On Sat, 2004-07-24 at 11:56, Scot L. Harris wrote:
> On Sat, 2004-07-24 at 12:34, Bruno Wolff III wrote:
> >
> > I disagree. Hardware routers are pretty much just software routers that
> > you don't (generally) have access to the source for, are harder to update,
> > and may have backdoors as a recent Netgear model did. The router manufacturers
> > have incentive to put in backdoors to cut support costs.
> >
> > There are advantages to having a firewall that is on a separate physical
> > machine, but hardware firewalls aren't magically better than locked
> > down linux boxes not running public services. They may be cheaper, particularly
> > if you don't have an old box sitting around that you can use for a firewall.
> >
> > Even having a separate firewall doesn't buy you that much if you are protecting
> > linux (or BSD) machines as they have very powerful packet filtering software.
> > The main advantages are some convenience bringing up new machines (as they
> > can be attached to the network before being fully hardened) and that since
> > in theory the firewall should be more secure, it is likely to be able to
> > prevent outbound attacks after a compromise which a packet filter on a root
> > compromised machine won't be able to do.
>
> For those that have the skills, time, equipment, money, a hardened linux
> box may be a good alternative. For the vast majority of people out
> there that really just want to use their system for email, web browsing,
> games, and possibly some actual work, a simple dedicated inexpensive
> router/firewall will do a very good job. True it does not have all the
> features of a full blown firewall box but then most people don't need
> fine grained access controls or the ability to filter or trap specific
> packets.
>
> For the price of between 40 and 60 dollars such a firewall can prevent
> most if not all attempts at getting at systems sitting behind it. The
> kind of probing mentioned here is just the kind of thing that such a
> firewall would deflect very easily.
>

Not true. If you want ssh access to your box you would have to open up
port 22 (or some other custom port) and forward it from the firewall box
to your box. Thus this attack style would still reach the "protected box".

> Also, using a dedicated single purpose device usually eliminates a large
> number of the potential holes that a more complex powerful box may
> suffer from if improperly configured. Fewer options equal fewer chances
> to misconfigure things.
>
> I have started the process to build a linux based firewall. I figure it
> will take several weeks if not more to get something that I feel is
> secure enough to actually connect directly to the Internet. Plus I have
> to sort out installation and operation of some very complicated software
> (iptables, snort, possibly shorewall, tripwire, etc). And once I put it
> in place I will no doubt have to spend time every day monitoring it to
> make sure things continue to work as expected. At some point I may find
> it is not worth it and revert back to a much simpler device. But I
> figure this is a good learning exercise for myself.
>
> Plus I will continue to run iptables on the systems behind the firewall
> along with tripwire as a second line of defense.
>
> For those that just want to make use of a computer attached to the
> Internet via a broadband connection 40 to 60 dollars is well worth it in
> most cases. It not only protects them but keeps their systems from
> being used to spam and DDOS other people's systems.
>
> --
> Scot L. Harris
> webid@xxxxxxxxxx
>
> If one cannot enjoy reading a book over and over again, there is no use
> in reading it at all.
> -- Oscar Wilde
>
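The SSH probing that a forwarded port 22 still lets through shows up in the target host's own sshd log, which is where the "second line of defense" on the box can see it. As an added example (not from the thread), this Python script counts failed logins per source over constructed auth-log lines in the usual OpenSSH syslog format; the addresses are RFC 5737 documentation ranges.

```python
"""Count failed SSH logins per source address from OpenSSH auth-log lines."""
import re
from collections import Counter, defaultdict

# Matches both "Failed password for root from 203.0.113.5 port 41234 ssh2"
# and "Failed password for invalid user admin from 203.0.113.5 port 41235 ssh2".
# The separate "Invalid user X from Y" line sshd emits for unknown accounts is
# deliberately not matched, since its "Failed ... for invalid user" line follows
# and counting both would double-count one attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: one probing source, one legitimate user with a typo.
SAMPLE_LOG = """\
Jul 24 11:02:13 gw sshd[2031]: Failed password for root from 203.0.113.5 port 41234 ssh2
Jul 24 11:02:15 gw sshd[2033]: Invalid user admin from 203.0.113.5
Jul 24 11:02:15 gw sshd[2033]: Failed password for invalid user admin from 203.0.113.5 port 41235 ssh2
Jul 24 11:02:17 gw sshd[2035]: Failed password for invalid user test from 203.0.113.5 port 41236 ssh2
Jul 24 11:02:19 gw sshd[2037]: Failed password for root from 203.0.113.5 port 41237 ssh2
Jul 24 11:30:02 gw sshd[2101]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Jul 24 11:31:40 gw sshd[2110]: Failed password for alice from 198.51.100.7 port 51001 ssh2
"""


def failed_logins(log_text):
    """Return {source_ip: Counter(username -> failures)} for failed attempts."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m["src"]][m["user"]] += 1
    return attempts


def probing_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures, most active first."""
    totals = {src: sum(c.values()) for src, c in failed_logins(log_text).items()}
    return sorted((s for s, n in totals.items() if n >= threshold),
                  key=lambda s: -totals[s])


if __name__ == "__main__":
    attempts = failed_logins(SAMPLE_LOG)
    for src in probing_sources(SAMPLE_LOG):
        users = attempts[src]
        print(f"{src}: {sum(users.values())} failures, users {sorted(users)}")
```

Feed it `/var/log/auth.log` (or `/var/log/secure`) instead of `SAMPLE_LOG` to see which sources are hammering the forwarded port; a single failure from a known address is normal, many usernames from one address in seconds is a probe.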