Re: Wrt54G is a FW appliance?
comp.security.firewalls archive


From: Greg Hennessy <me@privacy.org>
Date: Sun Jul 31 2005 - 23:51:28 CEST

On Sun, 31 Jul 2005 20:31:58 GMT, Leythos <void@nowhere.lan> wrote:

>>> until that time we/you can hope that it's a firewall.
>>
>> ROTFL! When was the last time you did a penetration test?
>
>Let me explain this one more time, read it slowly:
>
>Just because someone comes out with new firmware for a NAT Router, that
>does not make it a firewall no matter how many "features" they say they
>have added - at the same time, it does not mean it's not a firewall.

Oh yes it does if one can install a stateful filtering policy on it which
passes penetration testing and meets audit requirements for both the client
and the vendor.

A Cisco router with a firewall feature set is a firewall.

A 1U rack server running www.pfsense.org is a firewall.

A Linksys WRT54G/GS running iptables (spit) with stateful connection
tracking is a firewall.

It's running the exact same netfilter code as

http://www.astaro.com/firewall_network_security/firewall_asg
http://www.smoothwall.org/

etc etc etc.

Those are the facts.

> The
>problem is that unless it's been tested and inspected by some reputable
>company/organization, there just isn't any way to have a basis for its
>acceptance as a firewall. Notice I said tested and reputable in the same
>sentence.

You're now attempting to move the goalposts from 'certification' to 'tested
and inspected' by some allegedly reputable company/organisation.

>As for secure networks and testing, I design secure networks for a living,
>and I've been at it for a long time - we've never had a single compromised
>customer in our history and I've never had a compromised network as long
>as I've been around. I don't install unproven technology, don't believe in
>marketing hype, don't believe certification proves that something is
>perfect, but, I will start with certified products as a basis for
>consideration over non-certified products, then test them in our shop,
>test them in the field, and if they pass all of our tests, then I will
>test them with select customers and then finally will start using them in
>customer solutions on a regular basis.

Oh puhleeze, enough with the ex post facto back pedal already.

Back in the real world, PF, IPFilter and IPTables (spit) based firewalling
solutions are used to protect networks globally.

Some of us do have customers who require high packet rate gig-e solutions,
but cannot afford the arm and a leg Crisco would charge them for a 535 +
annual maint.

Some of us do have customers with stringent audit and logging requirements
to comply with double 7 double 9.

IT security professionals with even a modicum of clue are aware of the
capabilities of all mainstream stateful packet filtering software, not just
that which comes with a pretty ICSA labs sticker + price tag.

>Now, before you get your dander up, I have nothing against the new
>firmware or the NAT routers used in Home solutions, in fact, for home
>users I always recommend a NAT solution as the first barrier device in
>their protection. At the same time, I don't believe something is a
>firewall just because I've read it on Usenet/Web/Print, and I almost never
>believe marketing speak, and I trust my ability to test and confirm a
>secure solution.

You have absolutely no idea what's running inside a WRT54G/GS now, do you?
Be a man, admit it.

You don't appear to realise that the GS model has, for example, hardware
VLAN tagging on its 4 port switch.

Functionality which Sveasoft makes available to the end user.

You appear to have no notion that that little 70 buck box can statefully
packet filter between all 5 fast-e interfaces at pretty close to wire speed
as a consequence.

You don't appear to appreciate the appeal of having something cheap and
cheerful which can sit in the big bad world providing enterprise WPA
courtesy of inbuilt radius/1x support.

Something which can take care of itself and provide tunnel endpoints at a
price point significantly cheaper than a VPN concentrator.

>You seem to be asking me, and all of us, to believe that something is a
>quality firewall without any certification

A daft hair splitting non sequitur.

1st you claim that it couldn't possibly be a firewall without some form of
'certification'.

When I point out that Sun are shipping *and* supporting IPFilter on Solaris
9 and 10, you try and change tack from that ridiculous position to that of
'tested and inspected' (sic) by a reputable company.

Now you're back to certification nonsense again.

>- and I don't know many people
>that are willing to risk their business reputations on unproven solutions
>without independent confirmation.

Give it up already,

IPFilter has been securing networks globally for a decade.

OpenBSD, and by implication its packet filter, have been the recipients of
DARPA funding.

The notion that either are 'unproven solutions' is laughable nonsense.

If you want to make a living selling ICSA 'certified' chocolate fireguards,
by all means do so.

However, that doesn't make them somehow better as a solution for customers.

Security is a process *not* products.

greg

-- 
"Access to a waiting list is not access to health care"
Received on Thu Sep 29 19:59:59 2005
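As an added illustration (not part of the post, and not Sveasoft's or Linksys's firmware), this is the shape of the default-deny, conntrack-based netfilter policy the post has in mind for a WRT54G-class box. The interface names are assumptions (WAN on vlan1, LAN and wireless bridged on br0), and the script only emits iptables-restore text so the policy can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example: emits a default-deny stateful netfilter policy in
# iptables-restore format. Interface names are assumptions for a
# WRT54G-style router: WAN on vlan1, LAN/wireless bridged on br0.
WAN="${WAN:-vlan1}"
LAN="${LAN:-br0}"

stateful_policy() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful core: drop anything conntrack cannot tie to a known flow.
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# Replies to flows the router or the LAN opened are allowed back in.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback, plus LAN-side management, DNS and DHCP on the router itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
# Only new outbound flows from LAN to WAN; nothing unsolicited from WAN.
-A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
# Rate-limited logging of what falls through, for the audit trail.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Sanity check: number of rules that consult conntrack state.
count_state_rules() {
  stateful_policy | grep -c -- '--state'
}
```

Load with `stateful_policy | iptables-restore` on the router; the MASQUERADE rule is what makes it a NAT router, the INVALID/ESTABLISHED,RELATED/NEW rules are what make it a stateful firewall.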