surpassed Windows last I read).
>
> Ever heard of the Linux Router Project?  What makes you think that I am
> running RedHat?  Ever heard of NetBSD?  It is even more secure than PIX.

I mentioned vulnerabilities in Redhat as an example not knowing what you were
using.  Regardless, it's a full blown OS that when compromised, someone can
install any service they like.  Please send the link stating it's more
secure than PIX.  I want to see how someone can install a packet sniffer on
a PIX when they know my password.

>
> >
> > >Another thing, what makes you think that I am
> > > also running other services besides Firewall features on Linux?  If
> > > you read my email carefully, you also notice that I only run SSH and
> > > netfilter (aka iptables) on the Firewall.
> >I read that part.  That's why I said root or sudo access allows a user to
> >install other services.  A Cisco IOS does not.  It's easy to add a new
> >service if you have access to do it.  You can even install via ftp.
> >
> Now how do you plan on getting my root password?

I'm not.  But it's easy.  Are you the only one that knows it?  Is it written
down somewhere?  It's amazing what disgruntled employees would do for a nice
little check from an outside source.  That's a risk involved with any
operating system or piece of hardware.  However, with ACL allowing certain
source IPs, how are they going to use it on the PIX?  You have the outside
interface SSH enabled.  I was simply stating that this is dangerous and you
should consider another way in.  If it loses IP configuration, how are you
going to SSH to it to fix it?  That's where a modem would come in handy.

>
> > >Your reason is based purely on FUD
> > > (Fear, Uncertainty and Doubt).
> >It's based on 12 years' experience and working as security administrator
> >at an ISP where we've had many DSL users complain about their Linux boxes
> >being hacked.  Some find out they've been hacked after someone on the
> >internet had reports of porn sites running on their compromised system.
> >Users who purchased a PIX and allowed us to manage it have not been
> >hacked even one time so far.
>
> That is because they don't know what they are doing.  How do you know
> that the Cisco PIX doesn't have any security holes?  Did you read about
> Cisco IOS devices having the ISN security hole in them?  What makes you
> think that PIX doesn't have this problem?  Based on what the vendors tell
> you?  I would take their word with a grain of salt.

Again, PIX does not have a full blown operating system.  That was my entire
argument to begin with.  Cisco does have holes discovered occasionally.  All
security holes discovered have been fixed promptly and as far as I know,
there haven't been any new ones found.

> >
> >I ain't skeered ;)  I was trying to let you know the vulnerabilities you
> >might have and allow you to take precautions.  If you're going to be that
> >way about it, you can learn on your own the hard way when you have to fly
> >out there to fix a compromised system or failed hard drive.  From your
> >reply you either didn't read my reply carefully or didn't even understand
> >it.
> >
> Every system has its good and bad.  It is up to us to decide.  If I am
> educated about Linux and its capabilities and limitations, I think the
> system can be a very effective Firewall.
>

Of course it can and I never said it couldn't.  But it's still a full blown
OS with a hard drive that can fail.  I know other hardware can fail in
either system, but a hard drive is the only thing besides the fan that has
moving parts.  Also even as a good Linux admin, you should be open-minded to
people educated in security to secure your box even further.  Just because
someone isn't using what you use and tells you to watch for certain caveats
doesn't mean they're against you.  This is a group of individuals who help
each other out and I try to do my part.  If you don't want it just say so &
learn on your own.

> Just my 2 cents.
> Sean
> > >
> > > Sean
> > >
> > >
> > > >From: "Allen May" <[EMAIL PROTECTED]>
> > > >To: "Sean Young" <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>,
> > > >    <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> > > >Subject: Re: Performance Comparision between Linux OS Firewall and
> >Cisco
> > > >PIX 525
> > > >Date: Mon, 26 Mar 2001 14:29:34 -0600
> > > >
> > > >Is the outside interface still open to SSH connections?  If so & it's
> > > >compromised, Linux is a full blown operating system that, when
> > > >compromised, can have ANY program designed for Linux installed.  Can you
> > > >imagine something like a packet analyzer grabbing all your passwords and
> > > >sending them out over the net to someone else?  Ewww.  That's my #1
> > > >reason for going with something like a PIX.  Just make sure your IDS is
> > > >set to notify even in the event of a SUCCESSFUL connection.  I've seen
> > > >people who set it up for unsuccessful attempts only.
> > > >
> > > >I hope that guy wasn't fired BECAUSE he recommended the Cisco solution.
> > > >That's totally a matter of point of view on that decision & his wasn't
> > > >wrong; neither was the Linux choice.  Some situations call for one
> > > >while others call for the other.
> > > >
> > > >Oh and keep a copy of the correctly configured drive with all settings
> > > >on hand.  A hard drive is much more prone to failure than RAM/ROM just
> > > >due to the moving parts involved.
> > > >
> > > >Allen
> > > >----- Original Message -----
> > > >From: "Sean Young" <[EMAIL PROTECTED]>
> > > >To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> > > ><[EMAIL PROTECTED]>
> > > >Sent: Sunday, March 25, 2001 3:05 PM
> > > >Subject: Re: Performance Comparision between Linux OS Firewall and
> >Cisco
> > > >PIX
> > > >525
> > > >
> > > >
> > > > > Ken,
> > > > > Thank you very much for the advice.  This past Friday, my company
> > > > > decided to use Linux as our company Firewall.  Furthermore, we've
> > > > > decided that this Firewall will be running kernel 2.4.2 with only
> > > > > two services running on it, SSH and netfilter (aka iptables).  I've
> > > > > tested kernel 2.4.2 in the lab and noticed it performs better than
> > > > > kernel 2.2.x.  I've also performed various intrusion detection tests
> > > > > on the box using Cisco NetSonar, Cybercop, ISS, Axent Netrecon but
> > > > > was unable to break it.  The linux box is rock-solid.  I am also
> > > > > running portsentry (IDS) on the Firewall itself.
> > > > >
> > > > > Also, we decided to run our squid proxy server on another linux box
> > > > > to provide transparent caching for our internal users.  As far as
> > > > > VPN is concerned, we are going to implement FreeS/WAN on another
> > > > > box.  I think in the long run, it is going to save the company a
> > > > > lot of money.  We ended up not buying the PIX and web-caching engine
> > > > > from Cisco.  Oh, the networking guy in our group who recommended
> > > > > Cisco PIX and Cisco web-caching engine as a solution has been
> > > > > fired.  Go figure.
> > > > >
> > > > > Regards,
> > > > > Sean
> > > > > P.S.  Priscilla, why not implement TRANSPARENT caching by using
> > > > > squid to speed up internet connection for your users?  Squid is
> > > > > free and very secure and easy to use.
> > > > >
> > > > > >From: [EMAIL PROTECTED]
> > > > > >Reply-To: [EMAIL PROTECTED]
> > > > > >To: [EMAIL PROTECTED], "Stuart Brockwell"
> > > ><[EMAIL PROTECTED]>
> > > > > >Subject: Re: Performance Comparision between Linux OS Firewall
and
> > > >Cisco
> > > > > >PIX 525
> > > > > >Date: Sat, 24 Mar 2001 20:02:26 -0800
> > > > > >
> > > > > >Sean,
> > > > > >
> > > > > >Comments embedded:
> > > > > >
> > > > > >On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:
> > > > > >
> > > > > > > Hi Sean,
> > > > > > >       I am a Linux head myself, and one of our firewalls is in
> > > > > > >       fact running on a Linux box.  The only problem with this
> > > > > > > type of firewall is that you inherit all of the known bugs that
> > > > > > > the software has.  Given that the source code to Linux is widely
> > > > > > > available, you have a lot of very talented people out there who
> > > > > > > know these holes and are able to exploit them very easily.
> > > > > >
> > > > > >It also means that there are a lot of talented people who are
> > > > > >looking at the code to make sure that any holes are patched.  In
> > > > > >fact, when new exploits are found, Linux is usually the fastest
> > > > > >platform to have a patch available.  Compare this to having to wait
> > > > > >weeks for vendor patches or having to prove to a vendor that a
> > > > > >problem exists.
> > > > > >
> > > > > >Also, a service can only be exploited if it is running.  A properly
> > > > > >configured firewall doesn't run unnecessary services; this makes it
> > > > > >very difficult to exploit.  Essentially, it would come down to
> > > > > >trying to DoS it or running a password guessing program against it
> > > > > >to get remote access.
> > > > > >
> > > > > >
> > > > > >    If you
> > > > > > > maintain your own Linux firewall, you will need to continuously
> > > > > > > look for the latest bug fixes to install on your Linux box to
> > > > > > > address the latest round of holes that have been released.
> > > > > >
> > > > > >If the Linux firewall is properly set up, the only services running
> > > > > >on it are ipchains and SSH.  This means that you have to be aware of
> > > > > >2 services.  While there could always be a local exploit, if only
> > > > > >trusted admins have access, the trouble with keeping up patches
> > > > > >is minimal.  It is certainly no more trouble than keeping up with
> > > > > >bugs on a vendor platform.
> > > > > >
> > > > > > >
> > > > > > > Cisco and companies such as Watch Guard closely guard their
> > > > > > > source code, often you can elect to take on a maintenance
> > > > > > > contract with the firewall where you receive all the latest
> > > > > > > fixes for a 12 month period (this is what we did).  As this is
> > > > > > > their bread and butter, they spend a lot of time looking for
> > > > > > > holes and fixes to known bugs.
> > > > > > >
> > > > > >
> > > > > >While true, this doesn't mean that their code will have fewer bugs
> > > > > >or that the bugs will be patched quicker.  There is a very large
> > > > > >support community for Linux that is very technical.  Most bugs are
> > > > > >patched in a matter of days, sometimes hours.
> > > > > >
> > > > > >
> > > > > > > the main plus for each of
> > > > > > > the commercial packages is that there is a large support base,
> > > > > > > whereas skilled Linux admin staff who can lock down a firewall
> > > > > > > are very few and far between.
> > > > > >
> > > > > >This is simply not true.  There is a very large community of Linux
> > > > > >developers and admins, and most of them are very knowledgeable.
> > > > > >There are good mailing lists and _plenty_ of good Linux
> > > > > >security/firewall books, articles, web sites, etc. available.
> > > > > >
> > > > > >Locking down a Linux box is not rocket science.  That is FUD that
> > > > > >is propagated by vendors who want to sell product.  It's not hard
> > > > > >to configure a Linux box to be secure; the difficulty comes in
> > > > > >running lots of services and providing access to users.  If you
> > > > > >have a box that runs web, ftp, smtp, nfs, etc., then it becomes
> > > > > >much harder to secure, but none of these services should be running
> > > > > >on a firewall.
> > > > > >
> > > > > >The bottom line is that there are several good commercial
> > > > > >firewalls, but that doesn't mean that a Linux box cannot serve as a
> > > > > >good, low-end alternative.  Especially if cost is one of the main
> > > > > >decision factors.
> > > > > >
> > > > > >-Kent
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >_________________________________
> > > > > >FAQ, list archives, and subscription info:
> > > > > >http://www.groupstudy.com/list/cisco.html
> > > > > >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
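Added example for this thread, not code from any of its authors.  It puts the two sides of the argument above into a form you can read and test: the netfilter rule set Sean's "only SSH and netfilter" box would carry if Allen's "ACL only allows certain source IPs" were applied to it (with the SSH-open-to-the-world rule beside it for contrast), and two checks over sshd log lines for the alerting Allen asks for: successful logins from anywhere other than the management hosts, and accounts that reach a "disabled after X attempts" threshold.  The interface names, the 192.0.2.x and 203.0.113.x addresses, the log lines and the DRY_RUN switch are all assumptions made for this example; the `-m state` match is the stateful module of the 2.4 netfilter the thread mentions.

```shell
#!/bin/sh
# Added example for this thread, not code from any of its authors.
# Interface names, management addresses (RFC 5737 documentation ranges)
# and the sshd log lines are all assumptions constructed for the example.

OUTSIDE="${OUTSIDE:-eth0}"                          # assumed outside interface
INSIDE="${INSIDE:-eth1}"                            # assumed inside interface
MGMT_HOSTS="${MGMT_HOSTS:-192.0.2.10 192.0.2.11}"   # assumed admin source IPs

# ipt: run iptables, or only print the command when DRY_RUN is set, so the
# rule set can be reviewed and tested on a box without root or netfilter.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The weak setting argued about above: SSH answered from the whole internet.
ssh_open_to_world() {
    ipt -A INPUT -i "$OUTSIDE" -p tcp --dport 22 -j ACCEPT
}

# The hardened form: default drop, stateful replies, new SSH sessions on the
# outside interface only from MGMT_HOSTS (the "ACL only allows certain source
# IPs" point), all other port-22 traffic logged so the IDS/syslog watcher sees it.
firewall_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for h in $MGMT_HOSTS; do
        ipt -A INPUT -i "$OUTSIDE" -s "$h" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    done
    ipt -A INPUT -i "$INSIDE" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH-DENIED: "
    ipt -A INPUT -j DROP
}

# Constructed sshd lines (not real log data) in the usual syslog format.
SAMPLE_LOG='Mar 26 14:55:57 fw sshd[1201]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Mar 26 14:56:03 fw sshd[1204]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar 26 14:56:05 fw sshd[1204]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar 26 14:56:08 fw sshd[1204]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar 26 14:56:30 fw sshd[1207]: Failed password for invalid user oracle from 203.0.113.9 port 4025 ssh2
Mar 26 14:57:10 fw sshd[1210]: Accepted password for admin from 203.0.113.7 port 4030 ssh2'

# Successful logins whose source is not a management host: the "notify even
# on a SUCCESSFUL connection" case, which an IDS tuned to failures alone misses.
unexpected_logins() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v allow="$MGMT_HOSTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /sshd.*: Accepted / {
            user = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") src  = $(i + 1)
            }
            if (!(src in ok)) print user, src
        }'
}

# User/source pairs that hit the failure threshold $1: what a "disable the
# account after X attempts" AAA policy would have locked out.
lockout_candidates() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v max="$1" '
        /sshd.*: Failed password for / {
            user = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "user") user = $(i + 1)    # "invalid user NAME"
                if ($i == "from") src  = $(i + 1)
            }
            fails[user " " src]++
        }
        END { for (k in fails) if (fails[k] >= max + 0) print k }'
}

case "${1:-}" in
    apply) firewall_rules ;;               # live run: needs root and iptables
    *)     DRY_RUN=1
           firewall_rules
           echo "unexpected logins:";  unexpected_logins
           echo "lockout candidates:"; lockout_candidates 3 ;;
esac
```

Run it with no arguments to print the rule set and the two reports; `apply` loads the rules for real (root required, and load them from the console or the inside interface, since the default-drop policy takes effect before the accept rules are in place).  For real logs, feed the sshd lines from your syslog file in place of SAMPLE_LOG; the path varies by distribution.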