Router/Firewall Recommendation

Rodolfo J. Paiz rpaiz at simpaticus.com
Thu Jun 24 05:28:20 UTC 2004


At 10:48 AM 6/23/2004, Otto Haliburton wrote:
>A hardware firewall is practically
>impenetrable because the outside world never knows the IP address of
>computers behind the firewall, whereas the first level is penetrated
>automatically by a non-hardware firewall; you have to think about this a
>little to get what I mean.

Otto, your thoughts are well-reasoned but totally wrong, since you think of 
a "hardware" firewall as something made of brick with no holes.

All "hardware" firewalls (all of them, no matter how cheap or expensive or 
anything) run software inside them! All of them. Cisco, Firewall/1, 
Linksys, Netgear... all of them. It just happens that the code is:

         a) embedded in firmware, so no hard drive or moving parts (good)

         b) hidden from you, so you cannot know if there are any mistakes 
in the code (bad)

         c) not accessible to you, so you cannot make changes (bad)

Note specifically that some Linksys router/firewalls run on Linux, as does 
Firewall/1 if I recall correctly. There is *always* code and software, and 
the hardware firewalls are *not* impenetrable. In fact IIRC nearly every 
(perhaps every?) major firewall maker of any type has had vulnerabilities 
discovered and exploited in their devices. No code is perfect, no firewall 
is perfect.

All machines can be hacked, and if your Linksys is ever 
hacked/cracked/exploited you'll NEVER KNOW IT. And if there *is* a 
vulnerability discovered, and publicized, and Linksys (or whoever) chooses 
not to fix or to delay fixing that hole, then there's nothing you can do 
about it.

Please don't take this to mean that I think those little blue boxes are 
bad... oh no, not at all. I rather like them, and in fact I have 
recommended them to a few dozen people. They work and they generally do so 
pretty well. For some people, in some cases. Linux or other good software 
firewalls also work and work well, usually for different people in 
different circumstances. All I mean to do is to thoroughly cast out those 
demons who whisper impenetrability in your ear.

As for the "first level is penetrated automatically" thing, well... 
bullshit. Sorry to be so direct, but I challenge you or anyone to set up a 
hardened Linux firewall with NAT or masquerading and proper controls and 
"penetrate" the thing in any way. NAT and masquerading are great things. 
They work well. But they are not the only things, and they are not perfect 
things. Multiple layers of defense always, multiple tools, and a 
reasonable understanding of the pros/cons of each approach.

Cheers,


-- 
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com
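The post above argues that NAT/masquerading is one layer, not a complete defence, and that a "hardened Linux firewall with proper controls" adds the rest: default-deny policies, stateful filtering, anti-spoofing, and logging so that you *do* find out when something is dropped. The following script is an added example written for this page; it is not code from the original post or from any firewall vendor. It generates an iptables-restore ruleset that combines those layers. The interface names (eth0 facing the WAN, eth1 facing the LAN) and the LAN range 192.168.1.0/24 are assumptions passed in as parameters; adjust them for a real network.

```shell
#!/bin/sh
# Added example (not from the original post): build a layered iptables
# ruleset for a Linux NAT/masquerading firewall and apply it atomically.
# Parameters: WAN interface, LAN interface, LAN network (all assumed values).

gen_rules() {
    wan="$1"        # interface facing the ISP, e.g. eth0 (assumed)
    lan="$2"        # interface facing the LAN, e.g. eth1 (assumed)
    lan_net="$3"    # private LAN range, e.g. 192.168.1.0/24 (constructed)
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Layer 1: masquerade LAN traffic leaving on the WAN interface
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
*filter
# Layer 2: default-deny on INPUT and FORWARD; nothing passes unless allowed
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Layer 5: rate-limited logging of everything we drop, so drops are visible
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
# Layer 3: stateful filtering; malformed packets are logged and dropped
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Layer 4: anti-spoofing; LAN source addresses must never arrive from the WAN
-A INPUT -i $wan -s $lan_net -j LOGDROP
-A FORWARD -i $wan -s $lan_net -j LOGDROP
# Management (SSH) is reachable only from the LAN side
-A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m conntrack --ctstate INVALID -j LOGDROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only new connections originating on the LAN may be forwarded out
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}

apply_rules() {
    # Requires root. Enable forwarding and kernel reverse-path filtering,
    # then load the whole ruleset in one atomic iptables-restore call.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    sysctl -w net.ipv4.conf.all.rp_filter=1 >/dev/null
    gen_rules "$@" | iptables-restore
}

# Usage: ./fw.sh apply eth0 eth1 192.168.1.0/24
#        ./fw.sh eth0 eth1 192.168.1.0/24      (preview the ruleset only)
if [ "$1" = apply ]; then
    shift
    apply_rules "$@"
elif [ $# -ge 3 ]; then
    gen_rules "$@"
fi
```

Run without `apply` to preview the generated ruleset before loading it; the `LOGDROP` chain means every rejected packet shows up in the kernel log with the `FW-DROP:` prefix, which is the visibility the post says a closed "blue box" does not give you.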
More information about the redhat-list mailing list