>
> My $.02 is that you're better off with a standalone appliance than you
> are with a host based solution running with the O/S.
>
> Duane :)
I hear this all the time, but every 'standalone appliance' is a general
purpose computer running an O/S, typically a BSD 4 derivative. With a Linux
(or Free/Net/OpenBSD) solution, you can build a firewall with a generic 1U
server that almost certainly has higher performance hardware than a typical
commercial router. Installing the 'barebones' OS and the corresponding
packet filter (e.g. pf or IPTables) is simple. Writing the configuration
files is the most work, but that is true of any firewall.
My concern with many of the commercial systems is that they simply have not
had the same level of code review as the open source programs. This is
especially true of the OpenBSD project. It wasn't long ago that Cisco was
forced to admit that they had HARD CODED a password in some routers. This
is such a fundamental coding violation (e.g. you would lose points in
Programming 101) that it puts into question their entire code auditing
process. So, I would argue that the open source solutions are more secure
than the closed commercial solutions.
So, I guess I would say that a Linux firewall is fine, but
1) you need to know what you are doing (as you have discussed in detail)
2) a firewall should run on a dedicated computer so as to minimize the
attack tree (you can't exploit a bug in software that isn't installed)
If these conditions are acceptable, then I see nothing wrong with a Linux
firewall.
Received on Mon May 1 00:51:06 2006
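As an added illustration of the two conditions above (not part of the original post), here is a minimal default-deny pf.conf for a dedicated two-interface OpenBSD firewall, the style of configuration the post calls "the most work". Interface names, the LAN prefix and the management host are constructed placeholders; adjust them before use.

```pf
# /etc/pf.conf for a dedicated two-interface OpenBSD firewall (constructed example)
ext_if = "em0"                  # untrusted side; placeholder interface name
int_if = "em1"                  # LAN side; placeholder interface name
lan_net = "192.168.1.0/24"      # placeholder LAN prefix
mgmt_host = "192.168.1.10"      # the single admin workstation allowed to reach the box

set skip on lo0
set block-policy drop           # dropped packets get no reply, so probes learn nothing

# Discard packets whose source address does not belong on the arriving interface
antispoof quick for { $ext_if $int_if }

# Default deny in both directions; every pass rule below is an explicit exception.
# A box that runs only the packet filter has little else to expose, which is the
# "minimize the attack tree" point: nothing listens unless a rule lets it.
block all

# The firewall itself may initiate only DNS, NTP and package fetches
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any \
    port { 53 123 80 443 } keep state

# Administer the firewall only from one LAN host, and only over ssh
pass in on $int_if inet proto tcp from $mgmt_host to ($int_if) port 22 keep state

# LAN clients leave through NAT; pf keeps state so replies are matched, not re-filtered
pass in on $int_if inet from $lan_net to any keep state
pass out on $ext_if inet from $lan_net to any nat-to ($ext_if) keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and review the active rules afterwards with `pfctl -sr`.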