[ previous ] [ next ] [ threads ]
 From:  Jim Gifford <jim at giffords dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Feature request which would make m0n0wall even better ;)
 Date:  Tue, 27 Jan 2004 11:48:54 -0500
On Tue, Jan 27, 2004 at 11:08:50AM -0500, Mark Spieth wrote:
> This is BAD BAD BAD BAD BAD! I can repeat it some more if you want... A
> firewall should just be a firewall period end of story. If people would
> keep things updated, then it might be a different case, But they won't,
> hell I still see code red attacks out there.. 

For a company network, the firewall should only do firewall.  Separate
secure boxes inside the network should provide additional services.

In a home network, having everything in one box isn't as risky.  For one
thing, home networks aren't "juicy" targets like company networks are.

A real world physical example that might put this into perspective:

    At the last place I worked, we had proximity access cards.  You
    needed the card to get in the front door outside of normal hours.
    You needed the card to access the stairs and elevator from the
    ground floor.  You needed the card to access the machine rooms.
    There is a complicated alarm system, with dialout and cellular links
    to contact the alarm monitoring people.

    In my house, I have 1 key that fits both doors, and I keep the
    doors locked at all times (aside from during egress/ingress).
    I don't have a fancy alarm system.  I have one cat that might love
    an intruder to death.  I have several computers, some expensive home
    entertainment equipment, and standard appliances and furniture.

I don't have as strong or as expensive a security setup at home as they
had at work.  On the other hand, I have less than 30,000 dollars worth of
stuff (that is likely a very high number actually), whereas the company
had several tens of millions of dollars worth of equipment.  Their risk
was greater, so their security measures were greater.

> The end result is and will be that these insecure *nix boxes running all
> this extra software, will get hacked, now personally if you put extra
> stuff on your firewall and it gets hacked, and the hacker then deletes
> all your companies accounting files so that you don't get a paycheck, I
> really could care less, But that won't be the end of it, They will then
> use that hacked box to go hacking other peoples boxes including ones I
> manage and that's where I have a problem. You want NTP etc.. Go buy a
> $25.00 PII300 used box and run NTP behind your firewall, no guarantee it
> won't get hacked, But your chances are much better than running it,
> samba and a whole mess of other things on your box...

In a home, many people *will not* dedicate 5 computers just for
"infrastructure".  1 or 2 perhaps, but even that is a stretch.  m0n0wall
on a soekris has the benefit of looking like a device instead of a
computer.  *grin*  In a home, people often don't have a DMZ, nor do they
generally need one.

If someone is running a network gateway with a lot of extra services
(including firewall, etc), and they are aware of the risks, then if they
get compromised, they will have to live with that.

I personally will be having my firewall only be a firewall (and once I
get my big server rebuilt, I'll turn off DHCP on the m0n0wall and put it
on the server instead).

Also consider that every extra machine you add has an OS and software
that must be kept up to date.  Someone has to manage that machine,
and stay on top of patches.  In a company network those costs are
expected.  In a home network, most people simply want things to work
without having to spend a lot of time making them work.

> Mark