Linux Netfilter discussions
From: "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>
To: Michael Gale <michael.gale@utilitran.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Netfilter vs commercial
Date: Mon, 09 Aug 2004 12:02:52 -0400
Message-ID: <1092067371.18395.89.camel@localhost>
In-Reply-To: <20040809093022.5842e85e@mgalepc.utilitran.com>

On Mon, 2004-08-09 at 11:30, Michael Gale wrote:
> Hello,
> 
> I know this question has most likely come up a few times and most people ask about performance and throughput. But my
> question seems to me a little different.
> 
> I would like to know how people on this list ... which I know might be a biased opinion feel how a Netfilter firewall
> box .. properly configured would compare in security to a commercial firewall. 
> 
> I do not want to compare performance or stats on throughput but the strength of the firewall. The reason I am asking is
> that at the moment we are using Netfilter based firewalls on which I have set up Squid and Frox and many other application
> level filters.
> 
> Now some people in the company want to replace them with CheckPoints or WatchGuard firewalls. Which is fine ... security
> should be done in layers ... but the way I see it I will still need the linux boxes to run squid and frox unless the
> appliance allows you to install software from other sources (most likely not) or use custom config files (like my own
> squid.conf -- most likely not).

It's a difficult question to answer without access to the internals of
the proprietary products.  I would assume the basic stateful inspection
engine of netfilter is weaker than that of Checkpoint.  However, this
may very well be remedied when one adds the window tracking patch.

Other internals remain a bit of a mystery.  For example, if I remember
correctly, one can specify MSRPC as a protocol with Checkpoint and it
will properly handle the port shift.  On the other hand, one cannot do
this in netfilter.  One must open 135/tcp and then all high ports.  Yes,
I know that one should never do this on the Internet but what about
internal firewalling and VPN firewalls?  Now it could very well be that
that is all Checkpoint does but they've simplified it in the user interface.
I do know that we have had to do that with other commercially available
firewalls.

There are two other important issues of security that do not necessarily
relate to the actual internals.  One is how well the management
interface shields one from human error.  For example, this is one of the
chief advantages of the ISCS interface for netfilter
(http://iscs.sourceforge.net).  Not only does it reduce the time to
configure security by over 90% but it dramatically reduces the exposure
to human error.  Unfortunately, it has not yet been released.  On the
other hand, from what I recall, the WatchGuard and Checkpoint interfaces
are really just GUI rule configurators and do little to insulate the
administrator against human error (such as putting a rule in the wrong
order or making it conflict with another subsystem like NAT or VPN).  I
believe all of the other user interfaces for netfilter also fall into
this rule configurator category.

Finally, there is the degree of control.  This is where netfilter has a
distinct advantage.  The degree of flexibility that one has to configure
netfilter to do exactly what one wants it to do by command line or
script or even editing the source code is outstanding.  One can also
tinker with the related subsystems such as iproute2 or *swan to
coordinate various security and network activities to an extraordinary
level.  I do not recall such flexibility in other products.

I do hope this is the type of answer you were looking for - John
-- 
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
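The message above names rule ordering and conflicts between rules as the human errors a management interface should catch. The following is an added example, not code from this thread, from ISCS or from netfilter: a small audit of an ordered filter chain under first-match evaluation, with a simplified rule model (protocol, source network, destination network, destination port range, action). The sample chain, addresses and rule names are constructed for illustration; it includes the 135/tcp plus high-ports pattern the message describes, restricted to an internal source network.

```python
"""Audit an ordered firewall chain for shadowed and cross-conflicting rules.

Added example, not code from the list thread, ISCS or netfilter. It models
first-match evaluation of a filter chain and reports two human-error
patterns: a rule that can never match because an earlier rule already
covers it, and two rules with different actions whose match sets overlap
without either containing the other (so rule order alone decides).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                 # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dports: Tuple[int, int]    # inclusive destination port range
    action: str                # "ACCEPT" or "DROP"


def rule(name: str, proto: str, src: str, dst: str,
         dports: Tuple[int, int], action: str) -> Rule:
    """Build a Rule from CIDR strings (hypothetical helper for the sample)."""
    return Rule(name, proto, ip_network(src), ip_network(dst), dports, action)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.dports[0] <= inner.dports[0]
            and inner.dports[1] <= outer.dports[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet matches both rules."""
    return (("any" in (a.proto, b.proto) or a.proto == b.proto)
            and a.src.overlaps(b.src)
            and a.dst.overlaps(b.dst)
            and a.dports[0] <= b.dports[1]
            and b.dports[0] <= a.dports[1])


def audit(chain: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (finding, earlier_rule, later_rule) triples.

    'shadowed': the later rule can never fire under first-match evaluation.
    'conflict': the rules disagree on action and partially overlap, so the
    outcome for the overlapping traffic depends purely on rule order.
    A specific rule placed before a broader one (an exception carved out of
    a catch-all) is the normal pattern and is not reported.
    """
    findings = []
    for i, later in enumerate(chain):
        for earlier in chain[:i]:
            if covers(earlier, later):
                findings.append(("shadowed", earlier.name, later.name))
                break
            if (earlier.action != later.action and overlaps(earlier, later)
                    and not covers(later, earlier)):
                findings.append(("conflict", earlier.name, later.name))
    return findings


# Constructed sample chain with hypothetical addresses. The first two rules
# are the MSRPC pattern from the message: endpoint mapper on 135/tcp plus
# the dynamic high ports, limited to an internal source network. The
# quarantine drop was added after them and only partly overlaps, and the
# branch-office web rule is fully shadowed by the general web rule.
SAMPLE_CHAIN = [
    rule("allow-rpc-mapper", "tcp", "10.1.0.0/16", "10.2.0.10/32", (135, 135), "ACCEPT"),
    rule("allow-rpc-high", "tcp", "10.1.0.0/16", "10.2.0.10/32", (1024, 65535), "ACCEPT"),
    rule("drop-quarantine", "tcp", "10.1.5.0/24", "10.2.0.0/24", (1024, 65535), "DROP"),
    rule("allow-web", "tcp", "0.0.0.0/0", "10.2.0.20/32", (80, 80), "ACCEPT"),
    rule("allow-web-branch", "tcp", "192.168.0.0/24", "10.2.0.20/32", (80, 80), "ACCEPT"),
    rule("drop-all", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535), "DROP"),
]

if __name__ == "__main__":
    for kind, earlier, later in audit(SAMPLE_CHAIN):
        print(f"{kind}: '{later}' vs earlier '{earlier}'")
```

On the sample chain the audit reports that `drop-quarantine` conflicts with the earlier `allow-rpc-high` (the quarantined subnet still reaches the RPC host's high ports because the allow comes first) and that `allow-web-branch` is shadowed by `allow-web`. The final catch-all drop is not reported, since every earlier accept is a proper subset of it, which is the intended specific-before-general layout.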
