
Linux firewall vs Windows and Hardware based firewalls - Debian


  1. #1

    Linux firewall vs Windows and Hardware based firewalls

    Hello all,

    I have to put forward an argument to management regarding setting up a
    firewall on some of our clients networks.

    What are the advantages of a linux firewall over something like Windows
    with WinRoute on it, or even a hardware based firewall. What are the
    disadvantages etc. I know I am asking on a linux users mailing list, but
    I would also like replies not to be too biased.

    Thanks
    Andre


    --
    To UNSUBSCRIBE, email to [email]debian-user-requestlists.debian.org[/email]
    with a subject of "unsubscribe". Trouble? Contact [email]listmasterlists.debian.org[/email]
    Andre Volmensky

  2. #2

    Re: Linux firewall vs Windows and Hardware based firewalls

    On Thu, 2003-07-31 at 01:11, Andre Volmensky wrote:
    > Hello all,
    >
    > I have to put forward an argument to management regarding setting up a
    > firewall on some of our clients networks.
    >
    > What are the advantages of a linux firewall over something like Windows
    > with WinRoute on it, or even a hardware based firewall. What are the
    > disadvantages etc. I know I am asking on a linux users mailing list, but
    > I would also like replies not to be too biased.
    Vs. Windows:
    - stability: you can make a Win2k box as stable as a "Unix" box
    only by adding lots more RAM.
    - resource usage (a *minimal*, headless "dumpster special" (i.e. free
    as in beer) PC does great as a Linux/{Open|Free}BSD firewall).
    32MB RAM, 1GB HDD and a Pentium 133 are more than adequate for
    10Mb/s (1.25MB/s) Ethernet, and a T1 is much slower than that.

    Vs. H/w:
    - Flexibility: a h/w firewall/router lets you do *only* what is flashed
    onto the FlashRAM, nothing more. A good general purpose OS (again,
    Linux/{Open|Free}BSD) lets you do more, like traffic analysis/shaping,
    intrusion detection, etc, etc.
    - Upgradeability: every time a new kernel or version of userland apps
    come out, you can get bug fixes and new features.
    - Security: you have the source, so "you" can verify correctness.
    - Security: if the manufacturer of the h/w firewall goes out of
    business or stops supporting that model, you must buy a new model,
    or face the possibility of unpatched bugs.

    --
    +-----------------------------------------------------------------+
    | Ron Johnson, Jr. Home: [email]ron.l.johnsoncox.net[/email] |
    | Jefferson, LA USA |
    | |
    | "I'm not a vegetarian because I love animals, I'm a vegetarian |
    | because I hate vegetables!" |
    | unknown |
    +-----------------------------------------------------------------+



    Ron Johnson

  3. #3

    Re: Linux firewall vs Windows and Hardware based firewalls

    On Thu, 31 Jul 2003 16:11:14 +1000
    "Andre Volmensky" <AndreVdatcom.com.au> wrote:
    > What are the advantages of a linux firewall over something like Windows
    > with WinRoute on it, or even a hardware based firewall. What are the
    > disadvantages etc. I know I am asking on a linux users mailing list, but
    > I would also like replies not to be too biased.
    To me the advantage over Windows is plain. With Linux you can pare it
    down to the bare minimums and run *just* a router. No need to fire up a huge
    GUI to do the work. Furthermore there's no need to load in a slew of support
    modules into the kernel that will most likely never be needed. Pare down
    those gettys and rip out other components which aren't needed. What you're
    left with is a router that can run in an amazingly small footprint both on
    disc and in memory. While I would not advocate it when was the last time you
    saw a Windows router on a floppy? :)

    Against hardware based routers it is a little different. There you're
    going against specialized hardware. However, for me, I don't like the notion
    of having to telnet anywhere. Last time I checked, admittedly not recently,
    no hardware router supported sshd. Also you can scale up from a bare-bones
    router to make some things easier for neophytes.

    As an example of both these points let me describe my parents' router.
    They wanted DSL but wanted to have both their personal machines behind it. I
    told 'em no problem, just grab an old PC (they have tons, my dad's a PC
    packrat), and old HD, toss in a pair of NICs and I'll take care of the rest.
    I showed up with the Woody bootable CD and in about 20-30 minutes had a router
    setup for them based on Stable. Beyond base I think the only things I
    installed were shorewall and sshd. Shorewall is a great firewall package
    that's easy to setup, get going and lock down. I've since added webmin with
    the shorewall package. This gives a basic web interface to configure the
    firewall. So now when things are going wonky I don't have to try to talk my
    dad through editing a config file. "Click here, add this, move the rule up
    here, you're done." I started out basic and added a piece here and a piece
    there to fit the needs of my parents.

    --
    Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
    PGP Key: 8B6E99C5 | main connection to the switchboard of souls.
    | -- Lenny Nero - Strange Days
    -------------------------------+---------------------------------------------

    Steve Lamb

  4. #4

    Re: Linux firewall vs Windows and Hardware based firewalls


    On Thu, Jul 31, 2003 at 04:11:14PM +1000, Andre Volmensky wrote:
    > What are the advantages of a linux firewall over something like Windows
    > with WinRoute on it, or even a hardware based firewall.
    If by "hardware based firewall" you mean "a real (read: Cisco Systems)
    router," that is probably your best option (you said "clients", so I
    assumed enterprise). Linux will give you better access control
    potential than the Cisco router.

    A windows box as a firewall? I just spent the last five minutes
    cleaning up my desk after I sprayed coffee out my nose...seriously,
    you might as well pull your pants down and bend over for the crackers
    at that point, and forget flexibility or reliability. (Yes, I have
    had the misfortune of maintaining Windows ICS and a Winroute box that
    some moron put into production and manglement wouldn't let me replace
    at first. I really have to wonder how much crack one has to smoke to
    make this sound like a good idea...)

    - --
    .''`. Paul Johnson <balooursine.ca>
    : :' : proud Debian admin and user
    `. `'`
    `- Debian - when you have better things to do than fix a system
    Paul Johnson

  5. #5

    Re: Linux firewall vs Windows and Hardware based firewalls


    On Thu, Jul 31, 2003 at 01:57:00AM -0500, Ron Johnson wrote:
    > Vs. Windows:
    > - stability: you can make a Win2k box as stable as a "Unix" box
    > only by adding lots more RAM.
    And even then, no guarantees that the box will be reliable for very
    long if it has any users at the console or any activity from the
    network.

    Paul Johnson

  6. #6

    Re: Linux firewall vs Windows and Hardware based firewalls

    On Thursday 31 July 2003 08:11, Andre Volmensky wrote:
    > What are the advantages of a linux firewall over something like
    > Windows with WinRoute on it, or even a hardware based firewall. What
    > are the disadvantages etc. I know I am asking on a linux users
    > mailing list, but I would also like replies not to be too biased.
    I have no experience with either Windows routers or hardware routers,
    but I have a great router running Linux from a floppy.

    It's an old box I was given, and it has a 133 MHz Pentium CPU. That's
    certainly overkill for my purpose, but that is what I got.... It would
    probably be appropriate for your purpose. I ripped the harddrive out,
    it boots from a floppy.

    The floppy is from the Coyote Linux project: [url]http://www.coyotelinux.com/[/url]
    but you could try floppyfw too [url]http://www.zelow.no/floppyfw/[/url]
    I couldn't get it to work with my DSL provider, which is strange since
    I'm using the same provider as the author.

    Anyway, I figured it will be so extremely seldom I have to change
    anything in there, I disabled any access method beyond going to the box
    and popping the floppy out. No telnetd, no sshd. I figured, if there is
    some vulnerability in the firewall code, it is not even going to be a
    daemon listening on the inside, ready to give the attacker a shell.
    Also, the RAMDisk isn't big, and when there is no harddrive, even if the
    attacker gets into the firewall box, it's a complete wasteland when it
    comes to tools.

    Now, do _that_ on windows! :-)

    Cheers,

    Kjetil
    --
    Kjetil Kjernsmo
    Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
    [email]kjetilkjernsmo.net[/email] [email]webmasterskepsis.no[/email] [email]editorlearn-orienteering.org[/email]
    Homepage: [url]http://www.kjetil.kjernsmo.net/[/url] OpenPGP KeyID: 6A6A0BBC


    Kjetil Kjernsmo

  7. #7

    Re: Linux firewall vs Windows and Hardware based firewalls



    On Thu, 31 Jul 2003, Kjetil Kjernsmo wrote:
    >
    > The floppy is from the Coyote Linux project: [url]http://www.coyotelinux.com/[/url]
    > but you could try floppyfw too [url]http://www.zelow.no/floppyfw/[/url]
    > I couldn't get it to work with my DSL provider, which is strange since
    > I'm using the same provider as the author.
    The rest of the distros for fw (fd, cd, /dev/ram, etc.):

    [url]http://www.Linux-Sec.net/Firewalls[/url]

    c ya
    alvin


    Alvin Oga

  8. #8

    Re: Linux firewall vs Windows and Hardware based firewalls

    On Thu, Jul 31, 2003 at 08:50:21PM +0800, Robert Storey wrote:
    > Everything I've ever read indicates that a hardware-based firewall is
    > more secure and reliable than a PC operating system, be it Linux or
    > Windows. A PC OS has to be complex because it has so many functions to
    > perform, but that adds potential security holes and one can never close
    > them all. Furthermore, Intel-based PCs have some well-known exploits
    > (such as buffer overflows) which are a function of the hardware and
    > there is no real cure because changing the CPU instructions would break
    > backward compatibility. By contrast, a router operating system is very
    > simple and designed to do only one thing, and the hardware (which has no
    > moving parts) is more reliable and uses far less electricity than a PC.
    >
    > A Linux-based firewall is probably good enough for the average home
    > hobbyist, but in a professional environment it doesn't pay to "save
    > money" by recycling an old PC with Linux installed in place of a router.
    >
    > regards,
    > Robert
    Hmm... I'm not an expert and this is my understanding of software and
    hardware firewalls.

    A hardware firewall would probably be more reliable; the security part
    is debatable. A firewall is a firewall: its security comes from its
    configuration. A cut-down firewall/router machine with minimal services
    can be just as secure as a hardware firewall.

    The advantage of a hardware firewall is most likely speed:
    specialised hardware to deal with packet processing and the like.

    This won't be an issue if you're a home user with a few machines but
    for corporate use, with lots of machines and traffic, you want things
    to be speedy and more efficient.

    Rex Chan

  9. #9

    Re: Linux firewall vs Windows and Hardware based firewalls

    On Thu, 2003-07-31 at 07:50, Robert Storey wrote:
    > On Thu, 31 Jul 2003 16:11:14 +1000
    > "Andre Volmensky" <AndreVdatcom.com.au> wrote:
    >
    > > Hello all,
    > >
    > > I have to put forward an argument to management regarding setting up a
    > > firewall on some of our clients networks.
    > >
    > > What are the advantages of a linux firewall over something like
    > > Windows with WinRoute on it, or even a hardware based firewall. What
    > > are the disadvantages etc. I know I am asking on a linux users mailing
    > > list, but I would also like replies not to be too biased.
    >
    > Everything I've ever read indicates that a hardware-based firewall is
    > more secure and reliable than a PC operating system, be it Linux or
    > Windows. A PC OS has to be complex because it has so many functions to
    > perform, but that adds potential security holes and one can never close
    > them all.
    *Totally* disagree.

    "Hardware" routers/firewalls are *only* and *just* computers with
    programs loaded out of flash RAM instead of a {hard|floppy|CD} disk.

    And they do have OSs. Here, for example, is what my cable modem runs:
    Software Version: SB3100-3.2.12-SCM06-NOSHELL
    Hardware Version: 2
    MIB Version: II
    GUI Version: 1.0
    VxWorks Version: 5.3

    Linux and BSD can be made *very* small. Ever heard of floppy
    firewalls?
    > Furthermore, Intel-based PCs have some well-known exploits
    > (such as buffer overflows) which are a function of the hardware and
    > there is no real cure because changing the CPU instructions would break
    > backward compatibility.
    Bzzz. Where did you hear that?

    Buffer-overflows are mainly a symptom of the "C" disease, and
    happen on ia32, Alpha, Sparc, etc. Any arch that has a C compiler.

    Now, an insecure-by-design OS (DOS, Win3.1, Win95, Win98) that
    doesn't use the memory protection that the CPU provides are crud,
    but real OSs (OS/2, Linux, QNX, etc, etc, ad nauseam) don't
    suffer that problem.
    > By contrast, a router operating system is very
    > simple and designed to do only one thing, and the hardware (which has no
    > moving parts) is more reliable and uses far less electricity than a PC.
    You've never seen all the exploits in Cisco's OS, have you?
    > A Linux-based firewall is probably good enough for the average home
    > hobbyist, but in a professional environment it doesn't pay to "save
    > money" by recycling an old PC with Linux installed in place of a router.
    Again, disagree.

    H/W routers definitely have their place, but any business could
    be well served by replacing all firewalls and small/mid-sized
    routers with boxen powered by pared-down {Linux|FreeBSD}.

    Ron Johnson

  10. #10

    Re: Linux firewall vs Windows and Hardware based firewalls

    On Thu, 2003-07-31 at 08:30, Rex Chan wrote:
    > On Thu, Jul 31, 2003 at 08:50:21PM +0800, Robert Storey wrote:
    [snip]
    > The advantage of hardware firewall - most likely speed -
    > specialised hardware to deal with packet processing and the like.
    So if a P2-233 w/ 32MB RAM doesn't handle it, try something faster.

    If a GHz CPU w/ 256MB RAM (dirt cheap!!) can't handle a T3 (45Mbps,
    5.6MBps), something is wrong.

    Ron Johnson

  11. #11

    RE: Linux firewall vs Windows and Hardware based firewalls

    My ideal solution is to use a Firewall/VPN Appliance (Cisco and Symantec
    both have good offerings) for perimeter protection.

    But, use a desktop
    firewall/IDS/IPS/whatever-they-decide-to-call-them-next system for your
    end-users, as well.
    Windows XP has this built-in (I think they are licensing ZoneLabs
    technology). Linux has it freely available.
    Otherwise, you can use ZoneAlarm, Kerio Personal Firewall, or whatever
    for additional protection.

    Trying to run an Enterprise Firewall off of a software-based
    distribution just doesn't seem very smart.
    But if I had to consider a software-based firewall, I would definitely
    go with Linux.
    Why? Because you can strip out every single piece of code that you
    don't need. You can even download bootable CDs that can run with no
    HDD that have already done a reasonable job of this.
    Windows-based firewalls might be "pretty" and might be effective. But
    you still have Windows sitting underneath it.

    -----Original Message-----
    From: Andre Volmensky [mailto:AndreVdatcom.com.au]
    Sent: Thursday, July 31, 2003 1:12 AM
    To: [email]debian-userlists.debian.org[/email]
    Subject: Linux firewall vs Windows and Hardware based firewalls


    DePriest, Jason R.

  12. #12

    Re: Linux firewall vs Windows and Hardware based firewalls

    Andre Volmensky said on Thu, Jul 31, 2003 at 04:11:14PM +1000:
    > What are the advantages of a linux firewall over something like Windows
    > with WinRoute on it, or even a hardware based firewall. What are the
    > disadvantages etc. I know I am asking on a linux users mailing list, but
    > I would also like replies not to be too biased.
    I would say that the largest advantage of the hardware firewalls is stability:
    you don't have to worry about disk failure. Now, you can build a Linux
    firewall that loads off of a flash, but why bother when companies have done it
    for you (ImageStream's Rebel routers are an example of this, which I've
    personally used and am reasonably happy with).

    The largest disadvantage is lack of flexibility: if you want to do something
    that your hardware doesn't support, you're hosed. But, for firewalls, you
    generally don't want to do too much, so this isn't as much of a problem.

    For any small link (read: DS3 or less), a PC based firewall will perform just as
    well as a hardware firewall. On the other hand, do you _want_ to be paged at
    4am because your PC based firewall ate a disk?

    And for those who still think that hardware == telnet only, that's just not
    true anymore. All of the newer kit worth owning supports ssh (some even
    support ssh v2) out of the box.

    M

    Mark Ferlatte

  13. #13

    Re: Linux firewall vs Windows and Hardware based firewalls

    On Thu, 31 Jul 2003, Ron Johnson wrote:
    >
    > > Furthermore, Intel-based PCs have some well-known exploits
    > > (such as buffer overflows) which are a function of the hardware and
    > > there is no real cure because changing the CPU instructions would break
    > > backward compatibility.
    >
    > Bzzz. Where did you hear that?
    >
    > Buffer-overflows are mainly a symptom of the "C" disease, and
    > happen on ia32, Alpha, Sparc, etc. Any arch that has a C compiler.
    >
    > Now, an insecure-by-design OS (DOS, Win3.1, Win95, Win98) that
    > doesn't use the memory protection that the CPU provides are crud,
    > but real OSs (OS/2, Linux, QNX, etc, etc, ad nauseum) don't
    > suffer that problem.
    I believe that some computer architectures can divide memory into
    'executable' and 'non-executable', thus limiting the damage a
    buffer overflow can cause. I've never heard of this in a hardware
    firewall though.

    Speaking of which, hardware firewalls and routers do have security
    problems, as a quick google search can show.

    My personal feeling on the matter is that a hardware firewall tends to
    be more compact, more efficient, and faster for some purposes. The
    expensive routers can do complex packet filtering in custom hardware
    which would be too slow to do in software.

    The cheap "firewalls" and "routers" that are used for broadband
    connections tend to be set up very insecurely - allowing almost anything
    out. Plus, with UPnP support, a UPnP operating system (such as Windows
    XP) is allowed to open and forward ports on the firewall without any
    user notification or intervention.

    Because of such concerns, for small networks, I would recommend a
    low-end x86 machine with a stripped down install of linux - basically,
    iptables and ssh. For complicated routing, you'll need to bite the
    bullet and buy a high-end router, which can easily end up costing tens
    of thousands of dollars. (But if you are asking what you need in this
    mailing list, odds are you don't need a complicated router.)

    The main security risk with a firewall is not the hardware or software,
    but with the administrator - firewalls take time and knowledge to set up
    and maintain. Also, security is more than just a firewall.

    ~ Jesse Meyer

    --
    icq: 34583382 / msn: [email]dasunthotmail.com[/email] / yim: tsunad

    "We are what we pretend to be, so we must be careful about what we
    pretend to be." - Kurt Vonnegut Jr : Mother Night

    Jesse Meyer
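The stripped-down "iptables and ssh" router that Steve Lamb and Jesse Meyer describe, and Kjetil's point about having no daemon listening for the outside, as an added example that is not from the thread or from any of the packages it names (shorewall, IPCop, etc.): a default-deny IPv4 ruleset for a box with one NIC towards the ISP and one towards the clients, emitted by a shell function in iptables-restore format so it can be reviewed before it is loaded. The interface names (eth0/eth1) and the inside subnet are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny ruleset for a two-NIC
# Linux router, emitted in iptables-restore format by a function so it can be
# read and checked before it is loaded. Interface names and the inside subnet
# are assumptions; adjust them for the box in front of you.

WAN_IF="${WAN_IF:-eth0}"               # assumed: NIC facing the ISP
LAN_IF="${LAN_IF:-eth1}"               # assumed: NIC facing the clients
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: inside subnet

# gen_rules: print the complete IPv4 ruleset on stdout. Lines starting with
# '#' are ignored by iptables-restore, so the comments can stay in.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to traffic we started are always allowed.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: an inside source address never arrives on the WAN side.
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Management: ssh from the LAN only. Nothing is reachable from the WAN.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Clients may go out; nothing unsolicited is forwarded in.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# Log what the DROP policies will discard, rate limited so the log stays usable.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP-IN: "
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP-FWD: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the inside subnet behind the WAN address.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# check_rules: the review a practitioner does before loading: both inbound
# chains default to DROP, and no ssh ACCEPT names the WAN interface.
# Returns 0 when the ruleset passes, 1 otherwise.
check_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    if printf '%s\n' "$rules" | grep -e '--dport 22' | grep -q -- "-i $WAN_IF"; then
        return 1
    fi
    return 0
}

# apply_rules: load atomically (iptables-restore replaces the whole table set
# or nothing) and turn on forwarding. Run as root on the firewall itself.
apply_rules() {
    check_rules || { echo "refusing to load: ruleset failed checks" >&2; return 1; }
    gen_rules | iptables-restore && echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-print}" in
    apply) apply_rules ;;
    check) check_rules && echo "ruleset passes checks" ;;
    *)     gen_rules ;;
esac
```

Run it with no argument to read the ruleset, `check` to run the sanity checks, and `apply` as root on the firewall to load it. The LOG prefix is what a later log parser keys on. This covers IPv4 only; if the box has IPv6 connectivity, ip6tables needs its own default-deny policy, and on Debian the script belongs in an ifupdown pre-up hook so the rules are in place before the WAN interface comes up.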

  14. #14

    Re: Linux firewall vs Windows and Hardware based firewalls

    Ron Johnson wrote:
    > On Thu, 2003-07-31 at 07:50, Robert Storey wrote:
    >> On Thu, 31 Jul 2003 16:11:14 +1000
    >> Furthermore, Intel-based PCs have some well-known exploits
    >> (such as buffer overflows) which are a function of the hardware and
    >> there is no real cure because changing the CPU instructions would break
    >> backward compatibility.
    >
    > Bzzz. Where did you hear that?
    >
    > Buffer-overflows are mainly a symptom of the "C" disease, and
    > happen on ia32, Alpha, Sparc, etc. Any arch that has a C compiler.
    Well, ever opened a Cisco PIX firewall? Guess what, it's running on an
    Intel P233-MMX...
    The remaining parts look like ordinary PC hardware, too.

    So much for the hardware aspect...

    Cheers,
    Juri


    Juri Haberland

  15. #15

    Re: Linux firewall vs Windows and Hardware based firewalls

    "Andre Volmensky" <AndreVdatcom.com.au> writes:
    > I have to put forward an argument to management regarding setting up a
    > firewall on some of our clients networks.
    >
    > What are the advantages of a linux firewall over something like Windows
    > with WinRoute on it, or even a hardware based firewall. What are the
    > disadvantages etc. I know I am asking on a linux users mailing list, but
    > I would also like replies not to be too biased.
    Just to add to what others have said, I run a software firewall
    (OpenBSD 3.2, soon to be 3.3) and one of the things I like about it is
    being able to log intrusion attempts and contribute those to
    DShield.org ([url]http://www.dshield.org[/url]). Gives me a sense that I'm
    contributing to the overall security of the "net". Probably a false one,
    since a lot of the fightback reports just get ignored by ISPs, but
    nonetheless...

    Now I believe some hardware firewalls allow you to capture logs via
    something like a remote syslog capability, but then you'd have to have
    a server to process them anyway. With my OS/software-based firewall I
    can have it do everything necessary to send the logs off to DShield.

    Gary


    Gary Hennigan
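Gary's point that a software firewall can do the whole job of logging intrusion attempts and preparing them for DShield, as an added example that is not part of his post and is not DShield's own client: a shell/awk converter from the kernel's iptables LOG lines (as syslog records them) to DShield's tab-separated submission records. The record layout (date time tz, user id, count, source, source port, target, target port, protocol, TCP flags), the anonymous user id 0, the WAN interface name and the sample log lines are assumptions or constructed for the example; check the layout against the current DShield client documentation before submitting anything.

```shell
#!/bin/sh
# Added example, not from the thread: convert iptables LOG lines (as syslog
# writes them) into DShield submission records. The field order below is the
# DShield "default format" as the author of this example understands it;
# treat it as an assumption and verify against DShield's current docs.

DSHIELD_USER="${DSHIELD_USER:-0}"   # assumed: 0 means an anonymous submission
LOG_YEAR="${LOG_YEAR:-2003}"        # syslog lines carry no year; supply it
LOG_TZ="${LOG_TZ:-+1000}"           # UTC offset of the firewall's clock
WAN_IF="${WAN_IF:-eth0}"            # assumed: only report what arrived from outside

# Constructed sample input (not a real capture): two dropped probes from the
# WAN, one unrelated sshd line, and one drop on the LAN side that must be
# left out of the report.
SAMPLE_LOG='Jul 31 16:11:14 fw kernel: FW-DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1234 DF PROTO=TCP SPT=3421 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 31 16:12:02 fw kernel: FW-DROP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.2 LEN=29 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=1026 DPT=1434 LEN=9
Jul 31 16:12:40 fw sshd[812]: Accepted publickey for andre from 192.168.1.10 port 40122 ssh2
Jul 31 16:13:05 fw kernel: FW-DROP-IN: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=50000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0'

# to_dshield: read syslog on stdin, write one record per LOG line that came
# in on the WAN interface. Inside noise stays out of the report.
to_dshield() {
    awk -v user="$DSHIELD_USER" -v year="$LOG_YEAR" -v tz="$LOG_TZ" -v wan="$WAN_IF" '
    BEGIN {
        OFS = "\t"
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
    }
    /kernel:/ && /SRC=/ && /DST=/ && /PROTO=/ {
        for (k in f) delete f[k]
        flags = ""
        # The LOG target writes KEY=VALUE tokens plus bare TCP flag names.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[A-Z]+=/) {
                eq = index($i, "=")
                f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            } else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) {
                flags = flags substr($i, 1, 1)
            }
        }
        if (f["IN"] != wan) next
        # ICMP carries no ports; "???" marks an absent port.
        sport = ("SPT" in f) ? f["SPT"] : "???"
        dport = ("DPT" in f) ? f["DPT"] : "???"
        date = year "-" mon[$1] "-" sprintf("%02d", $2)
        print date " " $3 " " tz, user, 1, f["SRC"], sport, f["DST"], dport, f["PROTO"], flags
    }'
}

# record_count: number of records the constructed sample yields.
record_count() {
    printf '%s\n' "$SAMPLE_LOG" | to_dshield | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | to_dshield
```

In use you would feed it `/var/log/kern.log` (or wherever syslog puts kernel messages) instead of the sample and hand the output to DShield's submission mechanism. Two caveats a practitioner would want: the count column is always 1 here because a rate-limited LOG rule already undercounts, and the interface filter matters, since reporting drops from your own LAN would put your internal addresses and your users' mistakes in a public database.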

  16. #16

    Re: Linux firewall vs Windows and Hardware based firewalls

    > "Andre Volmensky" <AndreVdatcom.com.au> writes:
    > > I have to put forward an argument to management regarding setting up a
    > > firewall on some of our clients networks.
    > >
    > > What are the advantages of a linux firewall over something like Windows
    > > with WinRoute on it, or even a hardware based firewall. What are the
    > > disadvantages etc. I know I am asking on a linux users mailing list, but
    > > I would also like replies not to be too biased.
    In addition to the software-based firewall/router solutions already mentioned,
    have a look at IPCop ([url]http://www.ipcop.org[/url]) and SmoothWall
    ([url]http://www.smoothwall.org[/url]). Both are small Linux distros designed to be run on
    throwaway PCs.

    I'm currently running IPCop on an AMD K6-200 with 64MB RAM and a 1.2GB HDD. What I
    like about it over the hardware based boxes is the flexibility to add things
    like content filtering, the web proxy, traffic graphs, intrusion detection,
    logging, and the ability to effectively run a DMZ on a different NIC, and its
    ease of use and configuration.

    HTH

    --
    Steve



    slowe@frii.com

  17. #17

    Re: Linux firewall vs Windows and Hardware based firewalls

    On Thu, 2003-07-31 at 17:06, Ron Johnson wrote:
    > [snip]
    > "Hardware" routers/firewalls are *only* and *just* computers with
    > programs loaded out of flash RAM instead of a {hard|floppy|CD} disk.
    > [snip]
    As said before, hardware routers are just computers with a flash disk
    and run an OS. They have their own exploits.
    Their main advantage over a Linux box (I have seen hardware firewalls
    running Linux, BTW) is that they have been configured by someone who
    knows exactly how they are designed, and they have usually been highly
    optimised and tested under load (hopefully). They are also usually
    quite minimal in respect of utilities.
    Their main advantage shows if you don't have a dedicated webmin who knows
    how to set up a firewall properly: this way there will be less chance
    of misconfiguration, since setting up a Linux firewall can be somewhat
    daunting and error prone, and from experience setting up a Windows
    firewall is much worse despite trying to show a friendlier interface
    (which ends up with something on which you can never find the settings
    you want).
    Don't know about all those fw-on-floppy things; never worked with them, so
    don't know how hard they are to properly configure.


    Micha Feigin Guest

  18. #18

    Default Re: Linux firewall vs Windows and Hardware based firewalls



    On 31 Jul 2003, Ron Johnson wrote:

    ...
    > My neighbor is a network administrator for a *large* Windows site
    > (10,000+ PCs), and he told me that the mail and firewall servers
    > had bad stability problems until he stuffed them full of RAM.
    My interpretation would be...

    It says that Windoze has a virtual memory management problem
    if adding more real memory makes it more stable.
    - One doesn't always have the luxury of adding or maxing
    out the memory slots and capacity of the servers ...

    c ya
    alvin


    Alvin Oga Guest

  19. #19

    Default Re: Linux firewall vs Windows and Hardware based firewalls

    Andre Volmensky wrote:
    > Hello all,
    >
    > I have to put forward an argument to management regarding setting up a
    > firewall on some of our clients' networks.
    >
    > What are the advantages of a linux firewall over something like Windows
    > with WinRoute on it, or even a hardware based firewall. What are the
    > disadvantages etc. I know I am asking on a linux users mailing list, but
    > I would also like replies not to be too biased.
    >
    > Thanks
    > Andre
    >
    >
    You already have many answers, but I'll share my experience with the Linux
    firewall and the Hardware firewall.

    I haven't any experience with Windows based firewall products. But I believe
    that you must have a security perimeter that is physically separate from your
    workstations and servers. You will find this is standard fare on higher
    security configurations.

    I have tried several of the NetGear firewalls. They are all excellent
    products and have a reasonable cost to them. I think I paid between $100
    and $200 US for each of them. They all supported DHCP but they had shortcomings.

    The first was limited to only ipchains (not as secure) and had nothing to
    support DNS caching (network load savings) or VPN.

    The second supported DNS caching and VPN and was more secure through its use
    of iptables. However, it had shortcomings also:
    Known security problems with the software being used were not patched for
    months. There is only one subnet supported and if you want to host
    webservices (email, webpages) this is not a solution.

    In order to get web services, I would have to pick up hardware that had a
    dedicated port for a DMZ. I found this to run about $1,000 US.

    I use a product that I picked up for free called smoothwall (smoothwall.org)
    there is also ipcop.org.

    These take an existing computer (Pentium 200 with 64MB RAM and 1GB hard
    drive, some would argue it's hardly worth pulling from the dumpster). I put
    in a CD and it installs itself in a few minutes and provides a firewall that
    supports a LAN or a DMZ + LAN and also provides:
    VPN support
    DNS caching
    DHCP (I needed to modify it to support TFTP installs and could do this)
    Squid caching (also configurable)
    Snort (Intrusion Detection)
    DMZ port forwarding
    PPPoE, USB modems, dial-up modems.... lots of devices all at once. More than
    any firewall appliance handles.

    and a number of other features I haven't even looked into much but check out
    the websites.


    And here's the part I really like.
    I used an old "scrapper" of a PC to do it.
    And if/when it dies, I just grab another scrapper and load up the firewall
    and am back online in about 10-30 minutes depending upon the configuration I
    have.
    You can't get to the store and buy a new one, or reinstall Windows that quickly.
    You probably can purchase a used PC for less than the software you propose
    for Windows. But you might also have some old spares around.

    Now for a business, you might have an interest in VPN support. With a lot
    of hardware firewalls, they sell per-user VPN licenses, which can add up to
    a lot of $$ in a hurry. These products provide VPN based on free software
    options (IPSec).

    smoothwall.org and ipcop.org don't provide solutions that are as physically
    small or even as pretty (Netgear has a nice blue case), but it's a great
    option to consider because it's physically separated hardware, cost
    effective, configurable, easy to replace (any PC will do) and entirely
    transparent to the end user configuration.

    Hope this helps.
    --
    "If you are afraid of loneliness, don't marry."
    -- Chekhov


    Tom Allison Guest
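    The DMZ + LAN layout with port forwarding described in this post, together
    with the misconfiguration risk Micha Feigin raised earlier in the thread, as
    an added example that is not from the thread, from smoothwall or from ipcop:
    a POSIX shell script that emits an iptables-restore ruleset for a
    three-interface firewall and lints it before it is loaded. The interface
    names (eth0/eth1/eth2), the subnets and the web server address are
    assumptions; `-m conntrack` is the current spelling of the stateful match
    that 2003-era iptables wrote as `-m state`.

```shell
# Added example, not the thread's or smoothwall's own code.
# Interface names and addresses are constructed assumptions.
WAN=eth0            # assumed: Internet-facing interface
LAN=eth1            # assumed: workstations on 192.168.1.0/24
DMZ=eth2            # assumed: public servers on 192.168.2.0/24
WEB=192.168.2.10    # assumed: web server inside the DMZ

# Print the ruleset on stdout in iptables-restore format. The conntrack
# matches are what separate this from an ipchains-era packet filter:
# only replies to connections a zone was allowed to open get back in.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward inbound HTTP/HTTPS from the Internet to the DMZ web server
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB:80
-A PREROUTING -i $WAN -p tcp --dport 443 -j DNAT --to-destination $WEB:443
# Hide LAN and DMZ addresses behind the firewall's WAN address
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Manage the firewall (ssh) only from the LAN side
-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may open connections to the Internet and to the DMZ
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -j ACCEPT
# Internet may reach only the forwarded web ports on the DMZ host
-A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
# DMZ may reach the Internet but must never initiate into the LAN
-A FORWARD -i $DMZ -o $WAN -j ACCEPT
-A FORWARD -i $DMZ -o $LAN -j DROP
COMMIT
EOF
}

# Lint a ruleset read from stdin. Returns 0 only when both filter chains
# default to DROP and no rule lets the DMZ open connections into the LAN;
# either mistake quietly turns the "firewall" into a plain router.
check_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP'   || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    if printf '%s\n' "$rules" | grep -q -- "-i $DMZ -o $LAN -j ACCEPT"; then
        return 1
    fi
    return 0
}

# Usage on the firewall itself (assumed, not executed here):
#   gen_rules | check_rules && gen_rules | iptables-restore
```

    Keeping the generator and the lint step apart means the same check can be
    run over a hand-written ruleset (`check_rules < /etc/iptables.rules`) before
    anyone loads it, which is the cheap answer to the "one misconfiguration and
    it's just a router" worry raised above.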

  20. #20

    Default Re: Linux firewall vs Windows and Hardware based firewalls

    Robert Storey wrote:
    > A Linux-based firewall is probably good enough for the average home
    > hobbyist, but in a professional environment it doesn't pay to "save
    > money" by recycling an old PC with Linux installed in place of a router.
    >
    > regards,
    > Robert
    >
    That's a silly thing to say when you consider that many hardware based
    firewalls out there are ARM processors running customized Linux OSes (or some
    BSD OS) on them.

    I'm not certain what you mean by "professional environment". I tend to read
    that as an implication that these recycled old PCs with Linux are delegated
    to wanna-be's and basement hackers.

    If you consider that something like smoothwall is a free open source product
    intended for use by "recycling old PCs with Linux" and is also used as a
    hardware based firewall appliance sold by the parent company smoothwall.com,
    then your statement gets even sillier.

    Most, NOT all, companies would be able to use this method of "recycling old
    PCs with Linux installed" and they would save themselves a ton of money and
    no one would be able to tell the difference.

    Considering that these products do more than just a router, they might be
    able to tell the difference, but not in a bad way.

    --
    Do you guys know we just passed thru a BLACK HOLE in space?


    Tom Allison Guest
