Educause Security Discussion mailing list archives

Re: PIX/AS Vs. Linux/IPtables


From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 30 Sep 2009 12:04:07 -0400

I was referring to the scenario where the target host is compromised, and am presuming the separate-layer filtering 
host is still intact.  Of course if both get compromised, game over.   With a separate layer two separate compromises 
would be needed to alter the filter.  My answer presumed that only the target was compromised.  If the filters are 
within it, then the filters are comp'd too.  If they're separate, you've made the attack harder.
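The risk raised in this reply, that a host carrying its own Netfilter rules can have those rules rewritten once it is compromised, is something a defender can at least detect when in-host filtering cannot be avoided. The script below is an added example, not code from this thread or from any of its authors: it normalises `iptables-save` output (dropping the comment lines and packet/byte counters that change on every capture), fingerprints the result, and diffs a later capture against a baseline, reporting added or removed rules and changed chain policies. Both rulesets are constructed samples for a hypothetical host that should only accept SSH and HTTP; the 8080 rule and the INPUT policy flip in the second capture are the planted drift.

```python
import hashlib
import re
from typing import Dict, List

# Constructed sample: the known-good ruleset (iptables-save format) of a
# hypothetical web host that accepts only SSH and HTTP. This is the baseline
# that should be captured once and kept off the host.
BASELINE_RULESET = """\
# Generated by iptables-save v1.4.21 on Wed Sep 30 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12345:678901]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Wed Sep 30 2009
"""

# Constructed sample: a later capture from the same host. The counters have
# moved (harmless), but the INPUT default policy is now ACCEPT and an extra
# rule opening port 8080 has appeared. Both should be reported.
CURRENT_RULESET = """\
# Generated by iptables-save v1.4.21 on Thu Oct 1 2009
*filter
:INPUT ACCEPT [999:88888]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [23456:789012]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Thu Oct 1 2009
"""

# Matches the "[packets:bytes]" counters on policy lines and, with
# iptables-save -c, at the start of rule lines.
COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]")


def normalize(ruleset: str) -> List[str]:
    """Keep only the lines that define policy: *table, :CHAIN POLICY, -A rules, COMMIT.

    Comment lines and counters vary between captures and are dropped so that
    two captures of an unchanged ruleset normalise to identical text.
    """
    lines = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lines.append(COUNTER_RE.sub("", line).strip())
    return lines


def fingerprint(ruleset: str) -> str:
    """SHA-256 of the normalised ruleset; this is the value to record as the baseline."""
    canonical = "\n".join(normalize(ruleset)).encode()
    return hashlib.sha256(canonical).hexdigest()


def chain_policies(lines: List[str]) -> Dict[str, str]:
    """Map built-in chain name to its default policy from ':CHAIN POLICY' lines.

    User-defined chains carry '-' instead of a policy and are skipped.
    """
    policies: Dict[str, str] = {}
    for line in lines:
        if line.startswith(":"):
            parts = line[1:].split()
            if len(parts) >= 2 and parts[1] != "-":
                policies[parts[0]] = parts[1]
    return policies


def diff_rulesets(baseline: str, current: str) -> Dict[str, object]:
    """Compare a current capture against the baseline and describe the drift."""
    base_lines = normalize(baseline)
    cur_lines = normalize(current)
    base_rules = [line for line in base_lines if line.startswith("-A ")]
    cur_rules = [line for line in cur_lines if line.startswith("-A ")]
    base_pol = chain_policies(base_lines)
    cur_pol = chain_policies(cur_lines)
    return {
        "unchanged": fingerprint(baseline) == fingerprint(current),
        "added_rules": [r for r in cur_rules if r not in base_rules],
        "removed_rules": [r for r in base_rules if r not in cur_rules],
        # chain -> (baseline policy, current policy) for every chain that differs
        "policy_changes": {
            chain: (base_pol.get(chain), cur_pol.get(chain))
            for chain in sorted(set(base_pol) | set(cur_pol))
            if base_pol.get(chain) != cur_pol.get(chain)
        },
        # Same rules but in a different order still changes what iptables does.
        "reordered": base_rules != cur_rules and sorted(base_rules) == sorted(cur_rules),
    }


if __name__ == "__main__":
    report = diff_rulesets(BASELINE_RULESET, CURRENT_RULESET)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the baseline fingerprint and the comparison should live on a separate management host that pulls `iptables-save` output from the target, not on the target itself, because, as the reply above says, once the host is compromised everything on it, including any self-check, is suspect. Rule order is compared as well as membership, since an inserted rule earlier in a chain can shadow a later one without adding or removing anything.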



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of HALL, NATHANIEL D.
Sent: Wednesday, September 30, 2009 11:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PIX/AS Vs. Linux/IPtables

I would disagree with your statements.  PIX/ASA devices still have an OS so they could be compromised just like a 
Netfilter host.  If the Netfilter firewall is standalone, just as the PIX/ASA, then you could easily secure it.

As for mistakes being made by the admin, that can happen with any system.  It is not limited to Netfilter.  It all 
depends on how you configure it.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, September 30, 2009 5:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PIX/AS Vs. Linux/IPtables

Not offhand, but I can offer this advantage over iptables (presuming you mean in-host filtration, versus using Linux as 
a standalone external filter system):  The ASA being separate reduces the chances of a mistake by a sysadmin in 
adjusting the filter, or a compromised machine being able to adjust its own filter rules.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of ron behrang
Sent: Tuesday, September 29, 2009 10:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] PIX/AS Vs. Linux/IPtables

Hello,

Does anyone know of a good paper on the merits of using PIX/ASA
instead of using Linux/iptables?

Thanks
Ron


