three solutions for one Linux box

Hello,

in your opinion, for one client Linux box with always-on ADSL (dynamic address), which is safer:

1) only software firewall

2) software firewall + hardware firewall integrated in an ADSL router (Netgear, etc, etc.) with never updated firmware

3) software firewall + a firewall Linux distro (IPCop, Devil-Linux, etc. etc.), always updated, on an old computer

Is the third solution an excessive one?

Thank you

john toynbee

Define "safe". From which threats should your solution protect you?

Assuming you want protection from attacks against open ports:

- Solution 1 is safe, as long as its ruleset isn't b0rken and the software firewall doesn't have known vulnerabilities (i.e. keep it up-to-date).

- Solution 2 is safe, as long as its ruleset isn't b0rken and the software firewall doesn't have known vulnerabilities (i.e. keep it up-to-date). The router might be an additional line of defense, but outdated firmware effectively prevents that, because it's likely to contain exploitable bugs.

- Solution 3 is safe, as long as its ruleset isn't b0rken and the software firewall doesn't have known vulnerabilities (i.e. keep it up-to-date). The router is an additional line of defense as long as its ruleset isn't b0rken and it doesn't have any known vulnerabilities (i.e. keep it up-to-date).

Besides, there's no such thing as a "hardware firewall". That kind of firewall is also implemented in software, only it runs on a dedicated operating system (which hopefully has fewer lines of code and thus fewer bugs than a general purpose operating system) on dedicated hardware (which is likely to consume less power than "normal" PC hardware).

cu

59cobalt
Ansgar -59cobalt- Wiechers
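To make the "as long as its ruleset isn't b0rken" condition concrete, here is the kind of software firewall the three solutions all share, for a single Linux client on a dynamic-address line: a default-deny iptables-restore ruleset plus a text-level check that the ruleset is not broken. This is an added example of my own, not code from the thread or from 59cobalt; it assumes (my assumptions, not the post's) a LAN of 192.168.1.0/24, an uplink interface named ppp0, and SSH as the only service that should be reachable, and only from the LAN. Nothing depends on the box's own public address, so the dynamic ADSL address does not matter.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny host ruleset for a single
# Linux client, emitted in iptables-restore format so it can be reviewed as text
# before it touches the kernel. LAN range and uplink interface are assumptions
# for this example and can be overridden from the environment.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-ppp0}"

# Emit the ruleset. Nothing is loaded into the kernel here.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted
-A INPUT -i lo -j ACCEPT
# replies to connections this box started
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# private source addresses have no business arriving on the uplink
-A INPUT -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $WAN_IF -s 192.168.0.0/16 -j DROP
# new SSH connections and pings only from the LAN; everything else hits the DROP policy
-A INPUT -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# The "is the ruleset b0rken" question, answered on the text: INPUT must default
# to DROP, replies to our own connections must be accepted, and no ACCEPT may be
# unconditional (no source, no interface and no connection-state restriction).
# Reads the ruleset on stdin; returns 0 when all three hold.
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' \
        || { echo "check_ruleset: INPUT policy is not DROP" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED -j ACCEPT' \
        || { echo "check_ruleset: no stateful ACCEPT for replies" >&2; return 1; }
    bad=$(printf '%s\n' "$rules" | grep -- '-j ACCEPT' \
        | grep -v -e '-s ' -e '-i ' -e '--ctstate' || true)
    [ -z "$bad" ] || { printf 'check_ruleset: unconditional ACCEPT: %s\n' "$bad" >&2; return 1; }
    return 0
}

# Load the ruleset into the running kernel: only as root and only after the
# text check passes. iptables-restore replaces the whole filter table at once,
# so a typo does not leave the box half-configured.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
    gen_ruleset | check_ruleset || return 1
    gen_ruleset | iptables-restore
}

# "sh firewall.sh" prints the ruleset for review; "sh firewall.sh apply" loads it.
if [ "${1:-}" = "apply" ]; then apply_ruleset; else gen_ruleset; fi
```

The check is deliberately crude (it greps the text rather than parsing it), but it catches the two mistakes that actually turn a host firewall into decoration: an ACCEPT default policy, and a blanket "-p tcp --dport N -j ACCEPT" with no source or state restriction, which is exactly the rule an outdated router in front of the box would not save you from.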

Define "safe". What are you trying to protect against? Stupid users? No solution is safe. An intelligently configured system with a user who is not clicking on websites that say "R00t Me!!!" goes a long way in preventing problems.

    [compton ~]$ netstat -tuan
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:21              192.168.1.0:*           LISTEN
    tcp        0      0 0.0.0.0:22              192.168.1.0:*           LISTEN
    [compton ~]$

This is a *nix box on an internal LAN, and the only things open are SSH and FTP, and only from the LAN address range. No firewall needed, although there is an external firewall allowing NAT access out (but not in).

Kept up to date - that will work fine.

The only "hardware firewall" is a network (Ethernet) cable that has no wires connected. ALL firewalls have software, and all should be kept up to date to avoid problems.

What is your Linux distribution supposed to be doing? IPCop is a cut-down Linux distribution that is intended to operate as a firewall, and _only_ as a firewall. It has some advanced firewalling features, including VPNs using IPSec. Devil-Linux is a distribution which boots and runs completely from CDROM. The configuration can be saved to a floppy diskette or a USB pen drive. Devil Linux was originally intended to be a dedicated firewall/router but now Devil-Linux can also be used as a server for many applications (which is an incredibly stupid idea). A firewall box is NOT a workstation, and should not be a server - the principle is the more "stuff" you have running on a firewall, the more you have to work to configure it safely. If it's not installed, it can not be exploited.

In Linux (and other UNIX-like operating systems such as the *BSDs), the firewall is part of the kernel. Tools like 'iptables', 'ipfw' or the fancy GUI webpage used in IPCop are used to _configure_ that firewall. They are NOT the firewall itself.

Firewalls cannot protect against stupidity. Remember Windoze 3.1? You could not hack into Windoze 3.1 over the network (it didn't have a network capability), yet there were thousands of worms, trojans, viruses and other malware installed by users who were determined to do stupid things. Are your users any better?

Old guy

Moe Trin
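The "netstat -tuan" check in the post above is the one audit worth automating for a single box: if nothing is listening on an address the outside can reach, there is nothing for a firewall (hardware, software or dedicated distro) to protect. The script below is an added example of my own, not Moe Trin's code; it parses netstat's text output, lists every socket waiting for inbound traffic, and flags the ones bound to every interface (0.0.0.0, ::, *) whose port is not on an allow-list. The netstat output embedded in it is constructed for this example, not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread: audit which sockets a Linux box offers to
# the network from "netstat -tuan" output. The sample below is constructed for
# this example and is not a real capture; a real box would pipe netstat in.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.7:51022       ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Reduce netstat -tuan output to "proto host port" for every socket that is
# waiting for inbound traffic: TCP sockets in LISTEN, and every UDP socket
# (UDP has no state column; an unconnected UDP socket is already reachable).
# The port is everything after the last colon, so IPv6 forms like ":::22" work.
listeners() {
    awk '
        ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && NF >= 4) {
            n = split($4, a, ":")
            port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            print $1, host, port
        }'
}

# Listeners bound to every address rather than to loopback or to one LAN
# address. These are what a remote peer can reach if the packet filter
# lets the port through. Output: "proto port".
wildcard_listeners() {
    listeners | awk '$2 == "0.0.0.0" || $2 == "::" || $2 == "*" { print $1, $3 }'
}

# Wildcard listeners whose port is not in the space-separated allow-list
# given as $1. Prints them and returns 1 when there is at least one, so it
# can gate a cron job or a login script; returns 0 when the box is clean.
unexpected_listeners() {
    allow=" $1 "
    out=$(wildcard_listeners | while read -r proto port; do
        case "$allow" in
            *" $port "*) ;;
            *) printf '%s %s\n' "$proto" "$port" ;;
        esac
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Against the constructed sample, allowing FTP and SSH as in the post above.
# On a live box: netstat -tuan | unexpected_listeners "22"
printf '%s\n' "$SAMPLE" | unexpected_listeners "21 22" \
    || echo "exposed listeners found; remove the service or restrict its bind address" >&2
```

On the constructed sample the X server on tcp/6000 and the portmapper on udp/111 are reported; the mail daemon on 127.0.0.1:25 and SSH bound to the LAN address are not, which is the point of "if it's not installed (or not listening), it cannot be exploited". The audit only sees the bind address; a service bound to 0.0.0.0 that is meant to be LAN-only still needs the packet filter rule, and that rule is what should be checked next.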

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.