Router/Firewall Recommendation

Otto Haliburton ottohaliburton at comcast.net
Thu Jun 24 07:42:25 UTC 2004



> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Rodolfo J. Paiz
> Sent: Thursday, June 24, 2004 2:14 AM
> To: General Red Hat Linux discussion list
> Subject: RE: Router/Firewall Recommendation
> 
> At 12:17 AM 6/24/2004, Otto Haliburton wrote:
> >glad you have the time and energy to do what you do and it works for you.
> >With all the maintenance and stuff, I am glad you have the time to do it and
> >I can tell you are deep into it.
> 
> Well, I did spend more time learning... but given any PC with two network
> cards (or one connection to the Internet and one network card) I can be
> online and working in less than 1 hour. That's less time than it would take
> to drive to Office Depot and back. As I said, pros and cons on each side.
> 
> >For $40 dollars, I can put my computers
> >behind a firewall and forget about it cause it ain't going to be hacked by
> >anybody and it has good performance and reliability.
> 
> History proves conclusively that anyone who says "it can't be done" (and
> especially "it can't be hacked") is eventually proven wrong. Come on... the
> NSA, CIA, and many *major* banks worldwide have been hacked, but your
> little blue box is perfect? Right.
> 
> >Are you more secure no.
> 
> I'd be happy to see you provide any evidence for that statement.
> 
> >I mean large
> >corporations would have a perfect solution with your hook up but they are
> >very vulnerable with this setup.
> 
> Please explain where the vulnerability lies, since to you it's obvious.
> Also, when showing any vulnerability, please show how that does not apply
> to the LBB (Little Blue Box since I'm tired of typing that so often and I
> don't want to specifically pick on Linksys). My Linux box is a router,
> firewall, gateway, masquerading server with DHCP. So is your LBB. Where do
> you see the vulnerability?
> 
> Also note that this setup has run nicely at my home, my mom's home, my
> wife's three-person office, etc. for years now. Three boxes are over four
> years old. *None* of them require more than 15 minutes a month from me. And
> the LBB's I oversee *also* need that time... firmware updates,
> configuration changes, etc.
> 
> >Routers have their problems and in to
> >enable certain features you can open up, but for all practical purposes
> >individuals don't need to do that.  So for the cost factor you can't beat
> >the hardware router.  Cheers!!
> 
> Hold on: you've said that routers have their problems and they are
> vulnerable. You've especially stated that "large corporations" are very
> vulnerable. I see two problems:
> 
>          1. There is a direct contradiction in your statement that routers
> are vulnerable but that your LBB is perfect, since of course your LBB *is*
> a router. Note your last line re "the hardware router."
> 
>          2. There is an implicit contradiction (in what I consider common
> sense) in your statement that large corporations are very vulnerable, since
> it sounds like you are saying that a $3,000 box with Firewall/1 on it
> (which is the *only* thing that product line does) or an ICSA-certified
> defense-in-depth firewall is going to be somehow less secure than the $50
> LBB in which you place your undying faith.
> 
> Given that #2 is an interpretation, I might be misreading you.
> 
> I'll also disagree with the "routers have [...] certain features you can
> open up, but for all practical purposes individuals don't need to do that."
> First off, the LBB is a router, and it has features you can open, and ports
> you can forward. How is that any different? Second, who are you to tell all
> individuals what they do and don't need? Ed Wilts just posted recently
> about the web and mail servers he runs behind an LBB... should he shut them
> off? Third, since the LBB *does* allow you to open up ports (incoming and
> outgoing) and forward ports to other machines, and since you say the LBB is
> perfect, then opening and forwarding ports *must* be secure, right?
> 
> Finally, re the cost factor: you buy N LBB devices for $40 each. I set up
> firewalls that generally cost me $0 each. For N>0, the LBB is going to be
> more expensive in direct cost. Did I have a learning cost? Yes! Say that
> cost was ridiculously high... $4,000 of my time invested. So after 100
> boxes, I'm breaking even monetarily but the reality is that I don't care
> because (a) I wanted to learn it and (b) it didn't cost me $4,000. If
> anything it cost me $500 in time, and I *have* set up easily 25 firewalls
> so far. $500 cost, $1,000 saved... I'm ahead.
> 
> Is everyone going to want to do this my way? No. Are they wrong? No. Is my
> path and solution a valid one? Yes. Am I wrong? No.
> 
> Care to comment? Because you are not proving anything to me so far.
> 
> And Otto, P-L-E-A-S-E!!!!! trim previous posts from your reply. It's
> downright rude to force everyone to read through four pages of prior text
> *again* because you didn't take the time to format a post properly. Keep
> whatever you need, but don't just resend the whole damn thing. It's *not*
> nice.
> 
This is that old "Linux is better than the world" bullshit.  I am saying
something very simple.  There is no learning curve: you spend your money and
you plug and play.  The fact that you were donated some boxes and stuff is
good.  Large corporations are defeated, as I said, when they open their boxes
to the outside world, because the penetration occurs when the OS is cracked
and the defense is shut down.  Also, when they set up, they may open a port for
a particular piece of software that comes back to bite them in the ass.  In
general, though, they are more vulnerable because they are a 'value target',
whereas the individual generally is not worth the effort.  It is a stretch
to say that what I am saying is contradictory.  I am saying that most of the
problems are due to human error and not to the boxes themselves.  As I said,
port forwarding and all that stuff is available in the hardware router and
it is a hell of a lot cheaper to set up.  I am not sure how you can easily
defeat NAT with simplicity either.  The iptables and other methods are doing
that along with port forwarding and stuff, but you get the same stuff with
the hardware router, and you get isolation, which is the good thing.  Also you
can chain these routers together with hubs and routers etc.

Also, the standard for this particular list is to bottom-post, and that has
nothing to do with trimming.  The purpose of the bottom post is to be able
to follow the entire transaction.  I personally believe that top posts are
the way to go, because they give the reader the option of following the
transaction or just reading the last post.  But at last that has proven to
be a futile effort.
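Both posters refer to the same thing without showing it: a Linux box with two network cards doing NAT/masquerading, and a port forward that "comes back to bite" when it is opened carelessly. The script below is an added example, not something either poster wrote. It builds the minimal iptables ruleset for such a gateway with a default-deny policy, and shows that a DNAT port forward needs a matching, narrowly scoped FORWARD rule rather than a blanket accept. The interface names, LAN subnet and forwarded host/port are constructed placeholders; setting `IPT=echo` prints the rules instead of applying them so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): iptables ruleset for a two-NIC
# Linux gateway doing masquerading plus one port forward.
# All values below are constructed placeholders, overridable via the environment.
WAN_IF="${WAN_IF:-eth0}"                 # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"                 # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # constructed LAN subnet
FWD_HOST="${FWD_HOST:-192.168.1.10}"     # constructed: internal web server
FWD_PORT="${FWD_PORT:-80}"               # constructed: published service port

# Command prefix. IPT=echo turns the script into a dry run that prints
# every rule it would apply; IPT=iptables (the default) applies them.
IPT="${IPT:-iptables}"

gateway_rules() {
    # Start clean and default-deny: nothing reaches the gateway or crosses
    # it unless a rule below allows it. Outbound from the gateway is allowed.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to flows the gateway or LAN already opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may talk to the gateway (DHCP, DNS, SSH) and out to the WAN.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Masquerade outbound LAN traffic behind the WAN address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Port forward. The DNAT rewrites the destination; the FORWARD rule is
    # what actually lets the packet through, so it is scoped to exactly one
    # host, protocol and port rather than "anything from the WAN".
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$FWD_HOST:$FWD_PORT"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$FWD_HOST" \
        --dport "$FWD_PORT" -m state --state NEW -j ACCEPT

    # Everything else arriving on the WAN interface is dropped explicitly.
    $IPT -A INPUT -i "$WAN_IF" -j DROP
}

# Dry-run the ruleset and print it, one rule per line.
dump_rules() {
    ( IPT=echo; gateway_rules )
}

# Review helper: number of FORWARD rules that admit new flows from the WAN.
# One per intentionally published service is the expected answer; more than
# that means a port was opened that the operator did not mean to open.
count_wan_forwards() {
    dump_rules | grep -c -- "-A FORWARD -i $WAN_IF"
}

# Usage: "sh gateway.sh apply" installs the rules (needs root and a kernel
# with iptables); "sh gateway.sh review" prints them and the WAN-forward count.
case "${1:-}" in
    apply)
        sysctl -w net.ipv4.ip_forward=1
        gateway_rules
        ;;
    review)
        dump_rules
        echo "WAN forwards: $(count_wan_forwards)"
        ;;
esac
```

Run it with `review` before `apply`: the printed rules are the whole policy, and the forward count is the number the operator has to be able to justify. Adding a second service means adding both a DNAT and a scoped FORWARD rule, and the count goes up by exactly one.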