Should You Fire Your Firewall?
Gsurface writes "A lengthy article over at Flexbeta.net focuses on firewall applications and how well they perform as far as securing your system. Four typical firewall applications were tested including two routers, one being the Cisco 831 SOHO, which performed rather well. In total, nine security tests were conducted to measure how well each firewall performed."
Very interesting, although I've never been much for hardware firewalls. I grab an old machine, load it up with Slackware 9.1, and custom-configure the netfilter/iptables rules. It's a lot more versatile, and it's not just a firewall. It can be expanded to run every server known to man, such as ssh for remote control, or FreeS/WAN, for VPN.
Any review of security/firewalls using Gibson's crappy analysis tools is beyond flawed. I would take all of this review with a grain or two of salt.
Yes, I am an agent of Satan, but my duties are largely ceremonial.
But the port it shows as closed is 113 which is sometimes needed to authenticate to ftp or web sites. The authors of the review are assuming that the best firewall stealths absolutely everything. But if a product completely protects your system why wouldn't that be good enough? Same for ZoneAlarm4 not stealthing several ports under Advanced Port Scanning.
I like the way they bring up outbound filtering though. Most "personal" firewalls don't do anything with this.
Does this really belong in the Your Rights Online section?
Leak:
1) Hardware firewalls _rarely_ block outbound traffic, so they implicitly allow out (since they can't predict what you'll need).
2) Internal software firewalls work by intercepting a request to send a packet if it matches a rule. If the rogue software actively looks for a way to bypass the filter (by talking directly to the network card itself and bypassing the operating system), then there is nothing that can stop it.
Hence they all fail the leak test. That's to be expected. In general you cannot expect to be connected to the internet at all and NOT be _somewhat_ vulnerable about information being transmitted without your knowledge.
Browser test:
You're right. Firewalls shouldn't double as a content/URL filter. That's the job of an "application proxy". Many firewall vendors are functioning as both... which is fine for a consumer who doesn't know the difference.
However, this is partially due to the fact that windows has this API called "NDIS".
Firewalls are implemented by placing filters in the NDIS chain that check for incoming/outgoing IP addresses and stuff, and can process them. But the NDIS chain also allows you to intercept URLs and how they are parsed, control DNS lookup, and more. (This is a Windows-specific feature). So most firewall developers naturally decided to add URL/content filtering because it was an easy step from IP filtering, since they were using the same programming interfaces.
It wasn't rocket science... it was right there in the programming manuals next to the other stuff.
Port scan:
By default, ZoneAlarm is configured to allow ports 135-139 in (but ONLY for the "Local Zone", if they bothered to check) so you can use Windows File Sharing between computers. It's easily turned off, making the computer invisible to everyone just like the rest of them.
ZoneAlarm wanted to be friendlier to people who wanted to share files or printers inside their house.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I decided to try some of these tests myself. When testing using TooLeaky, I got a notification that it sent the information to GRC.com and received information from GRC.com, even when I disabled my internet connection.
Sounds like BS to me.
In general, you should always use a dedicated device to filter incoming packets. Consider it 'first line' defense.
Where things like ZoneAlarm and Kerio make a difference is that they filter outbound connections. Of particular note is that, if the user pays attention and doesn't randomly approve everything the software shows them, then a firewall application can not only block specific outbound ports, but it can maintain specific application+port rules. That way, rogue malware can't hijack commonly used ports, such as port 80. It also would prevent worms/viruses that use their own SMTP engine.
Data security should always be a layered approach. Take care of different threats with different (appropriate) defenses.
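Added example, not from any of the posts above: an iptables-restore ruleset for a Linux box like the Slackware/netfilter setup mentioned earlier, pulling together the points made in this thread, namely default-drop inbound ("stealth"), a ZoneAlarm-style "Local Zone" for ports 135-139, ident (113) answered as closed rather than stealthed, and outbound filtering where netfilter's owner match stands in for a personal firewall's application+port rule. The LAN range and the mail user's uid are assumptions; rules are only applied when APPLY=yes is set and the script runs as root.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset that models the thread's
# layered approach. Arguments: trusted LAN CIDR ("Local Zone") and the uid of
# the one account allowed to speak SMTP (both assumed values for illustration).
build_ruleset() {
    lan="$1"        # e.g. 192.168.1.0/24
    mail_uid="$2"   # uid of the mail client's account
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Inbound: loopback and replies to connections this host started.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# File/print sharing only from the local zone; invisible from anywhere else.
-A INPUT -s $lan -p tcp --dport 135:139 -j ACCEPT
-A INPUT -s $lan -p udp --dport 137:139 -j ACCEPT
# Ident: answer "closed" (RST) instead of dropping, the trade-off discussed above.
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Everything else inbound falls through to the DROP policy (stealthed).
# Outbound: only named services may leave. The owner match is the closest
# netfilter analogue of a personal firewall's application+port rule.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m owner --uid-owner $mail_uid -j ACCEPT
# Anything else (a worm's own SMTP engine, a leak-test tool) is logged, then
# dropped by the policy, so the leak shows up in the log instead of succeeding.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
COMMIT
EOF
}

# Apply only on explicit request, as root, on a host with netfilter tools.
if [ "${APPLY:-no}" = yes ] && [ "$(id -u)" -eq 0 ] \
   && command -v iptables-restore >/dev/null 2>&1; then
    build_ruleset "${LAN:-192.168.1.0/24}" "${MAIL_UID:-1000}" | iptables-restore
fi
```

Run with `APPLY=yes LAN=192.168.1.0/24 MAIL_UID=1000 sh firewall.sh` as root to load it; without APPLY the script only defines the generator, so `build_ruleset 192.168.1.0/24 1000` can be inspected first.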
This is just one more case where an excellent area of inquiry is ruined by the wording of a Slashdot article, and by people trying to show how much they know without saying anything that could actually be used by someone else.
The article at Flexbeta should not be worded, "An In-depth Look at Firewalls", it should be "An In-depth Look at Small System Firewalls". Most single computers or small LANs have no servers.
The parent post is considering an important issue for systems of 100 users. Systems that large are far out of the scope of the Flexbeta article.
We need two Slashdot articles on firewalls, one for small systems, and one for more complex LANs.
The Flexbeta article considered only Linksys (now owned by Cisco) and D-Link small system hardware firewalls. It did not consider Airlink Plus and Netgear.
I got burned with poor technical support from Cisco. Also, Cisco stopped supporting its 675 router. I don't want to be involved with Cisco again, so Linksys is out, especially because of the confused Linksys web site. Cisco has an enormous conflict of interest. If Linksys sells good firewalls, it will mean Cisco sells fewer.
So, which is the better hardware firewall, D-Link DI-604, or the Netgear RP614?