http://www.advogato.org/person/kazen/ Advogato blog for kazen en-us mod_virgule Sun, 7 Sep 2008 10:23:52 GMT Fri, 21 Jul 2000 22:51:38 GMT http://www.advogato.org/person/kazen/diary.html?start=1 http://www.advogato.org/person/kazen/diary.html?start=1 Every once in a while the powers that be throw something at you to make you realize what a bubble you live in. Today was my day. <p> One of my clients is a bank whom I've installed a Linux based firewall for. Earlier this month they contracted a "Security Expert" to audit their entire network. They start off by saying how the firewall is a security risk because "Linux is a public domain operating system where information on firewalls that run on Linux is easily found." Let me just quote here some of their recomendations: <blockquote> Currently, firewall protection is running on a 386 clone running Linux Slackware version 7. After discussing the firewall configuration with the Internet Service Provider, it was determined that IP Chains are implemented for protection against outside intruders. IP Chains is an access-list only based application that does not monitor stateful sessions. This makes the firewall vulnerable to attacks where the TCP sequence numbers can be guessed and potentially compromise [The Bank]'s security. <p> <strong>Recommendation</strong><BR> [name of security company] recommends the purchase of a certified firewall capable of the following features:<BR> Implement an ICSA certified firewall capable of initiating and monitoring stateful IP sessions<BR> Implement a firewall capable of randomizing TCP sequence numbers. </blockquote> And of course it just so happens that it is <em>not</em> Slack 7.0 and it is <em>not</em> using IPChains... <p> Last time I checked things out with nMap the TCP sequence numbers generated by the Linux TCP/IP stack were "Random Positive Increments." ... <p> For most things I do Linux is the best tool for the job, and my customers respect my ability, so it has been a long time since I was actually slapped in the real world with "Linux is less secure because anyone can look at it." Thu, 20 Jul 2000 20:58:07 GMT http://www.advogato.org/person/kazen/diary.html?start=0 http://www.advogato.org/person/kazen/diary.html?start=0 Saw the Salon article reference over at sendmail.net. Decided I like this a lot better than some other implementations. I'm curious to see how it will stand up. Sometimes things can be killed by too much success, I've already seen mention in the diaries of people I admire that, its recently beyond the point when you could read all the diary updates everyday. <P> Here's hoping that my latest project will be to a point where I can ask for help before I find out someone already has a solution...