three solutions for one Linux box

on 03.09.2007 02:58:29 by john toynbee

Hello,

in your opinion, for one client Linux box with always-on ADSL (dynamic
address), which is safer:

1) only software firewall

2) software firewall + hardware firewall integrated in an ADSL router
(Netgear, etc, etc.) with never updated firmware

3) software firewall + a firewall Linux distro (IPCop, Devil-Linux, etc.
etc), always updated, in an old computer

Is the third solution an excessive one?

Thank you

Re: three solutions for one Linux box

on 03.09.2007 15:18:00 by Ansgar -59cobalt- Wiechers

john toynbee wrote:
> in your opinion, for one client Linux box with always-on ADSL (dynamic
> address), which is safer:
>
> 1) only software firewall
>
> 2) software firewall + hardware firewall integrated in an ADSL router
> (Netgear, etc, etc.) with never updated firmware
>
> 3) software firewall + a firewall Linux distro (IPCop, Devil-Linux, etc.
> etc), always updated, in an old computer

Define "safe". From which threats should your solution protect you?

Assuming you want protection from attacks against open ports:

- Solution 1 is safe, as long as its ruleset isn't b0rken and the
software firewall doesn't have known vulnerabilities (i.e. keep it
up-to-date).
- Solution 2 is safe, as long as its ruleset isn't b0rken and the
software firewall doesn't have known vulnerabilities (i.e. keep it
up-to-date). The router might be an additional line of defense, but
outdated firmware effectively prevents that, because it's likely to
contain exploitable bugs.
- Solution 3 is safe, as long as its ruleset isn't b0rken and the
software firewall doesn't have known vulnerabilities (i.e. keep it
up-to-date). The router is an additional line of defense as long as
its ruleset isn't b0rken and it doesn't have any known vulnerabilities
(i.e. keep it up-to-date).

Besides, there's no such thing as a "hardware firewall". That kind of
firewall is also implemented in software, only it runs on a dedicated
operating system (which hopefully has fewer lines of code and thus fewer
bugs than a general purpose operating system) on dedicated hardware
(which is likely to consume less power than "normal" PC hardware).

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
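Solution 1 from the reply above, made concrete. This is an added example, not code from the thread or from any of its posters: a POSIX shell script that prints a minimal stateful iptables ruleset for a single always-on client box. Everything about the box is an assumption made here: the ADSL link is the interface passed as the first argument (ppp0 in the usage line), the LAN is 192.168.1.0/24, and any service you open (SSH on 22 in the usage line) is admitted only from that LAN range and never from the WAN interface. The script prints the commands rather than running them, so the ruleset can be read and checked before it touches the kernel; apply_rules pipes it into sh as root. On a 2007-era kernel, `-m state --state` is the equivalent of `-m conntrack --ctstate`.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stateful "software firewall"
# ruleset for one always-on client box, i.e. the posted solution 1.
# Assumptions: netfilter/iptables on the box; WAN interface in $1; any
# service you allow is reachable only from the LAN range in $2.

# gen_rules WAN_IFACE LAN_CIDR [TCP_PORT ...]
# Prints the iptables commands instead of running them.
gen_rules() {
    wan="$1"; lan="$2"; shift 2
    echo "iptables -F INPUT"
    # Default-deny for traffic to this host; outbound stays open.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback is needed by almost everything local.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this box started: the stateful part.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Packets conntrack cannot classify: drop before any later rule sees them.
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # Allowed services: LAN source range only, and never via the WAN interface.
    for p in "$@"; do
        echo "iptables -A INPUT ! -i $wan -s $lan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else falls through to the INPUT DROP policy.
}

# apply_rules WAN_IFACE LAN_CIDR [TCP_PORT ...]: run the printed rules (as root).
apply_rules() {
    gen_rules "$@" | sh
}

# check_rules: the "is the ruleset b0rken?" test. Fails if the policy is not
# DROP, if the stateful rule is missing, or if any rule accepting NEW
# connections lacks the LAN source restriction.
check_rules() {
    rules=$(gen_rules "$@")
    if ! echo "$rules" | grep -q -- '-P INPUT DROP'; then return 1; fi
    if ! echo "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'; then return 1; fi
    if echo "$rules" | grep -- '--ctstate NEW' | grep -v -q -- "-s $2 "; then return 1; fi
    return 0
}

# Usage: sh fw.sh ppp0 192.168.1.0/24 22   (review, then pipe into sh as root)
if [ "$#" -ge 2 ]; then gen_rules "$@"; fi
```

The ruleset is only as good as the two things the reply names: keep it unbroken (check_rules is a start) and keep the iptables/kernel packages current.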

Re: three solutions for one Linux box

on 03.09.2007 22:49:00 by ibuprofin

On Mon, 03 Sep 2007, in the Usenet newsgroup comp.security.firewalls, in article
, john toynbee wrote:

>in your opinion, for one client Linux box with always-on ADSL (dynamic
>address), which is safer:

Define "safe". What are you trying to protect against? Stupid users?
No solution is safe. An intelligently configured system with a user who
is not clicking on websites that say "R00t Me!!!" goes a long way in
preventing problems.

[compton ~]$ netstat -tuan
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:21 192.168.1.0:* LISTEN
tcp 0 0 0.0.0.0:22 192.168.1.0:* LISTEN
[compton ~]$

This is a *nix box on an internal LAN, and the only thing open is SSH
and FTP, and only from the LAN address range. No firewall needed,
although there is an external firewall allowing NAT access out (but
not in).

>1) only software firewall

Kept up to date - that will work fine.

>2) software firewall + hardware firewall integrated in an ADSL router
>(Netgear, etc, etc.) with never updated firmware

The only "hardware firewall" is a network (Ethernet) cable that has
no wires connected. ALL firewalls have software, and all should be
kept up to date to avoid problems.

>3) software firewall + a firewall Linux distro (IPCop, Devil-Linux, etc.
>etc), always updated, in an old computer

What is your Linux distribution supposed to be doing? IPCop is a
cut-down Linux distribution that is intended to operate as a firewall,
and _only_ as a firewall. It has some advanced firewalling features,
including VPNs using IPSec. Devil-Linux is a distribution which boots
and runs completely from CDROM. The configuration can be saved to a
floppy diskette or a USB pen drive. Devil Linux was originally intended
to be a dedicated firewall/router but now Devil-Linux can also be used
as a server for many applications (which is an incredibly stupid idea).
A firewall box is NOT a workstation, and should not be a server - the
principle is the more "stuff" you have running on a firewall, the more
you have to work to configure it safely. If it's not installed, it can
not be exploited.

>Is the third solution an excessive one?

In Linux (and other UNIX-like operating systems such as the *BSDs), the
firewall is part of the kernel. Tools like 'iptables', 'ipfw' or the
fancy GUI webpage used in IPCop are used to _configure_ that firewall.
They are NOT the firewall itself.

Firewalls cannot protect against stupidity. Remember Windoze 3.1? You could
not hack into windoze3.1 over the network (it didn't have a network
capability), yet there were thousands of worms, trojans, viruses and
other mal-ware installed by users who were determined to do stupid
things. Are your users any better?

Old guy
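The netstat check in the post above, turned into a repeatable audit. This is an added example, not code from the thread or from any of its posters: a shell function that reads netstat-style lines and reports the listeners reachable from any source address, which is the set a firewall would actually have to cover. The sample output is constructed here: the two LISTEN lines mirror the post, and the 631, 3306 and 68 lines are added so the audit has something to flag. It follows the post's reading of the Foreign Address column, where a non-wildcard value such as 192.168.1.0:* counts as a source restriction.

```shell
#!/bin/sh
# Added example (not from the thread): audit which listening sockets are
# reachable from any source address, using netstat-style output.

# Constructed sample. The two LISTEN lines from the post are kept; the 631,
# 3306 and 68 lines are added here so the audit has something to flag.
# On a real box, feed the functions `netstat -tuln` (or `ss -tuln`) instead.
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:21 192.168.1.0:* LISTEN
tcp 0 0 0.0.0.0:22 192.168.1.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*
EOF
}

# list_exposed: read netstat lines on stdin and print "proto port" for every
# listener bound to a wildcard local address whose foreign-address column is
# also a wildcard. A non-wildcard foreign address (192.168.1.0:* in the post)
# is treated as the source restriction the post describes; a loopback-only
# bind (127.0.0.1) is not reachable from outside either.
list_exposed() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # the port is whatever follows the last colon, so IPv6 binds like :::22 work too
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            m = split($5, b, ":"); faddr = substr($5, 1, length($5) - length(b[m]) - 1)
            wildcard = (addr == "0.0.0.0" || addr == "::" || addr == "*")
            unrestricted = (faddr == "0.0.0.0" || faddr == "::" || faddr == "*")
            listening = ($1 ~ /^udp/ || $6 == "LISTEN")   # UDP lines have no State column
            if (wildcard && unrestricted && listening) print $1, port
        }'
}

# exposed_count: number of such listeners. Zero is the state the post calls
# "no firewall needed": nothing an outside host could connect to.
exposed_count() {
    list_exposed | wc -l | tr -d ' '
}

# Usage on the constructed sample; on a live host: netstat -tuln | exposed_count
sample_netstat | list_exposed
```

Run against the post's own two lines only, the count is zero, which is the point the post makes; the added 3306 and 68 lines are what a default-deny INPUT policy would have to block.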