On the GNAC firewall list [EMAIL PROTECTED] wrote:
>Sorry if I made you confused. ok, if you say that ipchains is ok, then I
>would be fine now.

This bothers me.

IP-Chains is a tool.  It provides a functionality.  It works as
advertised, it does not have any bugs as far as I know (but I
wouldn't).  Therefore, one would say that the tool is OK.

In the hands of someone who knows what he wants to do, the tool
may or may not be sufficient for the task, depending on what the
task is.

If you're already using ipchains, then you should already have a
security policy, even if it's as basic as "I can go out, nobody
can come in".  If so, you would have tried to implement this in
ipchains, and you would already know whether the tool provides
the functionalities you need.  Since you don't ...

I am certain that I can write a set of ipchains rules that
will prevent more attacks than would be prevented by a lot of
state-of-the-art $xxxxx user-authenticating vpn-encrypting
firewalls as installed today on the Internet (while still
keeping the desired functionality of the protected network, of
course).  That's not to say I'm some kind of filter guru, that's
to say I'm competent compared to some persons who install a
turn-key firewall.  If I and the not-so-hypothetical guy who
doesn't know a lot about network security exchanged firewalls,
I'd still do a better job.

If you'd asked whether ipchains lets you protect yourself
against frag attacks, you'd have received other replies.
Does ipchains let you deny packets based on IP source, IP
destination?  MAC source, MAC destination?  The presence of
IP options, and can you choose which to let by and which not
to let by? The time of day?  The destination port, the source
port? Does ipchains let you detect TCP packets that do not
belong to a correctly established TCP session?  Does ipchains do
user authentication?  Does ipchains do encryption?

It's all about knowing precisely what you want to do and how.
It's all about knowing how the network works, knowing the
dangers, and having a coherent security policy to safeguard
against the risks while allowing you to work.  *Then* you can
ask whether the tool is up to the job.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
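The "I can go out, nobody can come in" policy and the capability checklist above (source-address filtering, fragments, SYN-only matching, port matching), written as an ipchains ruleset. This is an added example, not part of the original post or any reply to it. It assumes an external interface named eth0 and an internal network of 192.168.1.0/24, neither of which the post names; set DRY_RUN=1 to print the rules instead of loading them, since loading needs root and an ipchains-era (2.2) kernel.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal ipchains ruleset for the
# "I can go out, nobody can come in" policy the thread describes.
# Assumed values (not in the original): external interface eth0, internal
# network 192.168.1.0/24. DRY_RUN=1 prints each command instead of running it.

EXT_IF="${EXT_IF:-eth0}"
INT_NET="${INT_NET:-192.168.1.0/24}"

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_policy() {
    # Start from a clean input chain: default-deny inbound, allow outbound.
    run ipchains -F input
    run ipchains -P input DENY
    run ipchains -P output ACCEPT

    # Anti-spoofing: our own address range never legitimately arrives on the
    # outside interface. -l logs the match to the kernel log.
    run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l

    # Second and later fragments carry no TCP/UDP header, so port and flag
    # rules cannot inspect them; deny them explicitly (and log) from outside.
    run ipchains -A input -i "$EXT_IF" -f -j DENY -l

    # ipchains has no connection tracking. The closest it gets is refusing
    # TCP connection openers (-y: SYN set, ACK and FIN clear) from outside,
    # and letting every other TCP segment through as a presumed reply.
    run ipchains -A input -i "$EXT_IF" -p tcp -y -j DENY -l
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # Replies to our UDP DNS queries, matched on source port only: nothing
    # here can tie the reply to an earlier query.
    run ipchains -A input -i "$EXT_IF" -p udp --sport 53 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # Loopback and the inside interface are trusted.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input ! -i "$EXT_IF" -j ACCEPT
}

# Usage: DRY_RUN=1 sh firewall.sh apply    (print the rules)
#        sh firewall.sh apply              (load them, as root)
case "${1:-}" in
    apply) apply_policy ;;
esac
```

Rule order matters: the input chain is walked top to bottom, so the spoofing and fragment denials sit before any ACCEPT. The two `-p tcp` rules are the honest answer to the post's question about TCP packets that do not belong to an established session: ipchains can refuse connection openers, but any non-SYN segment from outside is accepted on faith, and the UDP 53 rule accepts any packet with source port 53. Closing that gap needs a packet filter with connection tracking, which is exactly the "is the tool up to the job" question the post ends on.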