Hi, I was wondering how a linux box configured as a firewall stacked up against some of the commercial products like checkpoint-1 and gauntlet. Can someone direct me to a good book or online doc that compares linux to some other firewall methods?

Mind you, I'm not talking about a firewall in the classical sense, ie ip forwarding turned off and used as a proxy, but the typical Linux box with masquerading and ipfwadm rules, ipautofw, etc. vs. CheckPoint or whatever.

What are the differences in features, security, control, administration, etc.

[mod: Replies to Robert please. Robert, please summarize in a week -- REW]

-- 
Robert Bringman, Systems Engineer mailto:rob@trion.com
TRION Technologies, Inc. http://www.trion.com
To understand recursion, one must first understand recursion.
Rob Bringman
1998-Oct-27 21:38 UTC
[linux-security] Re: compare / contrast of linux fw and others
Oops, I guess it's been more than a week... :/

Anyway, I only got a few responses, and the ones I got weren't as detailed and gory (ie technical) as I'd hoped. So I'll summarize in a non technical way...

I am the Firewall-1 administrator where I work and it has a very nice GUI tool for defining objects (can be hosts, networks, DNS domains, groups of hosts, etc.) and a straightforward way of building a rulebase.

At home I use the LRP with a mini-qmail daemon forwarding the e-mail via qmqp to the real mailhost, and sshd for remote admin. It has ipautofw, ipportfw and masquerading. I really can't think of anything I can do with the Firewall-1 machine that I can't do with this LRP machine. The whole OS used to fit on a floppy until I added the mini-qmail and sshd packages. Now it boots off a small HD and runs only on ramdisks.

Except for the GUI and the price, I'd say they are about equal in terms of power and protection.

I've looked into TIS but never used it. It involved running proxy daemons on the firewall for telnet ftp and snmp. I like the LRP much better.

(for those that don't know, LRP is the Linux Router Project. see http://www.linuxrouter.org )

On Tue, Oct 13, 1998 at 12:59:02PM -0400, Rob Bringman wrote:
> Hi, I was wondering how a linux box configured as a firewall stacked up
> against some of the commercial products like checkpoint-1 and gauntlet.
> Can someone direct me to a good book or online doc that compares linux
> to some other firewall methods?
>
> Mind you, I'm not talking about a firewall in the classical sense, ie
> ip forwarding turned off and used as a proxy, but the typical Linux box
> with masquerading and ipfwadm rules, ipautofw, etc. vs. CheckPoint or
> whatever.
>
> What are the differences in features, security, control,
> administration, etc.
>
> [mod: Replies to Robert please. Robert, please summarize in a week -- REW]

-- 
Robert Bringman, Systems Engineer mailto:rob@trion.com
TRION Technologies, Inc. http://www.trion.com
To understand recursion, one must first understand recursion.
Matthew S. Crocker
1998-Oct-28 13:05 UTC
[linux-security] Re: compare / contrast of linux fw and others
> I am the Firewall-1 administrator where I work and it has a very nice
> GUI tool for defining objects (can be hosts, networks, DNS domains,
> groups of hosts, etc.) and a straightforward way of building a
> rulebase.

Doesn't Firewall-1 do VPN? Virus scanning (optional), HTTP scanning (virus/content optional), QoS. Can you do VPN with your linux solution?

I love linux and have setup several linux firewalls. I have only played with firewall-1 for a bit and the GUI is the only thing I can think of which makes it a better 'corporate' solution.

> (for those that don't know, LRP is the Linux Router Project. see
> http://www.linuxrouter.org )

-- 
----------------------------------------------------------------------
Matthew S. Crocker            Vice President / Internet Division
Crocker Communications        Email: matthew@crocker.com
PO BOX 710                    Phone: (413) 587-3350
Greenfield, MA 01302-0710     Fax:   (413) 587-3352
http://www.crocker.com
----------------------------------------------------------------------
At 08:05 AM 10/28/98 -0500, Chan Kar Heng wrote:
> how about reporting? anything useful to please the eyes of the
> management people?

Depends on what you're looking for. Gross statistics on usage can be collected with the IP accounting functions in the kernel. You set up rules with ipfwadm -A just like the other firewalling rules.

For more detailed reporting, we run the nacctd accounting daemon. Look in /system/network/management on your favorite sunsite mirror for the net-acct package. One of my programmers wrote a small C program to take the nacctd logs and produce a report of each workstation's Internet usage. Here's a snippet of the log from one machine we manage:

  909664503 6 123.123.123.1 61386 205.139.170.48 80 2249 eth0 unknown
  909664503 6 123.123.123.1 61386 205.139.170.48 80 2249 ets0 unknown
  909664503 6 205.139.170.48 80 172.27.1.112 1045 36314 ets0 unknown
  909664503 6 205.139.170.48 80 172.27.1.112 1045 36314 eth0 unknown

Fields are timestamp, protocol (tcp in this case), source addr, source port, dest addr, dest port, traffic in bytes, interface, and username (only for slip/ppp). This is a transaction between a masqueraded host (172.27.1.112) and a remote website via the masquerading gateway running nacctd (123.123.123.1, obviously not its real address).

We throw out all the stuff on eth0 and concentrate on ets0, which is a ET sync card that's connected to the Internet. We also ignore the outbound packets from the gateway to the remote site and just use the ones destined for the internal host.

Each night we run a cron job to compile all this stuff into a report for management that lists every site each workstation visited that day and its total traffic by type of service. Pretty nosy, but part of being a consultant is being a hired gun!

Peter

-----
Peter H. Lemieux               Voice: (800) 5-CYWAYS
CYWAYS, Incorporated                  (+1 617 796 8995)
19 Westchester Road            Fax:   (617) 796-8997
Newton, Massachusetts 02458-2519 USA
Web: http://www.cyways.com
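The per-workstation roll-up Peter describes, written out as an added example (this is not his programmer's C program, which is not on the page). It assumes the nine-column nacctd layout he lists, that the Internet-facing interface is named ets0, and that the masqueraded workstations live in 172.27.0.0/16; the first four log lines are the ones from his post, the rest (and the 198.51.100.0/24 addresses) are constructed to exercise the filtering. It keeps only records seen on the external interface and addressed to an internal host, so each transfer is counted once, and names the remote service from the remote port.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the nacctd record layout described in the post:
# timestamp proto src sport dst dport bytes iface user
# Lines 1-4 are from the post; the rest are made up (198.51.100.0/24 is a
# documentation range), and the last line shows a malformed record.
SAMPLE_LOG = """\
909664503 6 123.123.123.1 61386 205.139.170.48 80 2249 eth0 unknown
909664503 6 123.123.123.1 61386 205.139.170.48 80 2249 ets0 unknown
909664503 6 205.139.170.48 80 172.27.1.112 1045 36314 ets0 unknown
909664503 6 205.139.170.48 80 172.27.1.112 1045 36314 eth0 unknown
909664600 6 205.139.170.48 80 172.27.1.112 1046 1200 ets0 unknown
909664700 6 198.51.100.7 21 172.27.1.50 1030 5000 ets0 unknown
909664800 17 198.51.100.53 53 172.27.1.50 1031 300 ets0 unknown
909664900 6 198.51.100.7 443 172.27.1.50 1032 900 eth0 unknown
this is not an accounting record
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Assumed port-to-service table; extend it for whatever your site cares about.
SERVICE_NAMES = {(6, 21): "ftp", (6, 23): "telnet", (6, 25): "smtp",
                 (6, 80): "http", (6, 443): "https", (17, 53): "dns"}


def parse_line(line):
    """Parse one nacctd record into a dict, or return None if malformed."""
    f = line.split()
    if len(f) < 8:
        return None
    try:
        return {
            "ts": int(f[0]),
            "proto": int(f[1]),
            "src": ipaddress.ip_address(f[2]),
            "sport": int(f[3]),
            "dst": ipaddress.ip_address(f[4]),
            "dport": int(f[5]),
            "bytes": int(f[6]),
            "iface": f[7],
            "user": f[8] if len(f) > 8 else "",
        }
    except ValueError:
        return None


def service_name(proto, port):
    """Name the remote service; fall back to proto/port for unknown ones."""
    return SERVICE_NAMES.get((proto, port),
                             "%s/%d" % (PROTO_NAMES.get(proto, str(proto)), port))


def usage_report(log_text, external_iface="ets0", internal_net="172.27.0.0/16"):
    """Bytes received per workstation, keyed by (remote address, service).

    Mirrors the filtering in the post: keep only records seen on the
    Internet-facing interface, and only the half of each flow that is
    addressed to an internal host, so each transfer is counted once.
    """
    net = ipaddress.ip_network(internal_net)
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != external_iface:
            continue
        if rec["dst"] not in net:
            continue  # outbound half of the flow, or unrelated traffic
        key = (str(rec["src"]), service_name(rec["proto"], rec["sport"]))
        report[str(rec["dst"])][key] += rec["bytes"]
    return {host: dict(sites) for host, sites in report.items()}


def format_report(report):
    """Render the nightly management report as plain text lines."""
    lines = []
    for host in sorted(report, key=ipaddress.ip_address):
        total = sum(report[host].values())
        lines.append("%s  total %d bytes" % (host, total))
        for (remote, service), nbytes in sorted(report[host].items()):
            lines.append("    %-16s %-8s %10d" % (remote, service, nbytes))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(usage_report(SAMPLE_LOG)))
```

Run it nightly from cron against the day's nacctd log to get the same shape of report: one block per workstation, one line per remote site and service. The 443 line in the sample is dropped because it was seen on eth0, and the outbound 61386-to-80 records are dropped because their destination is not internal.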
Florin Andrei
1998-Nov-04 07:19 UTC
[linux-security] Re: compare / contrast of linux fw and others
> At 08:05 AM 10/28/98 -0500, Chan Kar Heng wrote:
>
> > how about reporting? anything useful to please the eyes of the
> > management people?

I think a perfect trio is made from ipfwadm as firewall (soon ipchains) + bash shell as a primary trimmer for the data reported by ipfwadm + mrtg as a HTML report generator (http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html). You can do almost whatever you want with these tools; knowing shell programming is not such a hard task, and a little HTML programming "to please the management people" you can do in as little as 30 minutes.

That's our way, and we're quite happy with it.

Florin Andrei
Communications Manager @ Expert S.R.L. Romania
Bobby Boone
1998-Nov-04 18:09 UTC
[linux-security] Re: compare / contrast of linux fw and others
[mod: Edited for brevity.... --REW]

At 08:05 AM 10/28/98 -0500, Chan Kar Heng wrote:
> how about reporting? anything useful to please the eyes of the
> management people?

I have a homenet connected via Linux to the Internet. Kids (mine and the neighbors') use our 3 machines to surf the web routinely. The tools I use are ipfwadm and Squid. Squid is a proxy server that, as a by-product, creates detailed logs. Below is an example of a squid log entry. If this is too detailed, there are perl scripts that will roll this into higher level reports that look much like Firewall 1's logs.

  910227477.177 645 192.168.1.2 TCP_MISS/302 332 GET http://mail.yahoo.com/py/ymGo.py - DIRECT/mail.yahoo.com text/html
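The kind of "higher level report" Bobby mentions, as an added example in Python rather than one of the perl scripts he refers to (none of which are on the page). It parses Squid's native access.log layout (time, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type) and rolls the records up per client and per site, with request count, bytes and cache hits. The first sample line is the one from the post; the others, including a CONNECT line and a malformed line, are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method url ident hierarchy/peer type
# The first line is from the post; the rest are made up, and the last
# line is deliberately malformed to show that bad records are skipped.
SAMPLE_ACCESS_LOG = """\
910227477.177 645 192.168.1.2 TCP_MISS/302 332 GET http://mail.yahoo.com/py/ymGo.py - DIRECT/mail.yahoo.com text/html
910227480.012 120 192.168.1.2 TCP_HIT/200 4120 GET http://mail.yahoo.com/images/logo.gif - NONE/- image/gif
910227490.500 800 192.168.1.3 TCP_MISS/200 15320 GET http://www.example.com/ - DIRECT/www.example.com text/html
910227495.250 30 192.168.1.3 TCP_MEM_HIT/200 15320 GET http://www.example.com/ - NONE/- text/html
910227500.000 2000 192.168.1.3 TCP_MISS/000 0 CONNECT www.example.com:443 - DIRECT/www.example.com -
garbage that is not a squid record
"""


def parse_access_line(line):
    """Parse one native-format access.log record; None if it does not fit."""
    f = line.split()
    if len(f) != 10 or "/" not in f[3]:
        return None
    try:
        result, status = f[3].split("/", 1)
        return {
            "ts": float(f[0]),
            "elapsed_ms": int(f[1]),
            "client": f[2],
            "result": result,
            "status": int(status),
            "bytes": int(f[4]),
            "method": f[5],
            "url": f[6],
            "ident": f[7],
            "hierarchy": f[8],
            "type": f[9],
        }
    except ValueError:
        return None


def site_of(url):
    """Hostname the request went to; CONNECT lines carry a bare host:port."""
    if "://" in url:
        return (urlsplit(url).hostname or "?").lower()
    return url.split(":", 1)[0].lower()


def summarize(log_text):
    """Roll raw records up per client and per site: requests, bytes, cache hits."""
    new_entry = lambda: {"requests": 0, "bytes": 0, "hits": 0}
    summary = defaultdict(lambda: defaultdict(new_entry))
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        entry = summary[rec["client"]][site_of(rec["url"])]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        if "HIT" in rec["result"]:  # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ...
            entry["hits"] += 1
    return {client: dict(sites) for client, sites in summary.items()}


def format_summary(summary):
    """One line per client and site, suitable for a daily e-mail to management."""
    lines = []
    for client in sorted(summary):
        for site, e in sorted(summary[client].items()):
            lines.append("%-15s %-25s %4d req %9d bytes %3d hits"
                         % (client, site, e["requests"], e["bytes"], e["hits"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize(SAMPLE_ACCESS_LOG)))
```

Note that Squid logs the client address, not the user, unless ident or proxy authentication is in use; on a masquerading gateway this is the workstation address, which is what the per-machine report wants.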