Security Basics mailing list archives
RE: IPTables Based Firewall Testing
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 17 Dec 2003 14:56:31 -0800
Really an IPTables/Netfilter equipped *NIX box is not really the best solution for anyone really concerned about security. pf on OpenBSD still runs a better, more controllable firewall, but Netfilter is catching up. Comparing an IPTables/Netfilter firewall box against say a Checkpoint (Nokia IPSO), Cisco PIX or even a SonicWall or Watchguard box, there is no comparison. Firewall appliances usually run an extremely tightened version of NetBSD or another early BSD (like) system, unlike *NIX, which can have many software packages installed with multiple vulnerabilities. Appliances are extremely optimized to suit their task and provide smooth operations for that task, while a general OS has to think of everything it *may* run.

We run a Checkpoint Firewall on the Nokia IPSO (IP330) and it's rock solid and extremely secure. But when you pay $80,000 bucks for a firewall you better be getting your money's worth.

Am I saying that IPTables is bad? Nope. I run it on all my DMZ hosts to protect them from 'behind-the-firewall' traffic. I personally use IPTables on a Debian box at home as my firewall. But if I'm protecting a LAN with sensitive information behind it, a *NIX box with IPtables is farthest from my mind.

Note: CC'ed to sec-basic list due to relevancy.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: bob richie [mailto:bobr () rentech net]
Sent: Wednesday, December 17, 2003 2:43 PM
To: Shawn Jackson
Subject: RE: IPTables Based Firewall Testing

Shawn,

We have a great failover solution for IPTables. You sound like you use this quite a bit. How do you feel it compares to Checkpoint? We are looking at running it on BladeFusion for our customers or use SmoothWall.

Bob Richie
615-254-8324
www.rentech.net
Helping YOU do more on the WEB!

This electronic message transmission contains information from Renaissance Application Facility which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited.

-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com]
Sent: Tuesday, December 16, 2003 4:25 PM
To: Gareth Darby; security-basics () securityfocus com
Subject: RE: IPTables Based Firewall Testing

I'd run Nessus against it to see if you get anything. Run it against the external and internal interfaces and that should give you a pretty good idea of your security outlook.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Gareth Darby [mailto:gdarby () aztech-communications co uk]
Sent: Tuesday, December 16, 2003 8:02 AM
To: security-basics () securityfocus com
Subject: IPTables Based Firewall Testing

Hi,

I was wondering what kind of processes would be involved in testing a firewall built around IPtables. How could you ensure that the rules are sufficient? Is a simple port scan enough?

Gareth