 From:  Jim Gifford <jim at giffords dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Feature creep vs. security
 Date:  Tue, 27 Jan 2004 12:59:06 -0500
On Tue, Jan 27, 2004 at 12:01:42PM -0500, Mark Spieth wrote:
> >> In a home network, having everything in one box isn't as risky.  For
> >> one thing, home networks aren't "juicy" targets like company networks are.
> This is an extremely incorrect statement. In fact, most script kiddies
> (which comprise most of the hacking attempts) do huge scans on network
> addresses; they have no idea who they are hacking, and would hack a home
> machine first, as you are less likely to get caught or even have the end
> user know the system was compromised. Once the home machine is hacked
> they will then use it to go after other systems.

You are correct, that statement taken out of context is just plain wrong.

The point I obviously didn't make clearly enough is this:  Given
a network with an edge device performing firewall functions, with no
externally accessible services, a corporate network is a juicier target
for crackers than a home network.

If a provider's IP address space is scanned, and 50% of the machines
have a firewall of some type, and the other half don't, the scanners
will simply skip the ones that are protected and go for the easy kill.

And the simple fact of the matter is that those cheesy boxes from D-Link
and Linksys provide a sufficient amount of protection for most home
users, even though I would argue that they aren't true firewalls.

I fear this thread has gotten way off topic, and I'm afraid that I
contributed to that.  I apologize for that.  Here's an attempt to get
back on topic.

My opinion about feature creep in m0n0wall:  I love m0n0wall the way it
is, and have no wish for any other features.  In my mind, it has achieved
the target.

I recognize that it might not meet all the needs of all the current
users.  Some things might make sense to add to m0n0wall in the context of
a SOHO router/firewall/nat box.  I have confidence in Manuel's vision for
m0n0wall and believe he will not bloat the software.

If some new feature (like say, NTP serving on internal interfaces) is
added, I don't have a problem with that, as long as I have the option to
disable it.

If m0n0wall starts to bloat beyond what is acceptable to me, I always
have the option of building my own firewall system.  That's what Manuel
did when he built m0n0wall.  That is a decision I will have to make for
myself if that point ever arrives.  I seriously doubt it will.  After
all, I have to admit I used smoothwall for several years even when I
didn't like parts of it.

If someone wanted to build a kitchen-sink system based around the m0n0
design, I might even enjoy helping with that.  But I would still want
a minimal firewall for myself.

I would hate to see m0n0wall itself become something like a fileserver.
I personally feel that type of function doesn't belong in an edge device.
Someone backing their system up to the fileserver shouldn't affect
internet access performance, and in such a device it certainly could.

On a side note, I just ordered 2 4801s, one for myself and one for my
parents, to be running m0n0wall.  I think this will reduce my support
load with my parents, and will reduce space requirements in their already
crowded computer room.  Besides, that machine they're currently using
could make a decent Linux play machine for dad.

Thanks everyone for all the lively discussion.  I have enjoyed it.
Again, I apologize for the extent of the tangent.