Linux - Security
I'm a student trying to do a project in which I compare the inner workings of IPTables and Cisco PIX. I have access to a couple of PIXs and can run IPTables on a linux box. My problem, however, is that I can't come up with a physical topology to compare the two. Also, I can't seem to find previous work done on this topic and am running out of time fast.
I would appreciate any and all help that I can get, including white papers, independent work or advice on how to go about it. I have a week to come up with something substantial in depth.
Well, if it's all about inner workings, what you should check is performance under the same load with the same configuration (or nearly the same). You don't need a topology, IMHO. You can just test with a number of scans running from a different machine, for example.
I think what he's looking for is more details on how each firewall events things. Such as how the state tables are created, whether or not netfilter uses embryonic connections like the Pix, the fact that netfilter currently does not support stateful failover (can't share conntrack data) while the Pix can, protocol fixups, ez-vpn, nat-traversal, etc.
But I could be wrong since attempting this depth of analysis in 1 week is... well... less than proactive. Perhaps it's just a light overview.
I certainly hope the professor this report is going to is not very demanding.
bignerd, you got it right. I'm not familiar with either of the two firewalls but what you suggested is exactly what I would like to do. Since time is limited, an overview would be a good alternative.
So can you suggest how I go about it? Where can I attain such information?
Are you comparing features, or traffic processing flow? In iptables of course, the traffic goes through a set number of "tables", plus whatever the user defines. In PIX it's different, basically examining directional traffic on each interface, and also (optionally), AAA information, and NAT.
I am comparing features as well as the differences & similarities of the two firewalls. I would like to get into packet level depth and use a sniffing application such as ethereal to realize the inner workings. Now I am by no means a programmer, nor do I have the source code for PIX. So you see my dilemma.
I guess my main question would be how to go about analyzing either one of them in detail. I have access to PIX, and also cisco routers and switches.
You can't really tell how a firewall operates by using a packet sniffer, at least, not by way of a comparison. Packet sniffers only see what's "on the wire", but all the interesting things a firewall does happen in kernel space.
Hahaha, you can't be serious! PixOS is closed source and the only userland utilities are built-in commands. You can't install debuggers or arbitrary programs on a PIX device. You're not going to be able to observe what it's doing. The best you can do is find documentation on Cisco Secure PIX and if you're really lucky, you might run into an architecture description, although I doubt such a thing has been released to the public.
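Added example, not posted in this thread: since the replies above point out that the state table lives in kernel space where a sniffer cannot see it, the netfilter side of the comparison can instead be read straight from the kernel's conntrack table (/proc/net/nf_conntrack), which this small Python parser does. The sample lines are constructed, the summary keys are my own choice, and TCP entries in SYN_SENT flagged [UNREPLIED] are taken here as the closest netfilter counterpart of the half-open ("embryonic") connections bignerd mentions on the Pix.

```python
import re
from collections import Counter

# Constructed sample of /proc/net/nf_conntrack lines (not captured from a real host).
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=192.168.1.10 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.10 dst=203.0.113.9 sport=40000 dport=22 [UNREPLIED] src=203.0.113.9 dst=192.168.1.10 sport=22 dport=40000 mark=0 zone=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=192.168.1.10 dst=203.0.113.9 sport=40001 dport=22 [UNREPLIED] src=203.0.113.9 dst=192.168.1.10 sport=22 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53000 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53000 mark=0 zone=0 use=2
"""

# Original and reply tuples for TCP/UDP; ICMP entries use type=/code=/id= instead and are skipped here.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entry(line):
    """Turn one conntrack line into a dict; returns None for protocols this parser does not handle."""
    fields = line.split()
    tuples = TUPLE_RE.findall(line)
    if len(tuples) < 2:
        return None
    return {
        "l3": fields[0], "l4": fields[2], "timeout": int(fields[4]),
        # Only TCP carries a state name (SYN_SENT, ESTABLISHED, ...) after the timeout field.
        "state": fields[5] if fields[2] == "tcp" else None,
        "unreplied": "[UNREPLIED]" in fields,   # reply direction never seen: half-open
        "assured": "[ASSURED]" in fields,       # both directions seen; kept under table pressure
        "orig": tuples[0], "reply": tuples[1],
    }

def parse_table(text):
    """Parse every non-empty line, dropping entries parse_entry cannot handle."""
    entries = (parse_entry(ln) for ln in text.splitlines() if ln.strip())
    return [e for e in entries if e is not None]

def summarize(entries):
    """Figures to set beside the PIX's own connection table (its 'show conn' output):
    total flows, fully assured flows, and half-open TCP flows per destination port."""
    return {
        "total": len(entries),
        "assured": sum(e["assured"] for e in entries),
        "half_open_by_dport": Counter(
            int(e["orig"][3]) for e in entries if e["l4"] == "tcp" and e["unreplied"]
        ),
    }
```

Feed it the contents of /proc/net/nf_conntrack (reading it needs root and the conntrack module loaded) instead of the sample to watch the table grow and expire while the scans from the earlier reply run against the box.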