[KLUG Members] Re: Broadband firewalls.

Jamie McCarthy members@kalamazoolinux.org
Sat, 7 Dec 2002 13:12:30 -0500


b.j.smith@ieee.org (Bryan J. Smith) writes:

> Quoting Jamie McCarthy <jamie@mccarthy.vg>:
> > So far I'm quite happy with it.  Configuration was easy, much
> > easier than either OpenBSD or the Airport Base Station, and
> > I'm confident about security.
> 
> Ease of configuration is usually not a good indicator of level
> of security.  I usually find the two inversely proportional.

True -- though it's a weaker and weaker correlation in recent years,
I think.  Certainly there's no inherent necessity that bad UI design
and good security design need to travel together!

> Cheap, stateless firewall appliances usually suck badly when
> compared to a stateful Linux 2.4 firewall.

For my needs, it doesn't matter.  I don't have a DMZ, I'm not
running any servers that are visible to the outside.  Nothing gets
onto my home network except in response to connections I initiate.

My only concern is that there will be discovered denial-of-service
or compromise attacks on the hardware.  And I am more confident
that my current setup is secure than the OpenBSD box before.

Which may seem odd to say.  OpenBSD is considered the gold standard
for security in PC-hardware unix operating systems.  Why does this
single-purpose closed box inspire more confidence in me?

Because OpenBSD is also fairly complex.  In the two or three years I
had it running, my version (2.8) got left behind.  Instructions for
keeping up with the latest patches were not terribly clear and
sometimes contradictory.  When the big ssh/ssl attack came out
(earlier this year I think), I applied what I believed to be a
preventative patch, by hand, and recompiled and reinstalled by hand.
Then the official patch was released but I couldn't figure out what
I was doing wrong because it obviously didn't apply to my system.
Then I think the official patch for my version came out later but I
had already screwed things up.

I was probably totally secure all that time; the most important
thing would have been properly configuring sshd and my openssl
daemons to only respond on the LAN NIC, not the internet NIC.
But I just wasn't sure I was applying patches properly, and that's
when people get into trouble.

Now I just watch bugtraq.  If something about any NetGear product
comes over the wire, I'll notice, and I'll update the firmware.
Searching for past problems with similar NetGear products turns up
a workaround for its censorware (which I don't use) and a note
about how passwords appear in plaintext if you dump the firmware
to disk (and I would always treat those backups securely anyway,
there's other sensitive info besides passwords).  So the track
record looks pretty good and I think I'll be fine.

The big win is that there's no hard drive on this box and there
are no rootkits for it.
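The stateless-versus-stateful distinction raised in this thread, as an added toy illustration (not code from the original post or from any NetGear or Linux firewall): a stateless filter can only judge inbound packets by their flags, so a forged ACK gets through, while a stateful tracker admits only replies to flows the LAN actually opened. The LAN prefix and the packets are constructed for the example.

```python
# Added example: stateless flag-based filtering vs. stateful flow tracking.
# The LAN prefix and all packets below are constructed sample data.
from dataclasses import dataclass

LAN = "192.168.1."  # assumed home LAN prefix for the example


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False


def stateless_allow(pkt):
    """Stateless rule: outbound always passes; inbound passes if ACK is set,
    the only 'established' hint a stateless filter has.  Anyone can set ACK."""
    if pkt.src.startswith(LAN):
        return True
    return pkt.ack


class StatefulFirewall:
    """Stateful rule: remember flows the LAN initiated and admit inbound
    packets only when they match a remembered flow in reverse."""

    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if pkt.src.startswith(LAN):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run(allow, packets):
    """Apply a filter function to each packet in order; return the verdicts."""
    return [allow(p) for p in packets]


# Constructed traffic: a LAN host opens a web connection, the server replies,
# then an unrelated outside host sends a probe with ACK forged on.
PACKETS = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80),
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, ack=True),
    Packet("198.51.100.7", 1234, "192.168.1.10", 22, ack=True),
]
```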