Re: [cobalt-security] Qube2 Firewall "feature"
- Subject: Re: [cobalt-security] Qube2 Firewall "feature"
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Fri, 17 Mar 2000 22:16:04 -0800
- Organization: nobaloney.net
Malcolm McLeary wrote:
> >The Qube2 features IP firewalling, which is a simple form of a firewall,
> >whereby the Qube2 begins to process a packet and determine whether or not
> >it came from an acceptable IP address. This is not a fully functional
> >firewall, and should not be considered such.
> >
> >A firewall is a group of related programs that protects a network's
> >resources from users from other networks. This is usually accomplished by
> >running such software on a dedicated machine, separate from the other
> >machines in an organization's intranet. Using the Qube 2 as a firewall
> >could compromise your security, as it is your server. Such a situation
> >would expose your network resources to outside users.
>
> So if I read this right, although the feature is called a firewall, it
> isn't and Cobalt recommend NOT to use it.
Cobalt is pointing out that a firewall should really be on a separate
machine. You shouldn't be connected to your firewall machine by any
method other than one data stream that does nothing except go through
the firewall.
By running firewall software on a box on which you're running something
else you've seriously compromised its ability to use it as a firewall.
> So why include it at all?
Because you could use the system as just a firewall if you want to.
Personally, I think it's okay to use a firewall box as a mailserver, and
also as a webserver, but only for insecure sites.
> Can it serve any purpose?
Just stated above.
> I am looking at a situation where NAT is being used so the only "visible"
> host will be the Qube2. It appears to me that it can only filter packets
> destined to itself, hence you could restrict external access to Qube2
> based services while still permitting internal access to the same
> services.
Until someone finds a hole.
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
nobaloney.net
P. O. Box 52672
Riverside, CA 92517
voice: (909) 787-8589 * fax: (909) 782-0205
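The NAT scenario discussed in the thread, modelled as an added example (not code from the original post or from Cobalt): a host-based filter that only reaches a verdict on packets addressed to the Qube2 itself, allows the internal LAN to reach any local service, and exposes only selected services to the outside. The addresses, the LAN subnet and the choice of public ports are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Assumed addressing: the NAT-side LAN and the Qube2's single public address.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
QUBE2_ADDR = ipaddress.ip_address("203.0.113.10")

# Assumed policy: only these Qube2 services are reachable from outside.
PUBLIC_PORTS = {25, 80}


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int


def host_filter(pkt: Packet) -> str:
    """Return 'accept', 'drop' or 'not-for-this-host' for one packet."""
    if ipaddress.ip_address(pkt.dst) != QUBE2_ADDR:
        # As the thread notes, the Qube2 can only filter packets destined
        # to itself; behind NAT nothing else is externally visible anyway.
        return "not-for-this-host"
    if ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return "accept"          # internal hosts may use every local service
    if pkt.dport in PUBLIC_PORTS:
        return "accept"          # outsiders get only the public services
    return "drop"                # default deny for all other outside traffic


# Constructed sample traffic: LAN admin, outsider to ssh, outsider to web,
# outsider to a LAN host.
SAMPLE_PACKETS = [
    Packet("192.168.1.20", "203.0.113.10", 22),
    Packet("198.51.100.7", "203.0.113.10", 22),
    Packet("198.51.100.7", "203.0.113.10", 80),
    Packet("198.51.100.7", "192.168.1.20", 80),
]


def evaluate(packets=SAMPLE_PACKETS) -> list:
    """Apply the filter to a list of packets and return the verdicts."""
    return [host_filter(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, evaluate()):
        print(f"{p.src:>14} -> {p.dst}:{p.dport:<3} {verdict}")
```

The model also makes Jeff's caveat concrete: the verdict is taken on the same box that runs the services, so a hole in any accepted service sits beside the filter rather than behind it.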