 From:  Jim Gifford <jim at giffords dot net>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Suggestions
 Date:  Wed, 7 Apr 2004 13:24:43 -0400

> PHP
> ---
> I hate to say it... but PHP in itself shouts insecurity. Every white/gray hat
> I've spoken to has said they would not use m0n0wall because it has PHP on it.

I've written 3 responses to this email so far due to my own reaction to
this statement, and thrown all three away as being too inflammatory.  So
now, I'm trying to address just this one issue without getting angry.

In my opinion, this is a fallacious argument.  Before anyone gets upset,
let me explain.

PHP's use in m0n0wall is simply for the management of the master
configuration file, and for the conversion of the master configuration
file into config files for all the existing utilities.  PHP isn't doing
packet filtering.  PHP isn't doing packet shaping.  PHP isn't doing
the DHCP serving.  PHP isn't analyzing the raw traffic.  PHP never even
sees the network traffic (except the http/https traffic on the LAN to
the management web server).

The web server is by default only enabled on the LAN.  In a home or SOHO
environment, the LAN is mostly trusted.  Granted, in a larger
environment, that isn't the same.

Anyone that would want m0n0wall to be more secure (i.e., don't trust the
LAN users) can easily set it up to have the LAN interface really be an
administration interface with restricted physical access to that network,
and use another interface for the less trusted traffic.

Any good security admin will realize this, and will plan accordingly.
Out of the box, m0n0wall is far better than many other products out there
as far as being secure and having a good set of default behaviors.  In
most cases, m0n0wall's defaults are "good enough".

If someone can get to the administrative interface port, it isn't
that different from them having physical access to the device itself.
Once someone has access to the management interface port, they can do all
sorts of malicious things to attempt to break in.  Being done in PHP or
shell or Perl or C or C++ or <insert favorite language of the day here>
won't change that fact.  All languages can have well written and secure
code or poorly written and very insecure code.

As security is all about layers, simply prevent the malicious people from
getting to the layer you don't trust, and things should be OK.  Granted,
it isn't quite *that* simple, but you get the idea.

Personally, I've heard people go "freebsd?  no, I don't want to learn
another OS" when I've talked about m0n0wall.  I usually shrug and leave
them alone.  Someone that isn't willing to give something a fair trial
isn't worth me wasting my time on.

I'm a long-time Linux user (since March of 1992), a big-time fan of Perl
(PHP gives me the willies when I try to program it), and prefer CLIs
over GUIs in many situations.  Many Linux users are zealots that want
Linux to be in everything they have.  Many Perl users are anti-PHP.
Many Unix people are anti-GUI.  I find that m0n0wall, while neither
based on Linux, nor based on Perl, nor being CLI based, is exactly
the right tool for my network security needs.  Interestingly enough,
Smoothwall is based on Linux and Perl and does have access to its
command line, yet I replaced it with m0n0wall.  That doesn't mean that
Smoothwall is bad, just that it wasn't the right tool for my needs.

I hope this doesn't come across as inflammatory; I've really tried to be
calm and objective as much as I can in this email.

thanks for your time,
jim gifford