Mailinglist Archive: opensuse-security (520 mails)

Re: [suse-security] TIS FWTK
  • From: Peter van den Heuvel <peter@xxxxxxxxxxxxxxxx>
  • Date: Sat, 09 Dec 2000 11:20:19 +0100
  • Message-id: <3A320763.F0661E72@xxxxxxxxxxxxxxxx>
Hi,

-- snip -- snip --
> > If you are going to take the time to use the built in firewalling code
> > in linux why would you use a frontend to the program to modify the
> > rules? Ipchains is *easy* to use.
> Yes, but TIS FWTK (and its commercial successor Gauntlet) and Linux
> IPFWADM/IPCHAINS/NetFilter are fundamentally different things:

Scary how a large part of the suse security list seems to be in charge
of organization security without being able to see the fundamental
difference between packet filtering and proxying; even after clear
explanation.

Another silly issue on this list was the tamper-ability of MD5 hash
values (nothing wrong with the question as such though) and its
required replacement for intrusion detection. Until finally somebody
pointed out where the real vulnerability was: just forge the report. I
was just wondering why the focus of this list is so much on "code" and
so little on how to use it for a specific organization. Most unix hosts
that have a reasonable administrator are most likely more secure against
DOS than the telco. router that connects them to the WEB. Most security
incidents are from within organizations. Most logs are never looked at
and incidents seldom reported. A short and simple password is still
better than one under the keyboard. Locking the car is little use if you
leave the camera in plain sight :)

Also there's nothing wrong in discussing interface add-ons for ipchains
etc. But sometimes the discussion misses that such things can only
improve your understanding or help you use your time efficiently. They
inherently do nothing else to improve security. I personally prefer
tools that help visualize the result of complex configurations and logs
instead of separating me from the real issue at hand.

Generally speaking, there is a shortcoming to easy to use systems. They
inherently hide some of the complexity you actually should be facing.
Also simple external interface (or extreme flexibility requirements)
usually imply high internal complexity. And that of course provides more
places where things could fail. If you want security, go for simplicity.
And yes the FWTK is lovely simple (within its context).

One final remark. Moderation is a good thing, but please don't just do
it to ban things. A simple classification with some tags like [basic]
[home networks] [small organization] [large organization] [theory]
[usage] or something like it would be of much more added value. With
that I can play with some easy questions if I'm really bored and tired :)
Oh, I do consider a question of somebody who wants to protect
'pictures' reasonable.

Peter
