On Sat, 2004-07-24 at 12:34, Bruno Wolff III wrote:

> I disagree. Hardware routers are pretty much just software routers that
> you don't (generally) have access to the source for, are harder to update,
> and may have backdoors as a recent Netgear model did. The router manufacturers
> have an incentive to put in backdoors to cut support costs.
>
> There are advantages to having a firewall that is on a separate physical
> machine, but hardware firewalls aren't magically better than locked
> down Linux boxes not running public services. They may be cheaper, particularly
> if you don't have an old box sitting around that you can use for a firewall.
>
> Even having a separate firewall doesn't buy you that much if you are protecting
> Linux (or BSD) machines as they have very powerful packet filtering software.
> The main advantages are some convenience bringing up new machines (as they
> can be attached to the network before being fully hardened) and that since
> in theory the firewall should be more secure, it is likely to be able to
> prevent outbound attacks after a compromise which a packet filter on a root
> compromised machine won't be able to do.

For those that have the skills, time, equipment, and money, a hardened Linux box may be a good alternative. For the vast majority of people out there that really just want to use their system for email, web browsing, games, and possibly some actual work, a simple dedicated inexpensive router/firewall will do a very good job. True, it does not have all the features of a full-blown firewall box, but then most people don't need fine-grained access controls or the ability to filter or trap specific packets. For the price of between 40 and 60 dollars such a firewall can prevent most if not all attempts at getting at systems sitting behind it. The kind of probing mentioned here is just the kind of thing that such a firewall would deflect very easily.

Also, using a dedicated single-purpose device usually eliminates a large number of the potential holes that a more complex, powerful box may suffer from if improperly configured. Fewer options mean fewer chances to misconfigure things.

I have started the process to build a Linux-based firewall. I figure it will take several weeks if not more to get something that I feel is secure enough to actually connect directly to the Internet. Plus I have to sort out installation and operation of some very complicated software (iptables, snort, possibly shorewall, tripwire, etc.). And once I put it in place I will no doubt have to spend time every day monitoring it to make sure things continue to work as expected. At some point I may find it is not worth it and revert back to a much simpler device. But I figure this is a good learning exercise for myself. Plus I will continue to run iptables on the systems behind the firewall along with tripwire as a second line of defense.

For those that just want to make use of a computer attached to the Internet via a broadband connection, 40 to 60 dollars is well worth it in most cases. It not only protects them but keeps their systems from being used to spam and DDoS other people's systems.

-- 
Scot L. Harris
webid@xxxxxxxxxx

If one cannot enjoy reading a book over and over again, there is no use in reading it at all.
-- Oscar Wilde
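The point both posters circle around (a separate firewall can still stop outbound abuse after a LAN host is rooted, which a packet filter on that host cannot) comes down to egress filtering on the forwarding box. The following is an added example, not anything from this thread: a POSIX shell function that emits an iptables-restore ruleset for a two-interface Linux firewall with a default-deny FORWARD chain, anti-spoofing, and logged egress drops. The interface names, LAN prefix and allowed ports are assumptions to adapt.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates an iptables-restore
# ruleset for a dedicated two-interface Linux firewall. Interface names, the
# LAN prefix and the allowed egress ports are assumptions; adjust to taste.
# Usage: firewall_ruleset WAN_IF LAN_IF LAN_NET > /etc/iptables.rules
#        sysctl -w net.ipv4.ip_forward=1 && iptables-restore < /etc/iptables.rules
firewall_ruleset() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections the firewall itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management (SSH) from the LAN side only; nothing listens towards the WAN
-A INPUT -i $lan -s $net -p tcp --dport 22 -j ACCEPT
# Probes arriving on the WAN fall through to the DROP policy; log a sample
-A INPUT -i $wan -m limit --limit 3/min -j LOG --log-prefix "wan-probe: "
# Anti-spoofing: WAN packets claiming a LAN source, and LAN packets whose
# source is not in the LAN prefix, are dropped before any ACCEPT rule
-A FORWARD -i $wan -s $net -j DROP
-A FORWARD -i $lan ! -s $net -j DROP
# Return traffic for connections the LAN initiated
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Egress policy: only web and DNS may leave the LAN. A compromised LAN host
# therefore cannot relay mail directly (spam) or flood arbitrary ports, and
# the logged drops make a suddenly chatty host visible in the firewall's logs.
-A FORWARD -i $lan -o $wan -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $lan -o $wan -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan -o $wan -p tcp --dport 25 -j LOG --log-prefix "lan-smtp: "
-A FORWARD -i $lan -o $wan -p tcp --dport 25 -j DROP
-A FORWARD -i $lan -o $wan -m limit --limit 3/min -j LOG --log-prefix "egress-drop: "
-A FORWARD -i $lan -o $wan -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind the WAN address
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
EOF
}
```

Compare the `lan-smtp:` and `egress-drop:` log lines against what each LAN host is expected to do; a workstation that starts hitting port 25 on many destinations is the post-compromise outbound traffic the quoted post refers to.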