RE: Smooth wall - more detailed
- To: "'Linux-IL mailing list'" <linux-il(at-nospam)linux.org.il>
- Subject: RE: Smooth wall - more detailed
- From: "Haim Gelfenbeyn" <rnews(at-nospam)hageltech.com>
- Date: Thu, 30 Aug 2001 10:19:54 +0300
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Importance: Normal
- In-Reply-To: <3B8DD131.AC52688C@netmask.it>
- Organization: Hagel Technologies
- Reply-To: <haim(at-nospam)hageltech.com>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
>
> In any case, there is a major drawback for both:
>
> Contrary to special "hardened" distros (such as Smoothwall and Astaro),
> SuSE and Mandrake may be easier to break into.
>
This is debatable. If you disable all network services except what is
vital for the firewall, it all comes down to the quality of your
firewall rules and the security of the Linux kernel. Since you can set up
firewall rules easily on Smoothwall and Astaro, this is a plus. OTOH, a
novice can create firewall rules that offer little security, and he
won't know about it. Creating rules manually requires a deep dive into
network security and the inner workings of TCP/IP, and the user learns
something about firewalls along the road.
These "hardened" distros simply have many services disabled compared to
a regular distro, and offer some add-ons. Two things that I like on Astaro
are AVP antivirus checking all incoming mail for viruses/trojans, all set
up automatically, and extensive logging and reporting, available from
the web interface.
> In addition, most of the "firewall-dedicated" distros are read-only (i.e.
> they come on a bootable CD, or are downloaded and burned on a CDR, while
> their configuration resides on a floppy, that is usually write-protected
> (and is enabled for writing only during re-configurations).
>
And how exactly is this a plus? If you get rooted, it will stay that way
till the machine is rebooted (my firewall machine's uptime is 7 months
now). And when rebooted, you will lose all traces of the attack, so it
will probably go unnoticed. Granted, it's easy to recover from an attack,
but as long as you don't fix the security flaw that let the intruder get
in, you don't prevent future attacks.
> I don't believe that this is the case with Mandrake/SuSE, so they don't
> make them really "running for their money".
>
Quality backup and regular automatic or manual integrity audits are
enough, IMHO.
> A mid-summary: To make things easier, let me summarize the criteria for a
> Linux firewall to be ideal:
>
> * free (where Astaro is inferior)
> * based on a distro dedicated for being a firewall (where Mdk and SuSE
> are inferior), preferably read-only (except for the configuration,
> which is writable only when needed, and optional logging)
> * 2.4.* based (i.e. support for iptables/netfilter/stateful-inspection)
> * GUI (where most of the mini-distros are inferior)
> * support all the important features (it may surprise some of you, but
> some "firewall" packages don't support more than 2 interfaces, i.e. no
> support for DMZ!)
>
> Among those 5 points, most of the "competitors" meet 4, but none meets
> all the 5, as far as I know (nobody is perfect...).
>
For me, I've found that making a custom install of RedHat, leaving 95% of
the stuff out and configuring firewall rules manually, is good enough.
Your mileage may vary.
Haim.
> --
> Eli Marmor
> marmor@netmask.it
> CTO, Founder
> Netmask (El-Mar) Internet Technologies Ltd.
> __________________________________________________________
> Tel.: +972-9-766-1020
> Fax.: +972-9-766-1314
> Mobile: +972-50-23-7338
> 8 Yad-Harutzim St.
> P.O.B. 7004
> Kfar-Saba 44641, Israel
>
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il