Hack attempts

Scot L. Harris webid at cfl.rr.com
Sat Jul 24 16:56:18 UTC 2004


On Sat, 2004-07-24 at 12:34, Bruno Wolff III wrote:

> I disagree. Hardware routers are pretty much just software routers that
> you don't (generally) have access to the source for, are harder to update,
> and may have backdoors as a recent Netgear model did. The router manufacturers
> have incentive to put in backdoors to cut support costs.
> 
> There are advantages to having a firewall that is on a separate physical
> machine, but hardware firewalls aren't magically better than locked
> down linux boxes not running public services. They may be cheaper, particularly
> if you don't have an old box sitting around that you can use for a firewall.
> 
> Even having a separate firewall doesn't buy you that much if you are protecting
> linux (or BSD) machines as they have very powerful packet filtering software.
> The main advantages are some convenience bringing up new machines (as they
> can be attached to the network before being fully hardened) and that since
> in theory the firewall should be more secure, it is likely to be able to
> prevent outbound attacks after a compromise which a packet filter on a root
> compromised machine won't be able to do.

For those that have the skills, time, equipment, money, a hardened linux
box may be a good alternative.  For the vast majority of people out
there that really just want to use their system for email, web browsing,
games, and possibly some actual work, a simple dedicated inexpensive
router/firewall will do a very good job.  True, it does not have all the
features of a full blown firewall box but then most people don't need
fine grained access controls or the ability to filter or trap specific
packets.

For the price of between 40 and 60 dollars such a firewall can prevent
most if not all attempts at getting at systems sitting behind it.  The
kind of probing mentioned here is just the kind of thing that such a
firewall would deflect very easily.  

Also, using a dedicated single purpose device usually eliminates a large
number of the potential holes that a more complex powerful box may
suffer from if improperly configured.  Fewer options mean fewer chances
to misconfigure things.

I have started the process to build a linux based firewall.  I figure it
will take several weeks if not more to get something that I feel is
secure enough to actually connect directly to the Internet.  Plus I have
to sort out installation and operation of some very complicated software
(iptables, snort, possibly shorewall, tripwire, etc.).  And once I put it
in place I will no doubt have to spend time every day monitoring it to
make sure things continue to work as expected.  At some point I may find
it is not worth it and revert back to a much simpler device.  But I
figure this is a good learning exercise for myself.  

Plus I will continue to run iptables on the systems behind the firewall
along with tripwire as a second line of defense.  

For those that just want to make use of a computer attached to the
Internet via a broadband connection 40 to 60 dollars is well worth it in
most cases.  It not only protects them but keeps their systems from
being used to spam and DDoS other people's systems.

-- 
Scot L. Harris
webid at cfl.rr.com

If one cannot enjoy reading a book over and over again, there is no use
in reading it at all.
		-- Oscar Wilde 
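The thread above contrasts a dedicated router/firewall with a locked-down Linux box running its own packet filter, and Scot mentions keeping iptables on the machines behind the firewall as a second line of defense. The script below is an added example, not code from the mailing-list post or from any of the tools it names: a minimal iptables policy for a Linux host that runs no public services, default-deny in both directions, which makes unsolicited probes fall on the floor (logged, not answered) and limits what a compromised box can reach outbound. It assumes iptables with the conntrack and limit modules (the 2004-era `-m state --state` syntax works the same way), a single external interface, and that the host only needs DNS, HTTP/HTTPS, SMTP submission and NTP; the port list is a constructed example, not something the post specifies. It runs in dry-run mode by default and only applies rules when given `apply` as root.

```shell
#!/bin/sh
# Minimal host firewall for a Linux box that runs no public services.
# Dry-run by default: prints the iptables commands instead of running them.
# Run as "sh hostfw.sh apply" (as root) to actually load the rules.
# Assumptions (constructed for this example, not from the mailing-list post):
# iptables is installed with the conntrack and limit modules, the box has one
# external interface, and outbound traffic is limited to DNS, HTTP/HTTPS,
# SMTP submission and NTP.

DRY_RUN=1
if [ "$1" = "apply" ]; then
    DRY_RUN=0
fi

# run: echo the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_rules: emit (or apply) the complete ruleset, top to bottom
build_rules() {
    # Start from a clean slate
    run iptables -F
    run iptables -X

    # Default deny in every direction: nothing passes unless allowed below.
    # FORWARD is dropped because this is a host, not a router.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    # Loopback is always fine
    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened are allowed back in. This is
    # what lets normal use keep working while unsolicited probes get nothing.
    run iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anything else inbound is logged (rate limited so a scan cannot fill the
    # disk) and then hits the DROP policy: the probing shows up in syslog
    # without the box ever answering it.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "

    # Egress: only the handful of services a desktop needs. If the box is
    # compromised, whatever runs on it cannot freely spam or flood other
    # people's systems on arbitrary ports.
    run iptables -A OUTPUT -p udp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
    for port in 53 80 443 587; do
        run iptables -A OUTPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Log blocked outbound attempts too; an unexpected entry here is a useful
    # early sign that something on the host is trying to talk to the outside.
    run iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-OUT: "
}

build_rules "$@"
```

Run it without arguments to review the exact commands it would issue, then with `apply` as root to load them. The rules live only in the running kernel; use the distribution's iptables-save mechanism to persist them across reboots, and watch the `FW-DROP-IN:` and `FW-DROP-OUT:` lines in syslog, since the outbound ones are the interesting signal once a machine is behind a firewall.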




