
RE: Smooth wall - more detailed



On Thu, 30 Aug 2001, Haim Gelfenbeyn wrote:

> >
> > In any case, there is a major drawback for both:
> >
> > Contrary to special "hardened" distros (such as Smoothwall and Astaro),
> > SuSE and Mandrake may be easier to break into.
> >
>
> This is debatable. If you disable all network services except what is
> vital for the firewall, it all comes down to the quality of your
> firewall rules and the security of the Linux kernel. Since you can set up
> firewall rules easily on Smoothwall and Astaro, this is a plus. OTOH a
> novice can create firewall rules that offer little security, and he
> won't know about it. Creating rules manually requires a deep dive into
> network security and TCP/IP inner workings, and the user learns something
> about firewalls along the road.
>
> These "hardened" distros simply have many services disabled compared to
> a regular distro, and offer some add-ons. Two things that I like on Astaro
> are AVP antivirus checking all incoming mail for viruses/trojans, all set
> up automatically, and extensive logging and reporting, available from a
> web interface.

The virus scanner is one of the things that actually cost money.

Also, putting a mail gateway (with a virus scanner!) on a gateway machine
means you need a much beefier machine there (if you're talking about
anything bigger than a small office, it should probably be on a separate
machine).

>
>
> > In addition, most of the "firewall-dedicated" distros are read-only (i.e.
> > come on a bootable CD, or downloaded and burned on a CDR), while their
> > configuration resides on a floppy, that is usually write-protected (and is
> > enabled for writing only during re-configurations).
> >
>
> And how exactly is this a plus? If you get rooted, it will be that way
> till the machine is rebooted (my firewall machine's uptime is 7 months
> now). And when rebooted, you will lose all traces of the attack. So it
> will probably go unnoticed. Granted, it's easy to recover from an attack,
> but as long as you don't fix the security flaw that let the intruder get
> in, you don't prevent future attacks.

And fixing a security flaw is harder (if this is a CD-based distro), as
you need to re-create the image (or download the whole new image), burn
it, and reboot the system to apply the fix.

Hopefully there are fewer fixes, but still this is a higher response time.

> > I don't believe that this is the case with Mandrake/SuSE, so they don't
> > make them really "run for their money".
> >
>
> Quality backup and regular automatic or manual integrity audits are
> enough, IMHO.
>
>
> > A mid-summary: To make things easier, let me summarize the criteria for a
> > Linux firewall to be ideal:
> >
> > * free (where Astaro is inferior)
> > * based on a distro dedicated for being a firewall (where Mdk and SuSE
> > are inferior), preferably read-only (except for the configuration,
> > which is writable only when needed, and optional logging)

When it is not based on a standard distro, then someone else has to do
_all_ the security audits himself.

A stripped-down standard distro, which is kept up-to-date also helps.

> > * 2.4.* based (i.e. support for iptables/netfilter/stateful-inspection)
> > * GUI (where most of the mini-distros are inferior)
> > * support all the important features (it may surprise some of you, but
> > some "firewall" packages don't support more than 2 interfaces, i.e. no
> > support for DMZ!)
> >
> > Among those 5 points, most of the "competitors" meet 4, but none meets
> > all the 5, as far as I know (nobody is perfect...).
> >
>
>
> For me, I've found that making a custom install of RedHat, leaving 95% of
> the stuff out and configuring firewall rules manually is good enough.
> Your mileage may vary.

My main problem here was how to allow a relatively non-expert to do as much
of the maintenance as possible.

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
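An added example, not from this thread or from any of the distros discussed: a minimal file-integrity audit in POSIX sh, the kind of "regular automatic integrity audit" mentioned above for a stripped-down firewall host. It assumes sha256sum, sort, diff and mktemp are available; the directory and baseline paths are hypothetical.

```shell
#!/bin/sh
# Added example: hash-based integrity audit for a stripped-down firewall host.
# The baseline must live somewhere the host cannot silently rewrite (e.g. the
# write-protected configuration floppy, or off-box), and the verify report
# should be shipped off the machine, since a reboot of a CD-based firewall
# erases local traces of an intrusion.

# Record a baseline: one "hash  path" line per regular file under the given dirs.
# Usage: integrity_baseline BASELINE_FILE DIR...
integrity_baseline() {
    baseline="$1"; shift
    find "$@" -type f -exec sha256sum {} + 2>/dev/null | sort -k2 > "$baseline"
}

# Compare the current state against the baseline. Prints one line per
# modified, added or removed file ("<" = as recorded, ">" = as found now)
# and returns 1 if anything differs, 0 if the tree is unchanged.
# Usage: integrity_verify BASELINE_FILE DIR...
integrity_verify() {
    baseline="$1"; shift
    current=$(mktemp) || return 2
    find "$@" -type f -exec sha256sum {} + 2>/dev/null | sort -k2 > "$current"
    # sed always exits 0, so this is safe under 'set -e'; diff's own status
    # (1 when the files differ) is deliberately ignored here.
    changes=$(diff "$baseline" "$current" | sed -n '/^[<>]/p')
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Command-line entry point, e.g. from cron:
#   audit.sh baseline /floppy/baseline.sha256 /etc /sbin /bin
#   audit.sh verify   /floppy/baseline.sha256 /etc /sbin /bin | logger -t integrity
case "${1:-}" in
    baseline) shift; integrity_baseline "$@" ;;
    verify)   shift; integrity_verify "$@" ;;
esac
```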


