lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1137580131.5210.59.camel@grag.oblog.local>
Date: Wed Jan 18 10:35:24 2006
From: juliao.duartenn at oblog.pt (Juliao Duartenn)
Subject: PC Firewall Choices

On Tue, 2006-01-17 at 23:33 -0500, greybrimstone@....com wrote:
> Thats assuming that malware isn't being designed for that firewall. I'm 
> sure you already know that software is software regardless of the 
> hardware that it is running on. Likewise a vulnerability is still a 
> vulnerability...
> 
> I suppose you could r/o the system... but you need to write the confs 
> somewhere right?
> 
> -Adriel
> 

Configuration on a hardware firewall is usually a pretty stable thing -
you don't go around opening ports at random every day, now do you?

Most modern {linux|bsd} firewall implementations can now run from a
read-only device, namely CD-ROM, and also write their configuration to a
removable device that you can manually set RW or RO - floppy, USB pen,
etc.

Of course, since most implementations mount parts of the filesystem into
RAM, you're still vulnerable to attacks, they are merely non-permanent,
if you reboot you are clean again, albeit with the original hole still
present, i'd say.

There are, of course, solutions for that too, but I still haven't seen
one that really works - meaning that it can detect and prevent tampering
in real-time. The best thing I can remember is running tripwire against
a RO database on CD, but that can still be tampered with. Any thoughts?

Juliao


> -----Original Message-----
> From: Valdis.Kletnieks@...edu
> To: Nick Hyatt <me@...t.org>
> Cc: full-disclosure@...ts.grok.org.uk
> Sent: Tue, 17 Jan 2006 21:08:39 -0500
> Subject: Re: [Full-disclosure] PC Firewall Choices
> 
>   On Tue, 17 Jan 2006 18:59:52 MST, Nick Hyatt said:
> > Given the choice between one of those selections and a standard 
> Linksys
> > router / firewall combo, wouldn't it be safer to go with the hardware
> > firewall? I find the configuration options to be quite a bit more 
> in-depth,
> > and the hardware firewall doesn't get itself as stuck in the system 
> as say,
> > ZA does.
> 
> Even more important, a hardware firewall can't be compromised as easily
> by malware that's on a host behind the firewall.  It's easy for a 
> program
> on a PC to tell ZA to look the other way.  It's a little harder for it 
> to
> tell a hardware firewall to look the other way.
> 
> Unless of course, the firewall implements the UPnP "Pants Down!" RPC.. 
> ;)
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