7

If I want to use Ubuntu 11.04 as a firewall in a SOHO environment, then I just can't figure out what is the bad thing about installing a GUI on it (e.g.: XFCE)?

The only open port to the world (WAN port) would be SSH on a non-default port + pubkey auth only + restricted IP subnets from which people could log on, etc.

I'm just not getting the true reasons why it could affect the "security" of a firewall if I have a GUI on it.

p.s.: "GUI" is just needed because I want to use this machine as a "Movie player/connected to a projector" - that's all. - it would be expensive (power consumption) to use the PC as only a firewall, so I'm using it for playing videos too (not using a web browser on it).

p.s.2: It would NAT the "internet" through a USB wifi dongle (wpa2/aes/64 char random pass.).

UPDATE:
so to clarify:
Why (or HOW Exactly) would an installed XFCE affect the e.g.: SSHD regarding security? (I'm saying that because that's the only server/having open port to the world/wan)

AviD
LanceBaynes
  • I have edited this to more closely match what you have explained in your comments, which is that you aren't meaning a GUI for firewall management, but actually a movie player application. If I am wrong, please revert changes. – Rory Alsop Jun 02 '11 at 23:07
  • I just don't like this question, so I'm giving it a -1. GUI versus command line is a personal choice every time a user gets in front of a computer or network of computers and manages them. – atdre Jun 03 '11 at 01:16
  • As I asked in my answer to your question, where did you see that you shouldn't have a GUI? was this in some kind of tutorial? did someone tell you this? did you see it while installing whatever firewall you're using? No matter the answer, unless the GUI is somehow binding TCP ports or accepting connections, there's no reason not to have a GUI on a firewall. – Ormis Jun 03 '11 at 13:54
  • 2
    @Ormis as noted by @nealmcb [ServerGUI - Community Ubuntu Documentation](https://help.ubuntu.com/community/ServerGUI) recommends against installing a GUI. [The NSA recommends against installing a X11](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), the basis for GUIs for Linux. [Building Secure Servers with Linux](http://www.amazon.com/Building-Secure-Servers-Linux-Michael/dp/0596002173) recommends against installing X11. [Binbert recommends against installing X11](http://www.binbert.com/blog/2011/01/redhat-linux-hardening/). Almost everyone recommends against installing X11. – this.josh Jun 04 '11 at 08:00
  • @this.josh - good links! Put them in your answer or I'll rip them off :) – nealmcb Jun 05 '11 at 16:20

6 Answers

8

The codebase required to run a firewall is tiny. E.g. stripped down Linux kernel, busybox, ssh and not much else. I don't have numbers, but I'm guessing it is a tenth the size or less than any GUI movie-playing option you'd be likely to be happy with. You can easily do GUI management of a firewall without putting a GUI on the firewall itself - just run the GUI elsewhere to design the ruleset and upload it to the firewall. Or run a minimal web server and management software and use a browser as the GUI.

The larger codebase presents a larger attack surface. E.g. a nasty attack on any of the packages used in the GUI could be used to get at the whole box. Many of those attacks don't require an open port. They could come via viruses in media files, trojans in any of the packages, etc.

In your case you may just not worry about such attacks, which certainly would be harder than a normal open port attack. But the principle of limiting the attack surface applies for many reasons.

See also

nealmcb
5

Well, I will first have to ask this question: Who said that a GUI on a firewall is a bad thing?

Frankly it's absurd, depending on the complexity of the firewall rule-set, to think that there be no GUI for the firewall (though in most cases it would consist of a thick client).

On the other hand, for this particular situation, it's less an issue regarding the presence of a GUI, but more of an issue regarding the desired use of the machine. If you are intending for this machine to be a discrete firewall (or a hardware firewall if you want to use that terminology), that's exactly what it should be, discrete. Adding any other function to that machine could present a security risk. If you do in fact run media streaming software on the machine, that means that there are other potential attack vectors against your firewall and the connected private network space.

From my experience, an HTPC will run with negligible power consumption and is usually pretty cheap to build as well. HTPCs are also usually pretty insecure (well, at least every one that I've ever come across and had the pleasure of testing).

Bottom Line: A GUI is fine on a firewall, what's not fine is running other services on the machine which negate the purpose of a discrete firewall. This being said, if you take all the proper steps in hardening Ubuntu when you create this box and you keep your media services local to that machine, you should be fine to go ahead with your plan.

Another thought: If you have your own router (created yourself, not an appliance), throw your IPTables or UCF firewall onto that machine instead of your HTPC.

Ormis
  • One more thought; If you're asking this because you were instructed to use ubuntu server instead of ubuntu desktop for your firewall, that's an entirely different issue. The presence of a Desktop GUI environment isn't the only change between the different ubuntu images. – Ormis Jun 03 '11 at 13:56
4

While the other answers are good, it sounds like you may be looking for a more philosophical (yet practical) answer. That answer is this:

It is not possible to telnet to a used tire. It is also not possible to install a piece of malicious software on a used tire. As you move from one end of the scale from used tire to fully functional desktop environment your system becomes less secure, i.e. the more libraries, packages, etc. you have installed the more chances you have for malware to install and function.

It's purely a matter of simplicity and reduced attack surface. A used tire is best, but you can't run anything on it, so you're trying to get as close to that as possible.

Daniel Miessler
3

Every extra piece of software you install on a system also increases the attack surface for an attacker. However, if using a GUI for operating the server and managing the firewall provides you, as an administrator, with more and better control, I'd say that the GUI is increasing your security. If a command line UI is harder for you to use and configure properly, it is working against your security.

Chris Dale
3

XFCE probably doesn't make your firewall less secure. But using it as a media player could easily make your firewall less secure, because doing so increases the attack surface and the potential for a security compromise of that machine.

Example: Suppose you download a movie from the Internet and play it with your media player. If your media player has an exploitable vulnerability, then your machine is compromised, your security is hosed, and your firewall cannot be trusted.

This is the reason why security folks generally recommend that it's better for security if your firewall is implemented by a single-purpose device that is not used for any other purpose.

D.W.
3

I'm surprised that no one else has mentioned that xfce requires libx11-6 (see http://www.x.org/wiki/Development/Security), libgtk, libglib, libdbus (http://www.securityfocus.com/archive/1/515796), libcairo (http://www.nessus.org/plugins/index.php?view=single&id=21151), libpango (http://www.cvedetails.com/cve/CVE-2011-0020/), and many other libraries.

While these libraries are unlikely to compromise sshd directly, they have the potential to open other attack vectors, especially X11. After all X11 is a network protocol designed to provide remote access to applications.

As noted by nealmcb, ServerGUI - Community Ubuntu Documentation recommends against installing a GUI. The NSA recommends against installing a X11, the basis for GUIs for Linux. Building Secure Servers with Linux recommends against installing X11. Binbert recommends against installing X11. Almost everyone recommends against installing X11.

In general the more complex the system the harder it is to test and check for vulnerabilities. That's what people mean when they say 'increased attack surface'. Systems configured as just firewalls with the basics have been well tested, and when vulnerabilities are found they are quickly reported and addressed.

If you do decide to install any X11 based software, make sure it is well isolated from any remote users. Restrict X11 access to the console only.

In terms of cost, it doesn't take much to run a PC as a firewall. Devil Linux is a free live CD-ROM Linux distribution which runs fine on a 486 with 32MB of RAM!

And of course you know that WPA2 is vulnerable to insider attack.

this.josh
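A check for the advice above to restrict X11 to the console, together with the question's goal of exposing only sshd. This is an added example, not part of any answer; it assumes the column layout of `ss -H -ltn`, and the sample lines and the SSH port 2222 are constructed. It only covers listening TCP sockets, not the media-file and library risks the other answers describe.

```shell
#!/usr/bin/env bash
# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE='LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:6000 [::]:*
LISTEN 0 128 [::1]:6010 [::]:*
LISTEN 0 50 192.168.1.1:53 0.0.0.0:*'

# audit_listeners ALLOWED_PORT
# Reads `ss -H -ltn` lines on stdin and prints one finding per TCP listener
# that is bound to a non-loopback address and is not the allowed (sshd) port.
# Ports 6000-6063 are the conventional X11 display ports (6000 + display no.).
audit_listeners() {
    awk -v allowed="$1" '
    $1 == "LISTEN" {
        local_addr = $4
        # The port is whatever follows the last ":" (works for [::]:6000 too).
        n = split(local_addr, parts, ":")
        port = parts[n] + 0
        addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)

        # Loopback-only listeners are not reachable from the LAN or WAN.
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        # The single service that is meant to be exposed.
        if (port == allowed) next

        kind = (port >= 6000 && port <= 6063) ? "X11-TCP" : "REVIEW"
        printf "%s %s port=%d\n", kind, addr, port
    }'
}

# Run against the constructed sample; on a live host use:
#   ss -H -ltn | audit_listeners <your sshd port>
printf '%s\n' "$SAMPLE" | audit_listeners 2222
```

An `X11-TCP` line means the X server is accepting TCP connections on an externally reachable address; a `REVIEW` line is any other listener that should either be justified (for example LAN-side DNS for NAT clients) or bound to loopback.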