Andre Volmensky #1
Linux firewall vs Windows and Hardware based firewalls
Hello all,
I have to put forward an argument to management regarding setting up a
firewall on some of our clients' networks.
What are the advantages of a linux firewall over something like Windows
with WinRoute on it, or even a hardware based firewall? What are the
disadvantages etc.? I know I am asking on a linux users mailing list, but
I would also like replies not to be too biased.
Thanks
Andre
--
To UNSUBSCRIBE, email to [email]debian-user-request@lists.debian.org[/email]
with a subject of "unsubscribe". Trouble? Contact [email]listmaster@lists.debian.org[/email]
Ron Johnson #2
Re: Linux firewall vs Windows and Hardware based firewalls
On Thu, 2003-07-31 at 01:11, Andre Volmensky wrote:
> Hello all,
>
> I have to put forward an argument to management regarding setting up a
> firewall on some of our clients networks.
>
> What are the advantages of a linux firewall over something like Windows
> with WinRoute on it, or even a hardware based firewall. What are the
> disadvantages etc. I know I am asking on a linux users mailing list, but
> I would also like reply's not to be too bias.
Vs. Windows:
- stability: you can make a Win2k box as stable as a "Unix" box
only by adding lots more RAM.
- resource usage (a *minimal*, headless "dumpster special" (i.e. free
as in beer) PC does great as a Linux/{Open|Free}BSD firewall).
32MB RAM, 1GB HDD and a Pentium 133 are more than adequate for
10Mbs (1.25MBps) Ethernet, and a T1 is much slower than that.
Vs. H/w:
- Flexibility: a h/w firewall/router lets you do *only* what is flashed
onto the FlashRAM, nothing more. A good general purpose OS (again,
Linux/{Open|Free}BSD) lets you do more, like traffic analysis/shaping,
intrusion detection, etc, etc.
- Upgradeability: every time a new kernel or version of userland apps
come out, you can get bug fixes and new features.
- Security: you have the source, so "you" can verify correctness.
- Security: if the manufacturer of the h/w firewall goes out of
business or stops supporting that model, you must buy a new model,
or face the possibility of unpatched bugs.
--
+-----------------------------------------------------------------+
| Ron Johnson, Jr. Home: [email]ron.l.johnson@cox.net[/email] |
| Jefferson, LA USA |
| |
| "I'm not a vegetarian because I love animals, I'm a vegetarian |
| because I hate vegetables!" |
| unknown |
+-----------------------------------------------------------------+
Steve Lamb #3
Re: Linux firewall vs Windows and Hardware based firewalls
On Thu, 31 Jul 2003 16:11:14 +1000
"Andre Volmensky" <AndreV@datcom.com.au> wrote:
> What are the advantages of a linux firewall over something like Windows
> with WinRoute on it, or even a hardware based firewall. What are the
> disadvantages etc. I know I am asking on a linux users mailing list, but
> I would also like reply's not to be too bias.
To me the advantage over Windows is plain. With Linux you can pare it
down to the bare minimums and run *just* a router. No need to fire up a huge
GUI to do the work. Furthermore there's no need to load a slew of support
modules into the kernel that will most likely never be needed. Pare down
those gettys and rip out other components which aren't needed. What you're
left with is a router that can run in an amazingly small footprint both on
disc and in memory. While I would not advocate it, when was the last time you
saw a Windows router on a floppy? :)
Against hardware based routers it is a little different. There you're
going against specialized hardware. However, for me, I don't like the notion
of having to telnet anywhere. Last time I checked, admittedly not recently,
no hardware router supported sshd. Also you can scale up from a bare-bones
router to make some things easier for neophytes.
As an example of both these points let me describe my parents' router.
They wanted DSL but wanted to have both their personal machines behind it. I
told 'em no problem, just grab an old PC (they have tons, my dad's a PC
packrat) and an old HD, toss in a pair of NICs and I'll take care of the rest.
I showed up with the Woody bootable CD and in about 20-30 minutes had a router
set up for them based on Stable. Beyond base I think the only things I
installed were shorewall and sshd. Shorewall is a great firewall package
that's easy to set up, get going and lock down. I've since added webmin with
the shorewall package. This gives a basic web interface to configure the
firewall. So now when things are going wonky I don't have to try to talk my
dad through editing a config file. "Click here, add this, move the rule up
here, you're done." I started out basic and added a piece here and a piece
there to fit the needs of my parents.
--
Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
PGP Key: 8B6E99C5 | main connection to the switchboard of souls.
| -- Lenny Nero - Strange Days
-------------------------------+---------------------------------------------
Paul Johnson #4
Re: Linux firewall vs Windows and Hardware based firewalls
On Thu, Jul 31, 2003 at 04:11:14PM +1000, Andre Volmensky wrote:
> What are the advantages of a linux firewall over something like Windows
> with WinRoute on it, or even a hardware based firewall.
