Educause Security Discussion mailing list archives
Re: PIX/AS Vs. Linux/IPtables
From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 30 Sep 2009 12:04:07 -0400
I was referring to the scenario where the target host is compromised, and am presuming the separate-layer filtering host is still intact. Of course if both get compromised, game over. With a separate layer two separate compromises would be needed to alter the filter. My answer presumed that only the target was compromised. If the filters are within it, then the filters are comp'd too. If they're separate, you've made the attack harder.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of HALL, NATHANIEL D.
Sent: Wednesday, September 30, 2009 11:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PIX/AS Vs. Linux/IPtables

I would disagree with your statements. PIX/ASA devices still have an OS so they could be compromised just like a Netfilter host. If the Netfilter firewall is standalone, just as the PIX/ASA, then you could easily secure it. As for mistakes being made by the admin, that can happen with any system. It is not limited to Netfilter. It all depends on how you configure it.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, September 30, 2009 5:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PIX/AS Vs. Linux/IPtables

Not offhand, but I can offer this advantage over iptables (presuming you mean in-host filtration, versus using Linux as a standalone external filter system): The ASA being separate reduces the chances of a mistake by a sysadmin in adjusting the filter, or a compromised machine being able to adjust its own filter rules.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of ron behrang
Sent: Tuesday, September 29, 2009 10:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PIX/AS Vs. Linux/IPtables

Hello,

Does anyone know of a good paper on the merits of using PIX/ASA instead of using Linux/iptables?

Thanks
Ron
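The point Gary makes above, that filter rules living on the target host can be altered once that host is compromised, suggests a defender's check: keep a copy of the host's iptables-save output off-host and diff the live ruleset against it. The Python below is an added example, not code from the thread; the two rulesets are constructed samples, and where the baseline is stored and how the live dump is collected are left as assumptions.

```python
"""Diff a host's live iptables ruleset against an off-host baseline."""
from typing import Dict, List, Set, Tuple

# Constructed sample: baseline iptables-save output kept off the host.
BASELINE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: what the host reports after its own rules were edited.
CURRENT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT
"""


def parse_rules(dump: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (chain -> default policy, set of -A rule lines) from iptables-save text."""
    policies: Dict[str, str] = {}
    rules: Set[str] = set()
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):          # ":CHAIN POLICY [packets:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):       # one appended rule per line
            rules.add(line)
    return policies, rules


def diff_rulesets(baseline: str, current: str) -> Dict[str, List[str]]:
    """Report default-policy changes, rules missing from the host, and rules it added."""
    b_pol, b_rules = parse_rules(baseline)
    c_pol, c_rules = parse_rules(current)
    changed = [f"{c}: {p} -> {c_pol.get(c)}" for c, p in b_pol.items() if c_pol.get(c) != p]
    return {"policy_changed": changed,
            "removed": sorted(b_rules - c_rules),
            "added": sorted(c_rules - b_rules)}
```

Any non-empty result is a drift alert worth correlating with change tickets; an empty result only says the dump matches, not that the dump itself is trustworthy, which is the thread's argument for a separate filtering layer.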
Current thread:
- PIX/AS Vs. Linux/IPtables ron behrang (Sep 29)
- <Possible follow-ups>
- Re: PIX/AS Vs. Linux/IPtables Gary Dobbins (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables HALL, NATHANIEL D. (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables Justin Azoff (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables Joe Vieira (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables Gary Dobbins (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables John Ladwig (Sep 30)
- Re: PIX/AS Vs. Linux/IPtables David Gillett (Sep 30)