How secure is a Linux firewall?

How secure does this group consider a well installed and well maintained Linux-based firewall compared to a canned solution like a PIX? I've mentioned installing a backup Linux-based firewall to my management that we could put online in case of a hardware failure, and the feeling was that it would be too much of a security hole. How can I prove otherwise?

I know of a couple of companies that are using Linux as their main solution and they haven't reported any security issues. My gut feeling was that the Linux code was probably more reviewed than many companies' main products.

Ron

rsesnaski

Do you or anybody else in your organization have any real on-the-job experience with Linux solutions? Because if there is none there, then management is making the right call in not allowing that to occur. And the better solution would be a FW appliance in their view.

The operative words there are *you know a couple of companies* and *your gut feeling*. It's not your company or your department. If the company has expertise and trust in FW appliances, it's not your job to try to change their minds or convince them otherwise. You're asking for trouble.

Duane :)

Duane Arnold

That FEW means FW.

Fat fingers

Duane :)

Duane Arnold

Every firewall is as secure as its operator is able to secure it.

Peter

Peter Boosten

Wrong you would be. A Linux install is a full operating system with a firewall application running on it. An appliance may also run a Linux kernel, but it only has the parts necessary to be a firewall, and then it's tested and certified against standards set up by the community.

The difference is that a home-grown solution is only as good as the person setting it up, and that means the OS, the firewall application, and the quality of the code that has not been certified in the solution that the installer made.

I will trust a certified appliance over a computer/os/app any day.

One thing you seem to be missing is that a properly set up firewall appliance is easier to maintain, less costly, and more stable than a PC-based solution of any type. Of the hundreds of firewall appliances we've installed, not one customer has been compromised or exposed to malicious code; it's all blocked by the firewall.

Please don't confuse a firewall with those cheap NAT appliances claiming to be firewalls.

Leythos

A lot of experience in the company. I personally have installed a lot of Linux, more at the workstation/server level, but with a number of external FTP sites. I've port scanned and hardened hosts by turning off services/ports. I'd be more than comfortable ensuring there are zero open external ports and that sort of thing. The question wasn't about my experience, which is an unknown to anyone on this list, but about the security of Linux firewalls instead.

Ron

rsesnaski

My $.02 is that you're better off with a standalone appliance than you are with a host-based solution running with the OS.

Duane :)

Duane Arnold

I hear this all the time, but every 'standalone appliance' is a general purpose computer running an OS, typically a BSD 4 derivative. With a Linux (or Free/Net/OpenBSD) solution, you can build a firewall with a generic 1U server that almost certainly has higher performance hardware than a typical commercial router. Installing the 'barebones' OS and the corresponding packet filter (e.g. pf or iptables) is simple. Writing the configuration files is the most work, but that is true of any firewall.

My concern with many of the commercial systems is that they simply have not had the same level of code review as the open source programs. This is especially true of the OpenBSD project. It wasn't long ago that Cisco was forced to admit that they had HARD CODED a password in some routers. This is such a fundamental coding violation (e.g. you would lose points in Programming 101) that it puts into question their entire code auditing process. So, I would argue that the open source solutions are more secure than the closed commercial solutions.

So, I guess I would say that a Linux firewall is fine, but

1) you need to know what you are doing (as you have discussed in detail)
2) a firewall should run on a dedicated computer so as to minimize the attack tree (you can't exploit a bug in software that isn't installed)

If these conditions are acceptable, then I see nothing wrong with a Linux firewall.

Bob Folkerts

You are mistaken in that you seem to miss the point that YOUR IMPLEMENTATION does not get any review by an outside source.

Your implementation hopes that you installed the OS in a secure manner, hopes that you set up the firewall application properly, hopes that you set up the rules properly.

An appliance is already "certified" to be compliant by the community, won't have an improperly installed OS, won't have improperly installed firmware/application, and is generally harder to set up bad rules on.

Leythos

I'll agree with the other poster as to what is being said about a certified standalone appliance as opposed to a Linux solution. And besides, I don't think the OP is going to convince management otherwise, and if he pushes it, it may be more trouble than it's worth. I have been there and done that.

Duane :)

Duane Arnold

As sure as the sysadmin is!!!

black.1nk

Sorry for the late replies, but working 24/7 is wearing me down; gotta love the high tech wreck :))

On this note and a similar thread, "your implementation" is a lot less error-prone than the thousands of lines of OS and daemon code. It is a lot easier to review 20 lines of a config file than the low-level code underneath it.

I did mention in the original post a "well installed and maintained" Linux firewall. In my particular case it would be with all external ports shut down (everything out and nothing in) and scanned with something like nmap.

Ron

rsesnaski

I agree with all of these points. My original post, though, did say it would be used as a *backup* firewall. We have a fairly expensive main firewall from a reputable manufacturer; the problem here is that it's a single point of failure, and we have a fairly important need to maintain our internet connection. The main firewall has a 24 hr replacement time on the maintenance contract.

I think what I'm looking for here is pointers to papers discussing the security of Linux firewalls, perhaps discussing the pros and cons.

Ron

rsesnaski

Then you won't find anything that indicates more than this:

A firewall, on ANY OS, is as secure as the underlying OS and the application acting as the firewall, and is based on the rules created to allow inbound or outbound traffic.

You see, it really doesn't matter what OS; it's a simple fact that you can't just install the OS, you have to remove default services, remove unnecessary components, etc...

Since you are not going to read the zillions of lines of code that make up the remaining OS parts, since you are not going to read the zillions of lines of code that make up the firewall app, you have to find a way to trust the configuration that YOU build.

Checking the rules is simple, it's knowing if they work as expected that is difficult. This is where a certified solution is important.

Yes, I could take the time (which is money) to build a BSD box and strip it, then setup the firewall / proxy functions, but, it would not be a certified solution, so I would be relying on what "I've" learned to assure myself and others that the solution is secure.

I could also purchase a quality appliance or stand alone server from a vendor that has passed certification testing with their solution and be many times more confident that the solution is secure.

If the firewall application is free, there are still many costs associated with it that need to be accounted for - in most cases, a certified appliance becomes cheaper when you actually count all the costs of using a "Free" solution.

Leythos
