Re: [SLUG] Cleaning house

From: Steve (steve@szmidt.org)
Date: Wed Aug 20 2003 - 15:21:11 EDT


On Wednesday 20 August 2003 06:14 am, you wrote:
> are you talking a custom built firewall or a packaged 1 floppy based
> system like ClosedBSD (http://www.closedbsd.org/)?

Actually a totally standard built packet filter firewall with NAT. I think I
already said an OpenBSD firewall in my email...

> i really like BSD and especially OpenBSD (and ClosedBSD) but i found a
> better 1 floppy firewall solution with FREESCO (http://www.freesco.org/).

Did you just say FREESCO is better than OpenBSD? Hehe.

The one thing that is easier with Freesco is that it's probably a bit easier to
manage smaller tasks.

OpenBSD takes some 20 minutes to read up on and configure. About 10-15
minutes to install. Figure an hour if you're new to it. Hell, figure two or
three hours. In the end you are going to have a state of the art firewall
that had one remote hole in over seven years. It was fixed within days.
FREESCO had their current one for a few years.

I'm not going to try to convince you to use either. But know this: if you
don't know how to hack a remote system, or at least have some inkling of
how it's done and what vulnerabilities they use, you don't know what makes
one firewall a worthwhile firewall. It's not a scene where A=A=A.

FREESCO uses a 2.0 Linux kernel which will never have anything to hold over
a BSD kernel. OpenBSD audits every line for vulnerabilities. They are
implementing changes that make it impossible to execute code that a hacker
would insert into RAM to take control over the box.

FREESCO is to OpenBSD as a Humvee is to an Abrams tank. Both have some
armor but...

Now I used FREESCO for a year or two before I learned more about security
and OpenBSD. It's not a bad tool as they go. Easy to install and use.

However, no firewall, including OpenBSD, is the end to it all. Security is a
multifaceted subject. There need to be layers of defense. Just look at port
80. You open it so that you can browse. But your browser does not know much
about what it brings back. It can contain code and often does.

You like to be able to execute most of this code because it makes the web
pages come alive with all sorts of java, perl, asp and other types of
scripts. But they can also contain destructive or open-a-backdoor type
instructions. Your firewall does not know the difference, nor does your
browser. Certainly not your O/S. The point being you put a hole in the
firewall to let web pages in, and now you could be hacked. You may never
even find out.

Maybe the hacker just leaves some hacking tools there for later use. You can
hide data on a drive that your OS cannot read. A drive does not utilize a
disk 100%. It has lost space in it. Though most hackers simply make them
hidden system files and give them names that are hard to tell
apart from other system files.

Maybe you already know all this; then good for you. I too often run into
people who think just because they put a lock in their door nobody could
enter the building, so to speak. Then they come and say "But I had a
firewall..."

Ultimately you need to educate every user to recognize that something
different is going on. You need to have access to access logs that can tell
you what happened, and worst of all you need to monitor them daily. Security
mostly sucks as it has nothing to do with production, and is a pain to
monitor. At least they don't send us bombs that kill the users...

Ha, a good ramble there... : )

> thor
>
> ----- Original Message -----
> From: "Steve" <steve@szmidt.org>
> To: <slug@nks.net>
> Sent: Tuesday, August 19, 2003 23:43
> Subject: Re: [SLUG] Cleaning house
>
> > On Tuesday 19 August 2003 09:49 pm, you wrote:
> > > For a limited time only, you can have any or all of the following for
> > > free:
> > >
> > > * P166, 64MB SDRAM, 4MB video card, 2G HD, 100Mb NIC
> >
> > Using OpenBSD I could turn that into a killer firewall for someone...
> > Just add one more NIC and I'll build it for you.
> >
> > (Only one catch - I'm in downtown Clw area.)
> >
> >
> > --
> >
> > Steve
> > ______________________________________
> > This sig is pending approval
> > -----------------------------------------------------------------------
> > This list is provided as an unmoderated internet service by Networked
> > Knowledge Systems (NKS). Views and opinions expressed in messages
> > posted are those of the author and do not necessarily reflect the
> > official policy or position of NKS or any of its employees.

-- 

Steve
______________________________________
This sig is pending approval



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:53:29 EDT