Re: One for the Security Guru's

Tony Gale (gale@syntax.dstl.gov.uk)
24 Oct 2002 11:01:04 +0100



On Thu, 2002-10-24 at 10:38, Henning P. Schmiedehausen wrote:
> Gerhard Mack <gmack@innerfire.net> writes:
>
> >Actually at the place that just went bankrupt on me I had a Security
> >consultant complain that 2 of my servers were outside the firewall. He
> >recommended that I get a firewall just for those 2 servers but backed off
> >when I pointed out that I would need to open all of the same ports that
> >are open on the server anyways so the vulnerability isn't any less with
> >the firewall.
>
> So you should've bought a more expensive firewall that offers protocol
> based forwarding instead of being a simple packet filter.
>
> packet filter != firewall. That's the main lie behind most of the
> "Linux based" firewalls.
>
> Get the real thing. Checkpoint. PIX. But that's a little
> more expensive than "xxx firewall based on Linux".
>

That's not entirely accurate, or fair. A packet filter is a type of
Firewall (or can be). A Firewall is a means to implement a security
policy, usually specifically a network access policy. A Packet Filter,
including a "'Linux based' firewall", is a perfectly acceptable means of
achieving that goal, if it meets the policy requirements.

Ref. http://csrc.nist.gov/publications/nistpubs/800-10/ (over 7 years
old, but still highly relevant).

Most commercial firewalls are very bad at protecting servers offering
Internet services; they aren't designed to do it.

-tony
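As an added illustration of the point above (this is example code written for this page, not Tony's or anyone on the thread), here is a written network access policy for one of Gerhard's "outside the firewall" servers rendered as a plain packet-filter ruleset. The same published ports are open either way, as Gerhard says; what the filter adds is the rest of the policy: default deny in both directions, stateful reply handling, admin access restricted to one network, and logging of what gets dropped. The host address, admin network and port list are assumed values.

```shell
#!/bin/sh
# Constructed example: render a written network-access policy as an iptables
# packet-filter ruleset. Nothing is applied to a live kernel; gen_rules only
# prints the commands so the ruleset can be reviewed against the policy first.
# The addresses and ports below are assumed values, not from the thread.

# gen_rules <server-ip> <admin-net> <tcp-port>...
gen_rules() {
    srv="$1"; admin="$2"; shift 2
    # Policy item 1: default deny in every direction, including traffic the
    # server itself initiates (limits what a compromised host can reach).
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -P OUTPUT DROP\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A OUTPUT -o lo -j ACCEPT\n'
    # Policy item 2: replies belonging to accepted sessions are allowed.
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    # Policy item 3: the published services are reachable from anywhere
    # (these are exactly the ports that are open on the server anyway).
    for p in "$@"; do
        printf 'iptables -A INPUT -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' "$srv" "$p"
    done
    # Policy item 4: remote administration only from the admin network.
    printf 'iptables -A INPUT -p tcp -s %s -d %s --dport 22 -m state --state NEW -j ACCEPT\n' "$admin" "$srv"
    # Policy item 5: anything else is logged (rate limited) before the DROP policy applies.
    printf 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "policy-drop: "\n'
}

# count_open <ruleset>: number of inbound new-connection accepts, for review
count_open() {
    printf '%s\n' "$1" | grep -c -- '-A INPUT .*--state NEW -j ACCEPT'
}

gen_rules 192.0.2.10 198.51.100.0/24 80 443
```

Reviewing the printed ruleset against the policy (rather than applying it blind) is the step that makes the packet filter a firewall in the NIST sense: it only counts if it matches the policy.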

