Great Circle Associates Firewalls
(March 1998)
 


Subject: Re: Linux firewall question.
From: Christophe Dupre <cdupre @ risq . qc . ca>
Organization: RISQ - http://www.risq.qc.ca/
Date: Mon, 09 Mar 1998 10:36:22 -0500
To: Bennett Todd <bet @ rahul . net>
Cc: firewalls @ GreatCircle . COM, speed @ barney . iamerica . net
In-reply-to: Your message of "Fri, 06 Mar 1998 04:24:05 PST." <199803061224 . AA09119 @ waltz . rahul . net>

> >Am I off base to insist on _not_ using loadable modules.
> 
> No, and maybe:-). It really depends.
> 
> One school of thought says that it's _Always_ better to secure a
> firewall in absolutely every way possible, and that all other things
> being equal simpler is more secure, so doing away with the whole
> module-loading subsystem is a win. Likewise statically link all the
> binaries you don't delete and do away with ld.so and all the shared
> library stuff.
> 
> Another school of thought says to stick close to stock releases and
> don't do a lot of unnecessary custom hacking; leverage as much as
> possible off mainstream upgrades and patches for tracking security
> fixes, and only go non-standard where needed to fix known security
> holes.

Agreed.

Although not using modules may save you memory: each module takes a certain 
amount of pages, a page being 4Kb of memory. So on average you waste 2 Kb of 
memory per module loaded. This is most probably not much, but on a small 386 
managing a 64 Kb ISDN line, you may put a firewall with only 8 megs (it's not 
trivial to find a 386 with more than that...), and then those few Ks wasted 
mean less memory available for network buffers.
This may or may not be an issue, depending on your hardware and network speed.


> I've never heard of any remote-exploitable bug with dynamic module
> loading. If you've allowed an intruder to log in to your firewall you've
> already lost the game; I don't worry nearly as much about
> exploitable-after-you're-logged-in holes as I do about
> remote-exploitable holes.

There's one issue with firewalls allowing module loading: if an attacker gets root, he may load a module that will prevent the administrator from detecting the intrusion, such as hiding the network connection in netstat, hiding the additional processes, hiding the additional module...

Regards,
-- 

Christophe Dupre
Systems analyst, 
RISQ inc. ;-)
1801 McGill College, suite 800           Tel: (514) 840-1235, ext 6971
Montreal, QC CANADA                      FAX: (514) 840-1244

"We are not free to not be free; we are obliged to be so"  -  Fernando Savater

#include <disclaimer.h>
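The thread's two points, whether a firewall kernel can still load modules at runtime and whether a loaded module can hide itself from the module list, can be checked from a shell. The script below is an added example, not part of the original message; it assumes a current Linux layout (`/proc/modules`, the `kernel.modules_disabled` sysctl exposed as `/proc/sys/kernel/modules_disabled`, and one `/sys/module/<name>/` directory per module, where only a module loaded at runtime carries an `initstate` file). Paths are parameters so the functions can be exercised on constructed copies.

```shell
#!/bin/sh
# Added example (not from the original post). Two defender checks for a
# Linux firewall host:
#   1. can modules still be loaded at runtime?
#   2. does every runtime-loaded module under /sys/module still appear in
#      /proc/modules (a module unlinked from the list lsmod reads is a
#      classic way of hiding, as the post describes)?
# Assumed layout: /proc/modules has one module per line, name first;
# /sys/module/<name>/initstate exists only for modules loaded at runtime,
# not for code built into the kernel.

# module_loading_state MODULES_DISABLED_FILE MODULES_FILE
# Prints: no-modules (kernel built without module support),
#         locked     (kernel.modules_disabled=1, cannot be undone until reboot),
#         open       (modules can still be loaded by root).
module_loading_state() {
    modules_disabled_file=$1
    modules_file=$2
    if [ ! -e "$modules_file" ]; then
        echo no-modules
    elif [ -r "$modules_disabled_file" ] &&
         [ "$(cat "$modules_disabled_file")" = "1" ]; then
        echo locked
    else
        echo open
    fi
}

# unlisted_sysfs_modules MODULES_FILE SYS_MODULE_DIR
# Prints the name of every runtime-loaded module (has an initstate file)
# that is missing from MODULES_FILE. On a healthy host this prints nothing.
unlisted_sysfs_modules() {
    modules_file=$1
    sys_dir=$2
    for d in "$sys_dir"/*/; do
        [ -f "$d/initstate" ] || continue       # skip built-in entries
        name=$(basename "$d")
        awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' \
            "$modules_file" || echo "$name"
    done
}

# Run the checks against the live system when invoked with --live.
if [ "${1-}" = "--live" ]; then
    echo "module loading: $(module_loading_state \
        /proc/sys/kernel/modules_disabled /proc/modules)"
    echo "loaded but unlisted modules:"
    unlisted_sysfs_modules /proc/modules /sys/module
fi
```

A name printed by the second check is a lead to investigate, not proof by itself; a kernel built without module support (the thread's preferred option) makes both checks moot.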



