I'll give it to the WRT54G that it fits the category of a packet filtering
FW router, unlike the other Linksys products that I have seen and used, but
I am being told otherwise.
Anyone have any comments on this? I would appreciate it.
Duane :)
Thanks
You would not believe what I am going through in a wireless NG about a 54G
and a WG. :)
Duane :)
>I am being told that because the WRT54G Linksys NAT router uses NAT,
>IPtables, SPI and proxies it is now considered to be a FW appliance like a
>Watchguard.
>
If it's running the excellent sveasoft firmware, I would consider it to be
such.
greg
--
"Access to a waiting list is not access to health care"
Are you referring to the 3 categories [res, smb, corp] of ICSA labs 4.1
firewall certification or something else, ie some other certification?
I guess I'm asking -- 'does certification as a firewall = ICSA labs 4.1
certification as any category above, or does certification as a firewall
mean something else?'
--
Mike Easter
>> If it's running the excellent sveasoft firmware, I would consider it to be
>> such.
>
>Send me a link to where it's passed any certification as a firewall.
Which has *what* to do with the price of fish?
Try persuading me that the OpenBSD packet filter
http://www.openbsd.org/faq/pf/index.html
as used on OpenBSD, NetBSD & FreeBSD somehow isn't a firewall because it's
lacking 'certification'. Better still ask Theo that question.
Better still please tell the audience why IPFilter
http://coombs.anu.edu.au/~avalon/
which runs on over half a dozen platforms and is shipped and supported by
Sun as standard on Solaris, is lacking in the firewall dept just because
it lacks thinly disguised marketing bollocks called 'certification'.
I refrain from recommending products purely on the basis of a tickbox
marked 'certification'.
If you had spent five minutes figuring out how and why Sveasoft manages to
convert a so-so broadband router into a truly useful firewalling
*appliance*,
then you wouldn't have asked such a profoundly daft question.
http://www.sveasoft.com/content/view/3/1/
Alchemy includes many feature additions over the Linksys standard firmware
including:
Hotspot portal
PPTP VPN server
Two-way bandwidth management (includes P2P, VoIP, IM)
SSH client and server
Telnet
Startup, firewall, and shutdown scripts
WDS repeater mode
Client mode (support multiple attached devices)
Adhoc mode
OSPF routing
RIP2 routing
Power boost to 251 mw
Antenna select
Static DHCP address assignments
Additional DDNS support
Wireless MAC address clone
VLAN support (hardware only)
WPA over WDS
WPA/TKIP with AES
Client mode WPA
Client isolation mode
P2P blocking/bandwidth management (Gnutella, Kazaa, etc)
Port triggering
Wake-On-Lan
Remote syslog
Remote Ntop statistics
SNMP
Safe backup and restore
Reset on firmware upgrade
Status includes system uptime and load average
Status for wireless clients and WDS
Site survey
Remote NTP server support
Supports new WRT54G V2.2 and WRT54GS V1.1 models
When I tried the link I got this response:
Warning: Cannot modify header information - headers already sent by
(output started at
/usr/local/www/html/icsa/common/sql/productfield.inc:48) in
/usr/local/www/html/icsa/common/common.inc on line 4
Are there some other links that I can try instead?
Regards, Andersajja.
I used googleweb for the site icsalabs.com on product.php and then I
'adjusted' toward firewall from the antivirus section where I landed and
got
https://newlabs.icsalabs.com/icsa/product.php?tid=fghhf456fgh
--
Mike Easter
>> Better still please tell the audience why IPFilter
>>
>> http://coombs.anu.edu.au/~avalon/
>>
>> which runs on over half a dozen platforms and is shipped and supported by
>> Sun as standard on Solaris, is lacking in the firewall dept just because
>> it lacks thinly disguised marketing bollocks called 'certification'.
>
>If it's not been certified then how do you know it's really a firewall
>with REAL ability to protect? If there are no certifications, then what
>do you really know about the product?
If you need to ask that question, you really shouldn't be working as an IT
security professional.
Certification tells you SFA about any product or individual.
>If there is a standard acceptable level of protection, that seems to be
>accepted by the security community,
There isn't. RTFSP on all ICSA reports.
>Are you suggesting that all government agencies and corporate entities
>should be able to use IPFilter to reliably protect their LAN/DMZ areas
>because you say it's good enough?
A non sequitur. 'I' am not saying anything about its utility. 'I' am
pointing out the fallacy in your argument.
'I', have built secure environments for customers using all of the above
and some, because 'I' personally have taken the products in question and
tested them to such an extent that 'I' personally was satisfied with their
fitness for purpose.
Putting any security product into a customer site purely on the say so of
some untrusted third party is profoundly irresponsible.
>> I refrain from recommending products purely on the basis of a tickbox
>> marked 'certification'.
>>
>> If you had spent five minutes figuring out how and why Sveasoft manages to
>> convert a so so broadband router into a truly useful firewalling
>> *appliance*,
>>
>> Then you wouldn't have asked such a profoundly daft question.
>>
>> http://www.sveasoft.com/content/view/3/1/
>
>Sure I would, as I don't see any certifying agency that claims it's
>secure.
Which has *what* to do with installing *anything* for one's customers?
You have personally tested everything you sell just to confirm that it does
exactly what it says on the tin?
You are aware that marketing BS in no way reflects the real world
capabilities of any product?
You are aware of the dictum 'process not product'?
>I could push anything out there and "say" it's a firewall too,
>but until it's been tested against the industry standards and passed,
>there is no valid way to know just how good it is.
Uninformed nonsense.
>Maybe daft is believing that you don't need third-party validation of
>something that protects your home/business/corporation.
Will this '3rd party' indemnify me and/or my customers if their testing
and/or methodology is found wanting?
Who will my customers blame, if I install any product purely on the basis
of some 'third party validation' (to which I had no input) which was found
wanting in either performance or fitness for purpose ?
>[snipped list of features]
>
> When it's been tested by a certifying agency and passes, then it's a
>firewall,
No it damn well isn't. Read the small print.
> until that time we/you can hope that it's a firewall.
ROTFL! When was the last time you did a penetration test?
>>> until that time we/you can hope that it's a firewall.
>>
>> ROTFL! When was the last time you did a penetration test.
>
>Let me explain this one more time, read it slowly:
>
>Just because someone comes out with new firmware for a NAT Router, that
>does not make it a firewall no matter how many "features" they say they
>have added - at the same time, it does not mean it's not a firewall.
Oh yes it does if one can install a stateful filtering policy on it which
passes penetration testing and meets audit requirements for both the client
and the vendor.
A Cisco router with a firewall feature set is a firewall.
A 1U rack server running www.pfsense.org is a firewall.
A Linksys WRT54G/GS running iptables (spit) with stateful connection
tracking is a firewall.
It's running the exact same netfilter code as
http://www.astaro.com/firewall_network_security/firewall_asg
http://www.smoothwall.org/
etc etc etc.
Those are the facts.
> The
>problem is that unless it's been tested and inspected by some reputable
>company/organization, there just isn't any way to have a basis for its
>acceptance as a firewall. Notice I said tested and reputable in the same
>sentence.
You're now attempting to move the goalposts from 'certification' to 'tested
and inspected' by some allegedly reputable company/organisation.
>As for secure networks and testing, I design secure networks for a living,
>and I've been at it for a long time - we've never had a single compromised
>customer in our history and I've never had a compromised network as long
>as I've been around. I don't install unproven technology, don't believe in
>marketing hype, don't believe certification proves that something is
>perfect, but, I will start with certified products as a basis for
>consideration over non-certified products, then test them in our shop,
>test them in the field, and if they pass all of our tests, then I will
>test them with select customers and then finally will start using them in
>customer solutions on a regular basis.
Oh puhleeze, enough with the ex post facto back pedal already.
Back in the real world, PF, IPFilter and IPTables (spit) based firewalling
solutions are used to protect networks globally.
Some of us do have customers who require high packet rate gig-e solutions,
but cannot afford the arm and a leg Crisco would charge them for a 535 +
annual maint.
Some of us do have customers with stringent audit and logging requirements
to comply with double 7 double 9.
IT security professionals with even a modicum of clue are aware of the
capabilities of all mainstream stateful packet filtering software, not just
that which comes with a pretty ICSA labs sticker + price tag.
>Now, before you get your dander up, I have nothing against the new
>firmware or the NAT routers used in Home solutions, in fact, for home
>users I always recommend a NAT solution as the first barrier device in
>their protection. At the same time, I don't believe something is a
>firewall just because I've read it on Usenet/Web/Print, and I almost never
>believe marketing speak, and I trust my ability to test and confirm a
>secure solution.
You have absolutely no idea what's running inside a WRT54G/GS now, do you?
Be a man, admit it.
You don't appear to realise that the GS model has for example, hardware
vlan tagging on its 4 port switch.
Functionality which Sveasoft makes available to the end user.
You appear to have no notion that that little 70-buck box can statefully
packet filter between all 5 fast-e interfaces at pretty close to wire speed
as a consequence.
You don't appear to appreciate the appeal of having something cheap and
cheerful which can sit in the big bad world providing enterprise WPA
courtesy of inbuilt radius/1x support.
Something which can take care of itself and provide tunnel endpoints at a
price point significantly cheaper than a VPN concentrator.
>You seem to be asking me, and all of us, to believe that something is a
>quality firewall without any certification
A daft hair splitting non sequitur.
1st you claim that it couldn't possibly be a firewall without some form of
'certification'.
When I point out that Sun are shipping *and* supporting IPFilter on Solaris
9 and 10, you try and change tack from that ridiculous position to that of
'tested and inspected' (sic) by a reputable company.
Now you're back to certification nonsense again.
>- and I don't know many people
>that are willing to risk their business reputations on unproven solutions
>without independent confirmation.
Give it up already,
IPFilter has been securing networks globally for a decade.
OpenBSD and, by implication, its packet filter have been the recipients of
DARPA funding.
The notion that either are 'unproven solutions' is laughable nonsense.
If you want to make a living selling ICSA 'certified' chocolate fireguards,
by all means do so.
However that doesn't make them somehow better as a solution for customers.
Security is a process *not* products.
... more simplistic /non/-/sequiturs/ doesn't make it valid.
>You seem to be asking me, and all of us, to believe that something is a
>quality firewall without any certification - and I don't know many people
>that are willing to risk their business reputations on unproven solutions
>without independent confirmation.
Point in fact: OpenBSD is widely reputed to be the most secure
system commonly available.
1) No system using it is certified by your "reputable"
certification agency.
2) OpenBSD itself is not certified by your "reputable"
certification agency.
From that we can draw two obvious conclusions:
1) Lack of said certification means nothing.
2) Your logic is invalid.
More verbosely, that means you *can* use ICSA certification to
suggest that a particular certified device is probably suitable;
but you *cannot* say with any validity that a non-certified
device is therefore unsuitable (which is what you have stated).
Regardless, none of this applies to the OP's original question,
which had *nothing* to do with some technical level of quality
for a firewall. He asked if Linksys equipment is any different
than the Watchguard devices marketed as "FW appliances". The
answer is that there is no difference. Several of the
Watchguard devices (which are not ICSA certified either) that
are marketed as "FW appliances" have virtually identical or
lesser capabilities than the Linksys device specified.
By *any reasonable* definition they are all firewalls. Whether
they are top of the line, fully featured, or the most secure, is
of course neither here nor there in regard to the OP's question.
What the OP has been falsely claiming, and you and at least one
other person seem to be supporting, is that because the
*high* *end* Watchguard devices are high quality the low end
devices are therefore acceptable by default; and then you do not
extend the same bypass to Cisco's low end devices apparently
because they use the Linksys brand name.
The fact is... the WRT54G is a better firewall than the
equivalent Watchguard devices, and comes at a significantly
lower cost too. They are *both* suitable for many or most SOHO
needs, and neither are suitable for any network that requires
the best firewall technology available.
--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) fl...@apaflo.com
> On Sat, 30 Jul 2005 05:58:53 GMT, Duane Arnold <no...@notme.com>
> wrote:
>
>>I am being told that because the WRT54G Linksys NAT router uses NAT,
>>IPtables, SPI and proxies it is now considered to be a FW appliance
>>like a Watchguard.
>>
>
> If it's running the excellent sveasoft firmware, I would consider it
> to be such.
>
>
> greg
So with the out-of-the-box firmware you would just consider it to be a
packet filter FW?
Duane :)
>Leythos <vo...@nowhere.lan> wrote:
>>
>>Just because someone comes out with ...
>
>... more simplistic /non/-/sequiturs/ doesn't make it valid.
>
Quite.
>> If it's running the excellent sveasoft firmware, I would consider it
>> to be such.
>So the out of the box firmware you would just consider it to be packet
>filter FW?
Out of the box firmware has *exactly* the same features as those
mentioned above. Sveasoft firmware adds other features, and
provides significant flexibility in *configuration* of those
features.
(And this has all been explained to you previously *in detail*,
in a thread on alt.internet.wireless.)
Why are you making "authoritative" pronouncements about a product
you are not familiar with, instead of asking for advice from
people who are?
>It's not about if it's a firewall or not, it's about having some
>reputable company say that it is and provide testing results that
>indicate it is.
The questions asked were *not* about certifications. That was
*your* response, which does *not* provide a valid answer.
>What you and Greg fail to see is that I don't have a problem with it
>being a firewall, don't dispute that it may indeed be a firewall, but I
That isn't what you've said... and that would be nice
back pedaling except...
>As I said before, show me where it's been tested by some reputable
>company/organization, with links to the testing process and results, and
>I've believe it's a firewall. Until that time it's just lip service.
You just said you don't dispute that it is a firewall, and then
again you say that it isn't. Mince weasel words if you like,
but such obvious logical contradictions reflect on all of your
conclusions.
>Oh, to make it clear, we don't sell any products, don't sell Watchguard,
>we install most of the large players devices, and are happy with most
So you have no actual knowledge about *any* of the devices that
the OP asked about. Okay...
>Don't read into what I typed, show me links to reputable testing results
>or to a certification and I'll consider the firmware to have provided
>true firewall functionality, until I can read independent test results I
>see no reason to trust the assertions you and Greg make about the 54g.
I see no reason to trust assertions you are making. You admit
to no special knowledge about the specific equipment, and make
illogical references to certification of alternate products by
one company and not for the other, and then only for high end
equipment costing 10 to 100 times as much.
Moreover, your "certification agency" requires a paid contract
from the vendor before a product will be evaluated, and
certification will be dropped if the contract is not kept
current!
It still reduces to the fact that ICSA certification probably
does suggest that a given product meets at least minimum
standards while a lack of ICSA certification means *absolutely*
*nothing*. Your comments are logically invalid because they
have all been based on lack of certification.
There are points of interesting significance about the ICSA
certifications though, which should not go unnoticed. I
mentioned previously the lack of any reference at all to
OpenBSD, and that *clearly* restricts the idea that ICSA
certification is in any way a broad based definition of what is
or is not a viable firewall.
That is a negative inference, but there is at least one positive
point that can be inferred too. A simple count shows that ICSA
has certified more than 20 devices using the Linux OS, offered
by a diverse group of 9 different vendors. No other specific OS
is listed with anything like that number of units or vendors.
The obvious conclusion that can be drawn is that non-proprietary
Linux solutions provide top quality firewall functionality.
Both Watchguard and Linksys use Linux based firewalls on
equipment that has not been certified by ICSA. Some of the high
level Watchguard devices using Linux have been certified, while
Cisco, owner of Linksys, uses a proprietary OS on high end
devices.
>>As it is now, unless we inspect the code, line by line, and then run a battery
>>of tests against the inside and outside interfaces, we don't know if it's
>>a firewall.
>
>I bet you wish you never wrote that. You realize what you just did,
>don't you? Besides making yourself look like a drooling idiot, you
>just proclaimed that every single "firewall" (read Watchguard) you've
>ever sold or installed isn't really a firewall. That single sentence,
>all by itself, completely destroys any shred of credibility you
>thought you might have. I don't think I need to spell out why, but
>I'll be happy to, if need be.
I was going to say something, but it felt too much like shooting fish in a
barrel.
And neither are the Watchguard models that have been compared to
it. Other than costing a great deal more and having fewer
features, they aren't really any different.
>> So you have no actual knowledge about *any* of the devices that
>> the OP asked about. Okay...
>
>I have a lot of first hand experience and knowledge about the devices
>asked about - but my searching about the 54g and it's firmware still
>does not find any reputable authority that's tested it and published the
>results.
I find that to be an amazing statement, given the other things
you have said! You are aware that none of the Watchguard
wireless units have ever been certified either, right? And that
none of the ones cited as comparable (meaning they only cost 4
times as much) have been certified.
>> I see no reason to trust assertions you are making. You admit
>> to no special knowledge about the specific equipment, and make
>> illogical references to certification of alternate products by
>> one company and not for the other, and then only for high end
>> equipment costing 10 to 100 times as much.
>
>WTF are you talking about - I don't make any assertions, you are, you
>seem to want everyone to believe that the 54g with third-party firmware
>is a secure firewall appliance, but you offer no reputable verification
>of its testing.
And now that the WRT54G has been around for a couple years or
so, tell us just how many reports of security problems have
shown up? And how many is that compared to Watchguard's
certified units???
:-)
>> Moreover, your "certification agency" requires a paid contract
>> from the vendor before a product will be evaluated, and
>> certification will be dropped if the contract is not kept
>> current!
>
>I have already said, certification or other independent
>agency/organization, but you keep missing it and keep calling it back-
>pedaling - but I see that you still can't provide any validation for the
>product.
You can't provide any for the Watchguard Firebox SOHO 6 units
that have been compared to it either.
Or do you actually expect home users to spend a few grand for a
certified high end firewall?
>> It still reduces to the fact that ICSA certification probably
>> does suggest that a given product meets at least minimum
>> standards while a lack of ICSA certification means *absolutely*
>> *nothing*. Your comments are logically invalid because they
>> have all been based on lack of certification.
>
>And you continue to expect people to believe that because some third-
>party firmware is loaded into a router and claims to be secure, with no
>reputable verification, that it's a firewall that everyone should trust?
>Ha!
So where are the reports of how poorly it performs? In fact it
uses the *same* Linux firewall that is used in several certified
models. Is the same true of all the Watchguard units???? Or
only of those Watchguard units using Linux?
>> Both Watchguard and Linksys use Linux based firewalls on
>> equipment that has not been certified by ICSA. Some of the high
>> level Watchguard devices using Linux have been certified, while
>> Cisco, owner of Linksys, uses a proprietary OS on high end
>> devices.
>
>Here is the only thing you need to remember/take away from this
Actually, the thing anyone will likely take away from this
discussion is that you are not being logical or practical either
one. I have no idea what is driving your comments, but they are
irrational.
>discussion - you are proposing that people believe in an uncertified and
>unverified (by independent company/organization) product because you say
>so. You offer no proof that the third-party firmware for the router is a
>reliable firewall product that's PROVEN by some group, agency,
>certification authority, to back up your claims.
Well, you know none of my computers are certified to C2 security
either. Are yours? If not, why not? How can you possibly
sleep at night knowing you have equipment that is uncertified
and unverified by someone to meet the necessary standards for a
secure computer system?
My bet is that your DSL or Cable modem is not certified either
(except by UL or Consumer's Union to not be either a fire
hazard or likely to electrocute you).
Did you get independent certification for the CPU in your
computers? How do you know they *really* can do IEEE math
without errors????
Just like all of the Watchguard boxes that have been recommended...
> Duane Arnold <no...@notme.com> wrote:
>>Greg Hennessy <m...@privacy.org> wrote:
>>>Duane Arnold <no...@notme.com> wrote:
>>>
>>>>I am being told that because the WRT54G Linksys NAT router uses NAT,
>>>>IPtables, SPI and proxies it is now considered to be a FW appliance
>>>>like a Watchguard.
>
>>> If it's running the excellent sveasoft firmware, I would consider it
>>> to be such.
>
>>So the out of the box firmware you would just consider it to be packet
>>filter FW?
>
> Out of the box firmware has *exactly* the same features as those
> mentioned above. Sveasoft firmware adds other features, and
> provides significant flexibility in *configuration* of those
> features.
>
> (And this has all been explained to you previously *in detail*,
> in a thread on alt.internet.wireless.)
>
Stick it FF when I post to you, you'll know it. ;-)
Duane :)
> Now, let's move on to something that is actually relevant, like why
> you claimed it would only be a firewall if could tell real HTTP
> traffic from bogus traffic on port 80. Inquiring minds want to know.
>
> Just what are your minimum basic requirements for a firewall? They
> seem to be rather vague at best and ever-changing. A common theme
> seems to suggest that if it doesn't stack up to a Watchguard it isn't
> a real firewall.
>
Real firewalls need to do more than just port and address blocking. They
actually look at the traffic. They watch the TCP handshake, etc. They
look INTO the packets - bogus sequence numbers are dropped, etc.
Better ones actually are layer 7 aware - they look at what is going on
at the app layer. Some have "snort like" intrusion detection
functionality. Some have anti-virus and anti spyware capability.
--
DO NOT REPLY TO THE EMAIL ADDRESS
IN THE HEADERS OF THIS POST.
IT IS A SPAM TRAP ADDRESS.
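The stateful connection tracking that the thread keeps coming back to (the WRT54G "running iptables with stateful connection tracking", and the post above about watching the TCP handshake and dropping bogus sequence numbers) as an added toy model in Python. This is not code from Sveasoft, netfilter or any poster; the LAN prefix, the sequence-window tolerance and every packet in the trace are constructed for the demo.

```python
#!/usr/bin/env python3
"""Toy stateful TCP filter: tracks the three-way handshake per flow, lets only
LAN-originated connections through, and drops inbound packets that match no
flow or carry a sequence number far outside the expected window.  This is
what separates 'stateful filtering' from plain port/address blocking.
Added example, not Sveasoft/netfilter code; all values are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

SYN, RST, ACK, FIN = 0x02, 0x04, 0x10, 0x01
WINDOW = 65535   # assumed tolerance: one maximum TCP window of sequence drift


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0
    length: int = 0   # payload bytes carried


class StatefulFilter:
    """Policy: LAN hosts may open connections outward; nothing unsolicited comes in."""

    def __init__(self, lan_cidr: str):
        self.lan = ip_network(lan_cidr)
        self.flows: Dict[tuple, dict] = {}   # conntrack-style table keyed by 4-tuple

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Order the endpoints so both directions of a flow share one entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def filter(self, p: Packet) -> Tuple[str, str]:
        key = self._key(p)
        flow = self.flows.get(key)
        from_lan = ip_address(p.src) in self.lan

        if flow is None:
            # Only a bare SYN from the LAN may create state (iptables: NEW on the LAN side only).
            if (p.flags & (SYN | ACK | RST)) == SYN and from_lan:
                self.flows[key] = {"orig": (p.src, p.sport), "state": "SYN_SENT",
                                   "expect": {(p.src, p.sport): p.seq + 1}}
                return "ACCEPT", "NEW connection from LAN"
            if p.flags & SYN:
                return "DROP", "unsolicited inbound SYN"
            # e.g. an ACK scan: a stateless port filter would pass this as 'return traffic'
            return "DROP", "no matching connection"

        sender = (p.src, p.sport)
        expected = flow["expect"].get(sender)
        if expected is not None and abs(p.seq - expected) > WINDOW:
            return "DROP", f"bogus sequence number {p.seq}, expected near {expected}"

        if p.flags & RST:
            del self.flows[key]          # teardown: forget the flow
            return "ACCEPT", "RST, connection torn down"

        is_orig = sender == flow["orig"]
        state = flow["state"]
        if state == "SYN_SENT" and not is_orig and (p.flags & (SYN | ACK)) == (SYN | ACK):
            flow["state"] = "SYN_RECV"
            flow["expect"][sender] = p.seq + 1
            return "ACCEPT", "SYN/ACK reply"
        if state == "SYN_RECV" and is_orig and p.flags & ACK:
            flow["state"] = state = "ESTABLISHED"
        if state == "ESTABLISHED":
            # Advance the expected sequence number for this direction.
            flow["expect"][sender] = p.seq + p.length + (1 if p.flags & FIN else 0)
            return "ACCEPT", "ESTABLISHED"
        return "DROP", f"flags {p.flags:#04x} invalid in state {state}"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed trace: LAN host 192.168.1.10 fetches from 203.0.113.5:80 while
    198.51.100.7 probes from outside and a spoofed segment is injected."""
    fw = StatefulFilter("192.168.1.0/24")
    lan, srv, bad = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    trace = [
        Packet(lan, 40000, srv, 80, SYN, seq=1000),                        # ACCEPT: NEW from LAN
        Packet(srv, 80, lan, 40000, SYN | ACK, seq=5000, ack=1001),        # ACCEPT: SYN/ACK
        Packet(lan, 40000, srv, 80, ACK, seq=1001, ack=5001),              # ACCEPT: ESTABLISHED
        Packet(lan, 40000, srv, 80, ACK, seq=1001, ack=5001, length=100),  # ACCEPT: request data
        Packet(bad, 4444, lan, 22, SYN, seq=7),                            # DROP: unsolicited SYN
        Packet(bad, 4444, lan, 22, ACK, seq=7, ack=1),                     # DROP: ACK with no state
        Packet(srv, 80, lan, 40000, ACK, seq=4_000_000_000, ack=1101, length=40),  # DROP: bogus seq
        Packet(srv, 80, lan, 40000, ACK, seq=5001, ack=1101, length=500),  # ACCEPT: response data
        Packet(srv, 80, lan, 40000, RST, seq=5501),                        # ACCEPT: teardown
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict, why in run_demo():
        print(f"{verdict:6} {why}")
```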
Duane :)
> You're too stupid to know what a firewall is, so I don't expect you to
> remember that I never said any such thing. Lying and false
> accusations make you look more stupid than ever, if possible.
I have been reading the posts here and to tell the truth you are the stupid
one. Leythos is well respected in this newsgroup and he knows what he is
talking about and has helped a lot of people including myself. Before you
give a negative response to this post I want to see a link posted so we can
see the results of the third party firmware testing of the Wrt54G being a
true firewall. If you don't post the link or say anything about it, then we all
know who the stupid one is now, won't we? Another thing, don't bash good
people who know what they are talking about.
>> >I bet you wish you never wrote that. You realize what you just did,
>> >don't you? Besides making yourself look like a drooling idiot, you
>> >just proclaimed that every single "firewall" (read Watchguard) you've
>> >ever sold or installed isn't really a firewall. That single sentence,
>> >all by itself, completely destroys any shred of credibility you
>> >thought you might have. I don't think I need to spell out why, but
>> >I'll be happy to, if need be.
>>
>> I was going to say something, but it felt too much like shooting fish in a
>> barrel.
>
>It's quite simple, and you two seem to be trolling a lot
Au contraire, skewering a fallacious position is not trolling.
Attempting to conflate anything about the efficacy of watchguard products
from a handful of those which are 'certified' is indeed fallacious.
>- if you can't
>post a link to a reputable company that certifies it as a firewall then
>it's still just a test project or a hope-to-be firewall solution.
What 'it' are you referring to?
You have been informed of ICSA certified solutions which are based on
Netfilter.
You have been informed that Sun ship and support IPFilter on Solaris.
You have been informed that the OpenBSD Packet Filter is part and parcel of
what is freely accepted de facto and de jure as the world's most secure
general purpose Unix-like OS.
>In article <lo3cf1tv907nakec4...@4ax.com>, m...@privacy.org
>says...
>> You have been informed of ICSA certified solutions which are based on
>> Netfilter.
>>
>> You have been informed that Sun ship and support IPFilter on Solaris.
>>
>> You have been informed that the OpenBSD Packet Filter is part and parcel of
>> what is freely accepted de facto and de jure as the world's most secure
>> general purpose Unix-like OS.
>
>Keep trying to infer that the third-party solution based on the 54g
>hardware
I haven't mentioned the wrt54g anywhere in the article quoted.
Do keep up at the back dear boy.
>is anything other than a test/toy/project until it's been
>certified and you show how nothing towards it's being proven as a
>firewall product.
I'll remind the poster that I am not the one asserting that some form of
'certification' is required before anything can be considered as a
firewall.
>Keep avoiding the truth, keep avoiding facts,
That is projection on your part.
The facts have been stated repeatedly.
They don't suit you or your propensity to flog Watchguard products.
I'll also remind the poster that his argument has changed repeatedly
throughout this thread.
1st it was 'certification'
2nd was 'reputable' companies
3rd was demands to audit the source code.
>'show me the money' as in
>a link to some reputable organization that identifies the 54g + third-
>party firmware as a fully qualified firewall, the testing methods, the
>results, and then you don't have to keep waving your arms and trying to
>prove something without any proof.
Attempting to divert the discussion will not change the facts.
You're the one who shot yourself in the foot with this line.
"As it is now, unless we inspect the code, line by line, and then run a
battery of tests against the inside and outside interfaces, we don't know
if it's a firewall."
You are the one who has 1st claimed that certification is somehow
'required'.
You are the one who has repeatedly ignored the fact that the ICSA have
certified firewalling solutions based on netfilter.
You are the one who has repeatedly ignored the fact that Sun ship and
support IPFilter with Solaris.
You are the one who is trying to claim that the OpenBSD packet filter
somehow is not a firewall.
You are the one who cannot address a single point in
http://groups.google.com/group/comp.security.firewalls/msg/d85775fc547a8b6c?dmode=source&hl=en
Attempting to split hairs will not change the google record.
>You need to separate what are good products from fact - the fact is that
>you don't have a leg to stand on, you only have "speculation".
As with the rest of the wibble you've posted of late, that sentence doesn't
make sense.
Now do yourself a favour and retire while you have a modicum of grace left.
This thread *started* on that subject, but has long since drifted
to be primarily a discussion of your biases and the foolish
statements you make attempting to support them. It has very little
technical value, but is certainly good for grins and giggles.
>I'll remind everyone that until it's been proven to be a firewall by
>some independent authority on the matter as accepted by the community,
>that it's not a firewall either. It's a project or a kludge or a test or
>some other measure, but it's not certified so we don't know if it even
>passes simple filtering testing.
And of course the only acceptably "independent authority" is the
one that certifies your choice of biases, and everything else is
all of that derogatory verbosity. Tsch tsch... just, it ain't true!
>> They don't suit you or your propensity to flog Watchguard products.
>>
>> I'll also remind the poster that his argument has changed repeatedly
>> throughout this thread.
>>
>> 1st it was 'certification'
>>
>> 2nd was 'reputable' companies
>
>1 and 2 are part of the same, but I don't expect someone like you to
>understand that.
Like a lot of things you say, that isn't true.
>> 3rd was demands to audit the source code.
>
>I didn't ask that it be audited, again you show that you don't know what
>you're talking about.
If looking at it line by line isn't auditing the source code,
what do you want to call it?
...
>> "As it is now, unless we inspect the code, line by line, and then run a
>> battery of tests against the inside and outside interfaces, we don't know
>> if it's a firewall."
...
>Yep, sure did. I said that. I stand by it - without any certification to
>state it's a firewall, without any independent testing by a reputable
>company, without any proof that the combination is a true/quality
>firewall, the only thing we have left is to do the evaluation on our
>own.
Quoted right there, followed by admission that you said it and
meant it. You can't even get it straight within one article,
never mind between articles as the thread moves on.
>> You are the one who has repeatedly ignored the fact that the ICSA have
>> certified firewalling solutions based on netfilter.
>
>And none of those certifications apply the 54g and third-party firmware
>combination that this thread is about. NOTHING in the certification you
>mention has anything to do with the 54g and third-party firmware.
It reflects on many statements you've made about just what is a
"real" firewall, and what is not. You've claimed that many of
the *best* firewalls are not "real firewalls".
>> You are the one who has repeatedly ignored the fact that Sun ship and
>> support IPFilter with solaris.
>
>And they don't have any statement on their site standing behind the 54g
>and the third-party firmware as being a reliable/proven firewall
>combination. They don't mention it anywhere (and I searched), so, got
>any more diversionary tales?
But we clearly do know that the very same software, when
certification is *paid* *for*, passes.
>> You are the one who is trying to claim that the OpenBSD packet filter
>> somehow is not a firewall.
>
>I've never claimed that BSD and IPFilter is not a firewall, I've said
You have done that on many occasions, including in this very
article. But you don't seem to understand the significance of
your statements.
>that unless the installation is certified/tested, that there is no way
>of knowing if it was setup properly as a firewall, if it's acting as a
>firewall, as a matter of fact, there is no way of knowing what it's
>doing. Just because one loads BSD on a box, then installs IPFilter, it
>doesn't make it a firewall.
Hilarious. OpenBSD is widely accepted, whether it is certified
or not, as *the* most secure system available.
>What a doofus you are - I have only stated that without certification
>and/or testing by a reputable company, that there is no means (short of
>self testing) to know if the device/firmware combination is a firewall.
Personally, I think certification by a reputable company is
indeed useful. It is also not the most reliable measure, nor
anything like the best or the only measure. It is *not* an
absolute requirement.
I rather believe that the Open Source paradigm is in itself the
best selector of reliable safe software. The reputation of
IPtables and IPFilter (Linux and OpenBSD) in the world of Open
Software is probably the highest possible recommendation
possible for a firewall.
It means a *lot* more than Watchguard paying a subscription to
ICSA to get a product certified.
>> Attempting to split hairs will not change the google record.
>
>Neither will your complete lack of understanding in the subject area of
>Firewalls or security.
Clearly people who disagree with you are not totally lacking in
that subject area. Moreover they seem to have a significantly
better *perspective* on computing and security as a whole, which
is why they don't have to rely on "certification" as a go/no-go
indicator the way you do.
>> Now do yourself a favour and retire while you have a modicum of grace left.
>
>If you go back and look at your post, it's clear to me that you don't
>have even the slightest grasp on this thread or what it's about. That
Obviously a bit of projection. He did understand, you didn't... as
you very handily showed in this article.
>you don't understand what a firewall is, that you don't understand
>testing or certification methods, and that you can't separate a
>test/project from the real thing.
Broad, sweeping, statements... which are clearly untrue, do not
make your case no matter how often or boldly you make them. All
that does is make it *clear* that you cannot keep these topics
in perspective, and run away with ego protection mechanisms
every time someone disagrees with you.
>>> "As it is now, unless we inspect the code, line by line, and then run a
>>> battery of tests against the inside and outside interfaces, we don't know
>>> if it's a firewall."
>...
>>Yep, sure did. I said that. I stand by it - without any certification to
>>state it's a firewall, without any independent testing by a reputable
>>company, without any proof that the combination is a true/quality
>>firewall, the only thing we have left is to do the evaluation on our
>>own.
>
>Quoted right there, followed by admission that you said it and
>meant it. You can't even get it straight within one article,
>never mind between articles as the thread moves on.
I have noticed that our friend has decided to set x-no-archive of late, so
that the google record cannot come back to haunt him.
Intellectually dishonest as well as completely out of his depth.
>>And they don't have any statement on their site standing behind the 54g
>>and the third-party firmware as being a reliable/proven firewall
>>combination. They don't mention it anywhere (and I searched), so, got
>>any more diversionary tales?
>
>But we clearly do know that the very same software, when
>certification is *paid* *for*, passes.
He doesn't appear to comprehend that bit.
>>> You are the one who is trying to claim that the OpenBSD packet filter
>>> somehow is not a firewall.
>>
>>I've never claimed that BSD and IPFilter is not a firewall, I've said
>
>You have done that on many occasions, including in this very
>article. But you don't seem to understand the significance of
>your statements.
I took one look at that piece of idiotic denial and assumed the "I cannot
be arsed....." position.
>> >Keep trying to infer that the third-party solution based on the 54g
>> >hardware
>>
>> I haven't mentioned the wrt54g anywhere in the article quoted.
>
>But, and you can't deny this, you keep butting in about BSD and IPFilter
>in a thread about the 54g where the group is talking about the merits of
>the 54g and some third-party firmware as being a quality firewall
>device.
Quelle surprise, yet again, our friend is trying to divert the discussion
away from the fact that *you* have made a complete ass of yourself by
claiming that industry standard packet filtering software which isn't ICSA
certified cannot be a firewall.
[fallacious irrelevance binned unread]
Duane :)
>In article <a86ef1tn94a2j5v7d...@4ax.com>, m...@privacy.org
>> Quelle surprise, yet again, our friend is trying to divert the discussion
>> away from the fact that *you* have made a complete ass of yourself by
>> claiming that industry standard packet filtering software which isn't ICSA
>> certified cannot be a firewall.
>
>And you keep stating that an unproven solution with no reviews by a
>reputable firewall certification/testing company/organization
You've been told more than once already that Sun ship and support IPFilter
as standard with Solaris.
You could try claiming that Sun and Solaris are somehow 'unproven'......
> is a
>proper firewall good for protecting people as any certified firewall is.
To those of us whose real world knowledge extends a mite beyond marketing
material, the answer is yes.
I've detailed one example of that already.
>So, I expect that you want everyone to believe that anything you post is
>always true, that anything you call a firewall, even a toaster, is
>really a firewall?
Oh Gawd, Mr Non Sequitur strikes again.
The rest didn't give you a bit of weasel room, eh.
>While a properly setup BSD box with IPFilter qualifies as
>a firewall,
So now you are contradicting everything you said previously.
>there is no way to know if the solution passes as a firewall
>solution without testing it.
And even the next phrase.
You know, it either is a firewall, or it isn't. The fact that a
BSD box can be misconfigured by a user is no different than that
*any* of the units certified by ICSA can also be misconfigured.
>If a specific configuration is certified or
>tested against, then the testing method and results posted, we as users
>can be certain that the specific solution passes the specific tests that
>may or may not apply to us.
How will "a specific configuration is certified" help a specific
customer who will *never* use that specific configuration?
Your ICSA certification is *clearly* worthless for what you are
claiming.
>Open source, while a great idea, does not indicate any reliability or
>measure of quality or even any sense of security - it seems that you've
>failed to see all of the updates for Linux and its variants, for the
>open source mail servers and other services....
It seems that I *have* seen all the updates for Linux. The
problem is that neither I nor anyone else gets to see the
updates for any of the non open source systems that ICSA has
certified.
>Having a solution based on Open Source development is no more a
>recommendation than is one from Apple or Microsoft - until it's been
>proven it's just a test/project/toy.
Cough laugh giggle. You are so naive it is just astounding!
There is no comparison, and Open Source wins head down going
away. (I wouldn't touch an Apple or Microsoft "firewall",
certified or otherwise, if you paid me.)
Are you afraid of what you say?
And I doubt that anyone is paying you any money for using the FW of the
Gods either North in Alaska with the 54g ;-)
Only to you is anyone afraid of saying anything, since you're such a lunatic
and will go off the deep-end up there North in Alaska with Linux *software
of the Gods* and the 54g mistress. ;-)
So you were using "XNA" before it was invented, or did anything,
eh? You do take the cake for exaggeration...
>troll like you, especially one that doesn't understand the definition of
>a firewall and what does/doesn't make a firewall a firewall.
Hmmm... aren't you the guy who can't figure out what the
definition of a firewall actually is, and thinks that if some
subscription company doesn't get paid to "certify" something,
that it isn't a firewall at all.
That is, BTW, an abjectly ignorant statement.
>What makes you think that the third-party firmware is the FULL and
>PROPERLY CONFIGURED Sun/Solaris packaged solution?
What makes you think that *any* firewall software is "PROPERLY"
configured just because ICSA certified that they were able to
test it?
>Get real, you've proven how little you know about software development
>and nix.
You've proven that you know virtually *nothing* about software
configuration or systems administration.
>In article <aohef1hkfep7ilock...@4ax.com>, m...@privacy.org
>says...
>> >And you keep stating that an unproven solution with no reviews by a
>> >reputable firewall certification/testing company/organization
>>
>> You've been told more than once already that Sun ship and support IPFilter
>> as standard with Solaris.
>>
>> You could try claiming that Sun and Solaris are somehow 'unproven'......
>
>And your "assumption" that because Sun and Solaris ship a version of it
>on some systems,
Make that *ALL* Sun systems. You've been told more than once already that
Sun ships IPFilter *on* Solaris as *standard*.
> that somehow that makes the unproven solution that may
>be based on that particular implementation, somehow, some way, the same?
I am not the one claiming that IPFilter is somehow 'unproven' purely on the
basis of a lack of a shilled review by ICSA labs.
>Nope, the two have nothing to do with each other.
Only to those who are clutching at straws.
Do you accept that IPFilter on Solaris is a perfectly valid firewall
solution, yes or no.
Do you accept that netfilter firewalling solutions have been 'passed' by
ICSA, yes or no.
Do you accept that OpenBSD is the most secure general purpose *nix like OS
available today, yes or no.
>What makes you think that the third-party firmware is the FULL and
>PROPERLY CONFIGURED Sun/Solaris packaged solution?
Because over the past decade, I have built, installed and managed IPFilter
on at least 4 different Unix platforms (including solaris) at the last
count.
One's bona fides are part of the google record. I don't need to repeat them
here.
>Get real, you've proven how little you know about software development
>and nix.
ROTFL! This coming from someone who doesn't know that Solaris is the name
of the Unix like operating system shipped by Sun Microsystems.
Another 'intellectual' with a yawning chasm between its capability and
self perception.
greg
>> >> You could try claiming that Sun and Solaris are somehow 'unproven'......
>> >
>> >And your "assumption" that because Sun and Solaris ship a version of it
>> >on some systems,
>>
>> Make that *ALL* Sun systems. You've been told more than once already that
>> Sun ships IPFilter *on* Solaris as *standard*.
>
>And that it ships doesn't mean a hill of beans - it's on how it's setup
>and configured that makes it a firewall or not.
Our resident 'expert' finally gets a modicum of clue.
[the usual circular drivel binned unread]
It makes no difference how many of these stupid things you say,
you can't make them come true.
What "derivative work" are you talking about?
>Just because
>a project uses parts of something does not mean it's as good or has the
>same working features as the original. I can see that you've never coded
>anything in your life if you don't understand that concept.
Try opening your eyes, it really is better than a limited
imagination.
Which applies just as equally to your silly insistence that ICSA
certification is a holy grail.
>> > that somehow that makes the unproven solution that may
>> >be based on that particular implementation, somehow, some way, the same?
>>
>> I am not the one claiming that IPFilter is somehow 'unproven' purely on the
>> basis of a lack of a shilled review by ICSA labs.
>
>You are the one claiming that because a product has a hacked version of
>something installed, something that "can" be setup as a firewall, that
>all products using derivatives of it must also be firewalls of the same
>quality.
Where do you get the idea that if the ICSA hasn't been paid that
a product is a "hacked version"? Or that it isn't if the fee has
been paid?
>> Do you accept that IPFilter on Solaris is a perfectly valid firewall
>> solution, yes or no.
>
>I will agree that "it can be" under the right installation and
>configuration methods and practices.
So you *admit* that all of your previous statements were bogus!
>> Do you accept that netfilter firewalling solutions have been 'passed' by
>> ICSA, yes or no.
>
>I've not looked, but in some combinations I accept that as tested and
>certified, if it was, that it passed in that configuration.
>
>> Do you accept that OpenBSD is the most secure general purpose *nix like OS
>> available today, yes or no.
>
>Yes, never denied it or disputed it. Being the most secure general
>purpose OS does not make its inclusion into the 54g package as secure,
>in fact, until the 54g and firmware is tested even you can't tell if
>they left a hole or any other exploit open.
Speaking of ignorance. You don't seem to know this topic well enough
to discuss the details without huge confusion. You are merely blathering
again, and it isn't making sense at all.
(Hint: Linksys doesn't use OpenBSD in any product.)
>I agree, you are really unable to understand the concepts that are being
>discussed here - you seem to think that one product, used in a specific
>setting, is the same as another product using part of a solution based
>on part of something that has part of the same name.....
Your ignorance is showing, again.
>In article <rcmff19gj8bdsqa9e...@4ax.com>, m...@privacy.org
>says...
>> On Mon, 08 Aug 2005 19:48:48 GMT, Leythos <vo...@nowhere.lan> wrote:
>>
>>
>> >> >> You could try claiming that Sun and Solaris are somehow 'unproven'......
>> >> >
>> >> >And your "assumption" that because Sun and Solaris ship a version of it
>> >> >on some systems,
>> >>
>> >> Make that *ALL* Sun systems. You've been told more than once already that
>> >> Sun ships IPFilter *on* Solaris as *standard*.
>> >
>> >And that it ships doesn't mean a hill of beans - it's on how it's setup
>> >and configured that makes it a firewall or not.
>>
>> Our resident 'expert' finally gets a modicum of clue.
>
>Nicely taken out of context.
It's a statement of fact.
Do stop being churlish dear boy, it's not the fault of the audience
that you hoisted yourself upon your own petard.
>So, when are you going to post something
>that indicates the 54g and third-party firmware is actually an accepted
>firewall by a reputable authority?
ROTFL! What would you know about it exactly ?
You've previously claimed that it's based on OpenBSD
#quote
> Do you accept that OpenBSD is the most secure general purpose *nix like OS
> available today, yes or no.
Yes, never denied it or disputed it. Being the most secure general
purpose OS does not make its inclusion into the 54g package as secure,
#endquote
Your propensity for repeated public displays of cluelessness is what is
being discussed ATM.
greg
> Do you accept that OpenBSD is the most secure general
> purpose *nix like OS available today, yes or no.
Yes, never denied it or disputed it. Being the most secure
general purpose OS does not make its inclusion into the 54g
package as secure, in fact, until the 54g and firmware is
tested even you can't tell if they left a hole or any other
exploit open.
You say things like that and then have brass to claim somebody
else doesn't understand "enough about OS's and applications to
know that a derivative work is not the same..."?
Am I being too kind by suggesting you are merely ignorant?
>In article <0hkgf1pkq1g9vnhuj...@4ax.com>, m...@privacy.org
>says...
>> On Tue, 09 Aug 2005 00:03:31 GMT, Leythos <vo...@nowhere.lan> wrote:
>>
>> >In article <rcmff19gj8bdsqa9e...@4ax.com>, m...@privacy.org
>> >says...
>> >> On Mon, 08 Aug 2005 19:48:48 GMT, Leythos <vo...@nowhere.lan> wrote:
>> >>
>> >>
>> >> >> >> You could try claiming that Sun and Solaris are somehow 'unproven'......
>> >> >> >
>> >> >> >And your "assumption" that because Sun and Solaris ship a version of it
>> >> >> >on some systems,
>> >> >>
>> >> >> Make that *ALL* Sun systems. You've been told more than once already that
>> >> >> Sun ships IPFilter *on* Solaris as *standard*.
>> >> >
>> >> >And that it ships doesn't mean a hill of beans - it's on how it's setup
>> >> >and configured that makes it a firewall or not.
>> >>
>> >> Our resident 'expert' finally gets a modicum of clue.
>> >
>> >Nicely taken out of context.
>>
>> It's a statement of fact.
>
>Facts taken out of context are what trolls use to divert from a subject
>and to play games
Oh FFS! Do grow up my little projecting cretin.
I quoted exactly where in
http://groups.google.co.uk/group/comp.security.firewalls/msg/166af8172b74dbe5?dmode=source&hl=en
Message-ID: <MPG.1d6181364...@news-server.columbus.rr.com>
*you* asserted that OpenBSD was used in WRT54G
"Being the most secure general purpose OS does not make its inclusion into
the 54g package as secure"
and less than 24 hours later you're attempting to deny making the statement.
Your own words make it more than self evident that you have absolutely no
idea of the subject matter under discussion.
It's not the fault of the audience that your fragile defensive ego will not
permit you to recognise this.
Please continue with the pathetic flailing in some childish attempt to have
the last word.
One wouldn't be surprised if Watchguard doesn't ask you to get a grip and
STFU before embarrassing them further by association.
>> >Facts taken out of context are what trolls use to divert from a subject
>> >and to play games
>>
>> Oh FFS! Do grow up my little projecting cretin.
>>
>> I quoted exactly where in
>>
>> http://groups.google.co.uk/group/comp.security.firewalls/msg/166af8172b74dbe5?dmode=source&hl=en
>>
>> Message-ID: <MPG.1d6181364...@news-server.columbus.rr.com>
>>
>> *you* asserted that OpenBSD was used in WRT54G
>>
>> "Being the most secure general purpose OS does not make its inclusion into
>> the 54g package as secure"
>
>Yep, I said that, never denied saying that. But, if you could read, I
>also didn't say that it IS included.
Unbelievable......
>> Please continue with the pathetic flailing in some childish attempt to have
>> the last word.
>>
>> One wouldn't be surprised if Watchguard doesn't ask you to get a grip and
>> STFU before embarrassing them further by association.
>
>Why do you keep going back to WG, do you have some vendetta against WG?
>Is that what this is really about - you have some hidden agenda to slam
>WatchGuard?
A hysterical attempt at diversion......
I'm sure that just as you can screw up the configuration of
OpenBSD, you can screw up the configuration *every* model that
has been certified by ICSA too.
Your logic leaves a great deal to be desired, and adding in
these silly statements like "What part don't you..." at every
point where you are confused is not helping you to learn.
In addition to being logically challenged, you don't read English
well.
So, then you agree with me - just because someone installs an
ICSA certified model, that it doesn't make it a secure
installation. Which is the entire point of this thread - just
because someone pays for ICSA certification for a device and
calls it a firewall, that is not what makes it a firewall.
>> Your logic leaves a great deal to be desired, and adding in
>> these silly statements like "What part don't you..." at every
>> point where you are confused is not helping you to learn.
>
>Now that we agree that openBSD isn't always secure, that something
>called a firewall without testing/certification may not be a firewall, I
>don't see what your problem is.
Now that we agree that ICSA certified equipment isn't always
secure, that something called a firewall with
testing/certification may not be a firewall, I don't see what
your problem is.
(Actually though, I do see that you can't follow logic, and
don't have enough background to understand a discussion of
firewall technology.)
That is true. Now if you only understood what you are saying!
The "further testing"... can't be done *before* hand, so your
insistence that some similar configuration be certified by ICSA
is simply not valid.
>Where you fail to understand things
>is that Firewall solution that has been passed/tested and documented as
>being secure is far more likely to be a viable security solution than
>something that's not been tested by any reputable agency.
Your understanding of "reputable agency" is simply *wrong*.
IPfilter and IPtables have both passed the test of time and
scrutiny by a much more stringent agency than ICSA (though in
fact, both have obviously been tested and passed by ICSA).
>The entire point is that by using known certified/tested products that
>have documented test methods and result sets, we don't have to put them
>through the same tests on our own in order to determine if they MIGHT be
>securable. Certification means that in a documented test under specific
>conditions, that the device didn't break.
Since you *don't* *duplicate* the same configuration, you don't
know any more about how secure it is than you do about any other
implementation.
>> Which is the entire point of this thread - just
>> because someone pays for ICSA certification for a device and
>> calls it a firewall, that is not what makes it a firewall.
>
>Wrong, if the device is tested and passes, it's a firewall at the point
>it was tested. That doesn't mean you can't misconfigure it, but it does
>mean that it passed specific testing methods and results that are
>documented that you and I can look at to determine, without having to do
>the testing ourselves, that the device meets criteria x,y,z as a
>firewall. Without certification or other reputable testing you don't
>know what criteria the device meets and you don't have any reason to
>expect it to perform as a firewall (or anything else).
Now if only you understood what you are saying. ICSA certifies
an IPtables implementation on one device... and you say the
*device* is therefore a firewall, but IPtables isn't.
Yet your configuration of IPtables is just as untested on that
one device as it is on *any* *other* device using IPtables.
The fact is they *are* all using the same IPtables, and it is
just as likely to "perform as a firewall" on *any* of them.
The same is true of the IPfilter software.
...
>> >Now that we agree that openBSD isn't always secure, that something
>> >called a firewall without testing/certification may not be a firewall, I
>> >don't see what your problem is.
>>
>> Now that we agree that ICSA certified equipment isn't always
>> secure, that something called a firewall with
>> testing/certification may not be a firewall, I don't see what
>> your problem is.
>>
>> (Actually though, I do see that you can't follow logic, and
>> don't have enough background to understand a discussion of
>> firewall technology.)
>
>If you can't understand my reply in this post you can't grasp the
>concepts enough to be worth any more of my time.
Your reply was not logical, and you continue to make invalid
statements.