linux security - Oct 1998 - compare / contrast of linux fw and others

Hi,
I was wondering how a linux box configured as a firewall stacked up
against some of the commercial products like checkpoint-1 and gauntlet.
Can someone direct me to a good book or online doc that compares linux
to some other firewall methods?

Mind you, I''m not talking about a firewall in the classical sense, ie
ip forwarding turned off and used as a proxy, but the typical Linux box
with masquerading and ipfwadm rules, ipautofw, etc.  vs.  CheckPoint or
whatever.

What are the differences in features, security, control,
administration, etc.

[mod: Replies to Robert please. Robert, please summarize in a week -- REW]
-- 
Robert Bringman, Systems Engineer           mailto:rob@trion.com
TRION Technologies, Inc.                    http://www.trion.com

 To understand recursion, one must first understand recursion.

Opps, I guess it''s been more than a week... :/

Anyway, I only got a few responses, and the ones I got weren''t as
detailed and gory (ie technical) as I''d hoped. So I''ll
summarize in a
non technical way...

I am the Firewall-1 administrator where I work and it has a very nice
GUI tool for defining objects (can be hosts, networks, DNS domains,
groups of hosts, etc.) and a straightforward way of building a
rulebase.

At home I use the LRP with a mini-qmail daemon forwarding the e-mail
via  qmqp to the real mailhost,  and sshd for remote admin.  It has
ipautofw, ipportfw and masquerading.  

I really can''t think of anything I can do with the Firewall-1 machine
that I can''t do with this LRP machine.  The whole OS used to fit on a
floppy until I added the mini-qmail and sshd packages.  Now it boots
off a small HD and runs only on ramdisks.  Except for the GUI and the
price, I''d say they are about equal in terms of power and protection.

I''ve looked into TIS but never used it.  It involved running proxy
daemons on the firewall for telnet ftp and snmp.   I like the LRP much
better.

(for those that don''t know, LRP is the Linux Router Project.  see
http://www.linuxrouter.org )




On Tue, Oct 13, 1998 at 12:59:02PM -0400, Rob Bringman
wrote:
> Hi,
> I was wondering how a linux box configured as a firewall stacked up
> against some of the commercial products like checkpoint-1 and gauntlet.
> Can someone direct me to a good book or online doc that compares linux
> to some other firewall methods?
> 
> Mind you, I''m not talking about a firewall in the classical sense,
ie
> ip forwarding turned off and used as a proxy, but the typical Linux box
> with masquerading and ipfwadm rules, ipautofw, etc.  vs.  CheckPoint or
> whatever.
> 
> What are the differences in features, security, control,
> administration, etc.
> 
> [mod: Replies to Robert please. Robert, please summarize in a week -- REW]
> -- 
> Robert Bringman, Systems Engineer           mailto:rob@trion.com
> TRION Technologies, Inc.                    http://www.trion.com
> 
>  To understand recursion, one must first understand recursion.
> 
> -- 
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
> 
> To unsubscribe:
>   mail -s unsubscribe linux-security-request@redhat.com < /dev/null
-- 
Robert Bringman, Systems Engineer           mailto:rob@trion.com
TRION Technologies, Inc.                    http://www.trion.com

 To understand recursion, one must first understand recursion.

> I am the Firewall-1 administrator where I work and it has a very nice
> GUI tool for defining objects (can be hosts, networks, DNS domains,
> groups of hosts, etc.) and a straightforward way of building a
> rulebase.
Doesn''t Firewall-1 do VPN? Virus scanning (optional), HTTP scanning
(virus/content optional) QoS.

Can you do VPN with your linux solution.  I love linux and have setup
several linux firewalls.  I have only played with firewall-1 for a bit and
the GUI is the only thing I can think of which makes it a better
''corporate'' solution.
> (for those that don''t know, LRP is the Linux Router Project.  see
> http://www.linuxrouter.org )
-- 
----------------------------------------------------------------------
Matthew S. Crocker 
Vice President / Internet Division         Email: matthew@crocker.com
Crocker Communications                     Phone: (413) 587-3350
PO BOX 710                                 Fax:   (413) 587-3352
Greenfield, MA 01302-0710                  http://www.crocker.com
----------------------------------------------------------------------

At 08:05 AM 10/28/98 -0500, Chan Kar Heng wrote:
> how about reporting? anything useful to please the eyes of the
> management people?
Depends on what you''re looking for.  Gross statistics on usage can be
collected with the IP accounting functions in the kernel.  You set up
rules with ipfwadm -A just like the other firewalling rules.

For more detailed reporting, we run the nacctd accounting daemon.  Look in
/system/network/management on your favorite sunsite mirror for the
net-acct package. One of my programmers wrote a small C program to take
the nacctd logs and produce a report of each workstation''s Internet
usage.
Here''s a snippet of the log from one machine we manage:

909664503 6 123.123.123.1   61386   205.139.170.48  80   2249 eth0 unknown
909664503 6 123.123.123.1   61386   205.139.170.48  80   2249 ets0 unknown
909664503 6 205.139.170.48  80      172.27.1.112    1045 36314 ets0 unknown
909664503 6 205.139.170.48  80      172.27.1.112    1045 36314 eth0 unknown

Fields are timestamp, protocol (tcp in this case), source addr, source
port, dest addr, dest port, traffic in bytes, interface, and username
(only for slip/ppp).

This is a transaction between a masqueraded host (172.27.1.112) and a
remote website via the masquerading gateway running nacctd (123.123.123.1,
obviously not its real address).  We throw out all the stuff on eth0 and
concentrate on ets0, which is a ET sync card that''s connected to the
Internet.  We also ignore the outbound packets from the gateway to the
remote site and just use the ones destined for the internal host.  Each
night we run a cron job to compile all this stuff into a report for
management that lists every site each workstation visited that day and its
total traffic by type of service.

Pretty nosy, but part of being a consultant is being a hired gun!

Peter


-----

Peter H. Lemieux				Voice:	(800) 5-CYWAYS	
CYWAYS, Incorporated					(+1 617 796 8995)
19 Westchester Road				Fax:	(617) 796-8997
Newton, Massachusetts 02458-2519 USA		Web:    http://www.cyways.com

> At 08:05 AM 10/28/98 -0500, Chan Kar Heng wrote:
>
> > how about reporting? anything useful to please the eyes of the
> > management people?
	I think a perfect trio is made from ipfwadm as firewall (soon ipchains) + bash
shell as a primary trimmer for the data reported by ipfwadm + mrtg as a HTML
report generator (http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html).
	You can do almost whatever you want with these tools; knowing shell programming
is not such a hard task, and a little HTML programming "to please the
management
people" you can do in as little as 30 minutes.

	That''s our way, and we''re quite happy with it.

				Florin Andrei
				Communications Manager @ Expert S.R.L.
				Romania

[mod: Edited for brevity.... --REW]

At 08:05 AM 10/28/98 -0500, Chan Kar Heng wrote:
> how about reporting? anything useful to please the eyes of the
> management people?

I have a homenet connected via Linux to the Internet. Kids (mine and
the neighbors) and use our 3 machines to surf the web routinely. The tools
I use are ipfwadm and Squid.  Squid is a proxy server that, as a
by-product creates detailed logs.
Below is an example of a squid log entry.  If this is too detailed, there
are perl scripts that will roll this into higher level reports that look
much like Firewall 1''s logs.

910227477.177    645 192.168.1.2 TCP_MISS/302 332 GET
http://mail.yahoo.com/py/ymGo.py - DIRECT/mail.yahoo.com text/html