linux gateway and router = redundant?

ME dugan at passwall.com
Fri Mar 15 16:43:16 PST 2002


On Fri, 15 Mar 2002, augie wrote:
> Andrew wrote:
> > Many people would say Linux provides better firewalling than
> > low-end routers.
> 
> i'll buy that but got any examples? would other people agree with this 
> statement?

LinkSys for one:

One of their router products had SNMP exposed for configs (don't know if
this was ever fixed).

My Linksys Wireless Accesspoint+router+switch can be DoS-ed by running a
few network based security sweeps looking for security holes. While
firmware updates have helped make it more stable, I am happier with linux
doing the work.

LinkSys products (wireless) were found to be susceptible to ARP cache poisoning
to a simpler degree than other switches, making MiM attacks easier. (I do
not recall if this was all wireless products, but LinkSys was mentioned.)

Please do not think that this is just picking on LinkSys, as announcements
have come out for other low end products. I only remember some of the ones
that would impact me. If I had another product, you would likely see me
with lists of equally bad problems provided. I like my LinkSys but know
its limits and accept its faults much like any other magic box.

Plusses with linux:
When a network based security hole is found, it is often fixed *very fast*
Highly configurable:
 (network layer redirection? You can do that!)
 (IPSEC)
 (application layer redirection)
 (No corp imposed limits on how many redirs)
 (Better support for Masquerading with specialized protocols (quake etc))
 (granular control of options with what ICMP you want to speak)
 (More reliable (better uptime as many low end units are susceptible to
  EMI and other distortion caused by being too close to other RF/power
  noise)
 (*REAL* logging - a major part of security: how do you know if something
  bad is happening and where it is coming from? Many low end products
  will log to OTHER devices, but the x86 box has a HD and can do it
  anyway, so why not leave them together and add yet another logging
  server for duplicate logs if you really want them?)
 (Proxy host configuration for speedup with web content)
 (Special rules/lists for avoiding web spam junk)
 (etc...)

Linux Disadvantages:
 (Dedicated host required, or if shared host, then reboot brings down net)
 (More knowledge - but could argue makes you more sophisticated/informed)
 (More initial setup/work)

The above lists are far from complete, but give some ideas.

I choose to go with Linux for my firewall rules/filtering/routing since
I can do just about anything and do not have to rely upon an unknown magic
black box with code that is "who knows" how stable/reliable against
unknown attacks/queries. (No peer level code review like with Open Source)

Why do the low end products suck so much? They are cheap. A company will
cut costs where they can, and low memory in firmware leads to small
firmware footprints, which often requires shortcuts in implementing the
TCP/IP suite of protocols to make them "fit".

Why can linux be so much better? That is obvious, but beyond the obvious,
a more widely used implementation of a TCP/IP suite that has been
available for peer review and security audits is easier to accept than an
unknown mystery box - perhaps not so obvious to others.

Others? Default password and company backdoors that seem to continue to
be found in "black box products" without peer level/open review or
audits.

If you want other opinions, check out google and you'll find others who echo
me, or find cases where I echo other users. ;-)

-ME

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ 
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ !PGP
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
     Systems Department Operating Systems Analyst for the SSU Library
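The "*REAL* logging" point above (knowing that something bad is happening and where it is coming from) is the one most worth seeing in code. The following is an added example, not part of the original post: a small Python parser for the lines the netfilter LOG target writes to syslog on a Linux gateway, with two simple summaries a defender would want from them (sources that touched many distinct destination ports, and drops that originated on the inside of the gateway). The sample log text, the host name, the addresses and the `IPT-DROP:` log prefix are all constructed for this example; the `KEY=VALUE` field layout is the real netfilter LOG format.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the netfilter LOG target format.
# The host "gw", the addresses and the "IPT-DROP:" --log-prefix are invented
# for this example; the last line is a non-firewall line the parser must skip.
SAMPLE_LOG = """\
Mar 15 16:40:01 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 15 16:40:01 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 15 16:40:02 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 15 16:40:02 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40004 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 15 16:40:03 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40005 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 15 16:41:10 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3311 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 15 16:41:12 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3312 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 15 16:42:00 gw kernel: IPT-DROP: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.99 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar 15 16:42:30 gw sshd[812]: Accepted publickey for me from 10.0.0.2 port 50000 ssh2
"""

# syslog timestamp, host, "kernel:", optional --log-prefix, then the IN= field
# that every netfilter LOG line starts its packet description with.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)IN=(?P<rest>.*)$"
)


def parse_log_line(line):
    """Return a dict of the LOG fields, or None if the line is not a LOG line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix").strip(), "flags": set()}
    for tok in ("IN=" + m.group("rest")).split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val      # a repeated key (UDP's second LEN=) overwrites the first
        else:
            rec["flags"].add(tok)   # bare tokens such as DF, SYN, ACK
    return rec


def direction(rec):
    """Classify by which interfaces are set: IN only = to the box, both = forwarded."""
    if rec.get("IN") and rec.get("OUT"):
        return "forward"
    if rec.get("IN"):
        return "inbound"
    return "outbound"


def summarize(log_text):
    """Parse all LOG lines and aggregate hits, ports and directions per SRC."""
    records = [r for r in map(parse_log_line, log_text.splitlines()) if r]
    by_src = defaultdict(lambda: {"hits": 0, "ports": set(), "directions": set()})
    for r in records:
        entry = by_src[r.get("SRC")]
        entry["hits"] += 1
        entry["directions"].add(direction(r))
        if "DPT" in r:
            entry["ports"].add((r.get("PROTO"), int(r["DPT"])))
    return records, by_src


def suspected_scanners(by_src, min_ports=5):
    """Sources that were dropped on at least min_ports distinct destination ports."""
    return sorted(src for src, e in by_src.items() if len(e["ports"]) >= min_ports)


def dropped_from_inside(by_src):
    """Sources whose dropped traffic was leaving or crossing the gateway (policy hits from the LAN)."""
    return sorted(src for src, e in by_src.items()
                  if e["directions"] & {"forward", "outbound"})


if __name__ == "__main__":
    records, by_src = summarize(SAMPLE_LOG)
    print(f"{len(records)} firewall log lines")
    for src, e in sorted(by_src.items()):
        print(f"{src:15} hits={e['hits']:3} ports={len(e['ports'])} dirs={sorted(e['directions'])}")
    print("suspected port scans:", suspected_scanners(by_src))
    print("dropped from inside:", dropped_from_inside(by_src))
```

Running it on a real box means feeding it the kernel log (`/var/log/messages` or `/var/log/kern.log`, depending on the syslog configuration) instead of `SAMPLE_LOG`; the `min_ports` threshold is a tuning knob, not a standard.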