[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] Qube2 Firewall "feature"



Malcolm McLeary wrote:

> >The Qube2 features IP firewalling, which is a simple form of a firewall,
> >whereby the Qube2 begins to process a packet and determine whether or not
> >it came from an acceptable IP address. This is not a fully functional
> >firewall, and should not be considered such.
> >
> >A firewall is a group of related programs that protects a network's
> >resources from users from other networks. This is usually accomplished by
> >running such software on a dedicated machine, separate from the other
> >machines in an organization's intranet. Using the Qube 2 as a firewall
> >could compromise your security, as it is your server. Such a situation
> >would expose your network resources to outside users.
> 
> So if I read this right, although the feature is called a firewall, its
> isn't and Cobalt recommend NOT to use it.

Cobalt is pointing out that a firewall should really be on a separate
machine.  You shouldn't be connected to your firewall machine by any
method other than one data stream that does nothing except go through
the firewall.

By running firwall software on a box on which you're running something
else you've seriously compromised it's ability to use it as a firewall.

> So why include it at all?

Because you could use the system as just a firewall if you want to. 
Personally, I think it's okay to use a firewall box as a mailserver, and
also as a webserver, but only for insecure sites.

> Can it serve any purpose?

Just stated above.

> I am looking at a situation where NAT is being used so the only "visible"
> host will be the Qube2.  It appears to me that it can only filter packets
> destined to itself, hence you could restrict external access to Qube2
> based services while still permitting internal access to the same
> services.

Until someone finds a hole.

-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
nobaloney.net
P. O. Box 52672
Riverside, CA  92517
voice: (909) 787-8589  *  fax: (909) 782-0205




Sun Cobalt and Linux Support by Zeffie.com
A Sun Cobalt and Linux Support Specialist Since 1999
Sun Cobalt Support, Repairs, Development, and Maintenance.
Home of the Worlds Largest Collection of Sun Cobalt Updates!
Sun Cobalt Spam Filter, Security, Firewall, Anti Virus Products.
734-454-9117 US Toll Free 800-231-4459

Zeffie's Sun Cobalt User Forums
Zeffie's Sun Cobalt Restore CD's   Zeffie's Sun Cobalt Updates  
Sun Cobalt Users List   Sun Cobalt Security List   Sun Cobalt Developers List

Click here to buy me a drink at the local pub!
(includes tip and paypal fees)

Copyright 2009 by Electronic Consultants Inc.