Router/Firewall Recommendation
Rodolfo J. Paiz
rpaiz at simpaticus.com
Thu Jun 24 05:28:20 UTC 2004
At 10:48 AM 6/23/2004, Otto Haliburton wrote:
>A hardware firewall is practically
>impenetrable because the outside world never knows the IP address of
>computers behind the firewall, whereas the first level is penetrated
>automatically by a non-hardware firewall; you have to think about this a
>little to get what I mean.
Otto, your thoughts are well-reasoned but totally wrong, since you think of
a "hardware" firewall as something made of brick with no holes.
All "hardware" firewalls (all of them, no matter how cheap or expensive or
anything) run software inside them! All of them. Cisco, Firewall/1,
Linksys, Netgear... all of them. It just happens that the code is:
a) embedded in firmware, so no hard drive or moving parts (good)
b) hidden from you, so you cannot know if there are any mistakes
in the code (bad)
c) not accessible to you, so you cannot make changes (bad)
Note specifically that some Linksys router/firewalls run on Linux, as does
Firewall/1 if I recall correctly. There is *always* code and software, and
the hardware firewalls are *not* impenetrable. In fact IIRC nearly every
(perhaps every?) major firewall maker of any type has had vulnerabilities
discovered and exploited in their devices. No code is perfect, no firewall
is perfect.
All machines can be hacked, and if your Linksys is ever
hacked/cracked/exploited you'll NEVER KNOW IT. And if there *is* a
vulnerability discovered, and publicized, and Linksys (or whomever) chooses
not to fix or to delay fixing that hole then there's nothing you can do
about it.
Please don't take this to mean that I think those little blue boxes are
bad... oh no, not at all. I rather like them, and in fact I have
recommended them to a few dozen people. They work and they generally do so
pretty well. For some people, in some cases. Linux or other good software
firewalls also work and work well, usually for different people in
different circumstances. All I mean to do is to thoroughly cast out those
demons who whisper impenetrability in your ear.
As for the "first level is penetrated automatically" thing, well...
bullshit. Sorry to be so direct, but I challenge you or anyone to set up a
hardened Linux firewall with NAT or masquerading and proper controls and
"penetrate" the thing in any way. NAT and masquerading are great things.
They work well. But they are not the only things, and they are not perfect
things. Multiple layers of defense always, multiple tools, and the
reasonable understanding of the pros/cons of each approach.
Cheers,
--
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com
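The "hardened Linux firewall with NAT or masquerading and proper controls" the post challenges readers to penetrate, written out as an added example. It is not part of the original message and not the configuration of any product named in it. It assumes a box with a WAN interface eth0, a LAN interface eth1 and a LAN network 192.168.1.0/24 (all three are assumptions, overridable through environment variables), and it uses the iptables command set the post's era would have used. The masquerade is one rule; everything else is the access control the post says NAT alone does not give you, plus logging so that, unlike the sealed blue box, you can see when something is knocking.

```shell
#!/bin/sh
# Added example: NAT/masquerading on a Linux firewall together with the
# "proper controls" that actually do the filtering. Not from the original post.
# Assumed topology (override via environment): WAN on eth0, LAN on eth1,
# LAN network 192.168.1.0/24.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# fw_rules prints the commands one per line instead of running them, so the
# ruleset can be reviewed without root. "fw_rules | sh -e" applies it.
fw_rules() {
    # Kernel side: enable routing, and reject packets whose source address
    # could not be routed back out the interface they came in on (anti-spoof).
    echo "sysctl -q -w net.ipv4.ip_forward=1"
    echo "sysctl -q -w net.ipv4.conf.all.rp_filter=1"

    # Start from a clean slate in both the filter and nat tables.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -X"

    # Default deny. This, not the masquerade, is what makes the box a
    # firewall: with FORWARD set to ACCEPT, a packet arriving on $WAN that
    # is already addressed to a $LAN_NET host would be routed straight
    # through; NAT only rewrites packets, it never refuses them.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # Loopback, then connection tracking: only replies to connections that
    # were opened from the inside are allowed back in, and malformed or
    # out-of-state packets are dropped before any other rule sees them.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Anti-spoofing at the rule level as well: nothing claiming a LAN source
    # address may enter from the WAN side.
    echo "iptables -A INPUT -i $WAN -s $LAN_NET -j DROP"
    echo "iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP"

    # Management (ssh) is reachable from the LAN only, never from the WAN.
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT"

    # The one thing inside hosts may do: open new connections out to the WAN.
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT"

    # The NAT part. Outbound traffic leaves with the WAN address as source,
    # so the outside never sees a $LAN_NET address. One rule.
    echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"

    # Log what the default policy is about to drop, rate-limited so a scan
    # cannot fill the disk. This is the visibility a sealed appliance lacks.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop-input: '"
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'fw-drop-fwd: '"
}

# Command-line use: "show" prints the ruleset, "apply" loads it (needs root).
# Run with no argument the script only defines fw_rules, so it can be sourced.
case "${1:-}" in
    show)  fw_rules ;;
    apply) fw_rules | sh -e ;;
    "")    ;;
    *)     echo "usage: $0 show|apply" >&2; exit 2 ;;
esac
```

Review with `sh firewall.sh show` and load with `sudo sh firewall.sh apply`; on current distributions the `iptables` binary is usually the nft-backed one, and the rules translate unchanged. The script deliberately does not persist anything across reboots, and it has no port forwards: every inbound hole you later punch (a DNAT rule, or a UPnP mapping on a consumer box) is an exception to the FORWARD DROP policy and should be reviewed as one.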