If by "hardware based firewall" you mean "a real (read: Cisco Systems)
router," that is probably your best option (you said "clients", so I
assumed enterprise). Linux will give you better access control
potential, the Cisco router.
A windows box as a firewall? I just spent the last five minutes
cleaning up my desk after I sprayed coffee out my nose... seriously,
you might as well pull your pants down and bend over for the crackers
at that point, and forget flexibility or reliability. (Yes, I have
had the misfortune of maintaining Windows ICS and a Winroute box that
some moron put into production and manglement wouldn't let me replace
at first. I really have to wonder how much crack one has to smoke to
make this sound like a good idea...)
- --
.''`. Paul Johnson <baloo@ursine.ca>
: :' : proud Debian admin and user
`. `'`
`- Debian - when you have better things to do than fix a system
Paul Johnson #5
Re: Linux firewall vs Windows and Hardware based firewalls
On Thu, Jul 31, 2003 at 01:57:00AM -0500, Ron Johnson wrote:
> Vs. Windows:
> - stability: you can make a Win2k box as stable as a "Unix" box
> only by adding lots more RAM.
And even then, no guarantees that the box will be reliable for very
long if it has any users at the console or any activity from the
network.
Kjetil Kjernsmo #6
Re: Linux firewall vs Windows and Hardware based firewalls
On Thursday 31 July 2003 08:11, Andre Volmensky wrote:
> What are the advantages of a linux firewall over something like
> Windows with WinRoute on it, or even a hardware based firewall. What
> are the disadvantages etc. I know I am asking on a linux users
> mailing list, but I would also like reply's not to be too bias.
I have no experience with either Windows routers or hardware routers,
but I have a great router running Linux from a floppy.
It's an old box I was given, and it has a 133 MHz Pentium CPU. That's
certainly overkill for my purpose, but that is what I got.... It would
probably be appropriate for your purpose. I ripped the hard drive out;
it boots from a floppy.
The floppy is from the Coyote Linux project: [url]http://www.coyotelinux.com/[/url]
but you could try floppyfw too [url]http://www.zelow.no/floppyfw/[/url]
I couldn't get it to work with my DSL provider, which is strange since
I'm using the same provider as the author.
Anyway, I figured it will be so extremely seldom that I have to change
anything in there that I disabled any access method beyond going to the box
and popping the floppy out. No telnetd, no sshd. I figured, if there is
some vulnerability in the firewall code, it is not even going to be a
daemon listening on the inside, ready to give the attacker a shell.
Also, the RAMdisk isn't big, and when there is no hard drive, even if the
attacker gets into the firewall box, it's a complete wasteland when it
comes to tools.
Now, do _that_ on Windows! :-)
Cheers,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[email]kjetil@kjernsmo.net[/email] [email]webmaster@skepsis.no[/email] [email]editor@learn-orienteering.org[/email]
Homepage: [url]http://www.kjetil.kjernsmo.net/[/url] OpenPGP KeyID: 6A6A0BBC
Alvin Oga #7
Re: Linux firewall vs Windows and Hardware based firewalls
On Thu, 31 Jul 2003, Kjetil Kjernsmo wrote:
> The floppy is from the Coyote Linux project: [url]http://www.coyotelinux.com/[/url]
> but you could try floppyfw too [url]http://www.zelow.no/floppyfw/[/url]
> I couldn't get it to work with my DSL provider, which is strange since
> I'm using the same provider as the author.
rest of the distro for fw ( fd, cd, /dev/ram, etc )
[url]http://www.Linux-Sec.net/Firewalls[/url]
c ya
alvin
Rex Chan #8
Re: Linux firewall vs Windows and Hardware based firewalls
On Thu, Jul 31, 2003 at 08:50:21PM +0800, Robert Storey wrote:
> Everything I've ever read indicates that a hardware-based firewall is
> more secure and reliable than an PC operating system, be it Linux or
> Windows. A PC OS has to be complex because it has so many functions to
> perform, but that adds potential security holes and one can never close
> them all. Furthermore, Intel-based PCs have some well-known exploits
> (such as buffer overflows) which are a function of the hardware and
> there is no real cure because changing the CPU instructions would break
> backward compatibility. By contrast, a router operating system is very
> simple and designed to do only one thing, and the hardware (which has no
> moving parts) is more reliable and uses far less electricity than a PC.
>
> A Linux-based firewall is probably good enough for the average home
> hobbyist, but in a professional environment it doesn't pay to "save
> money" by recycling an old PC with Linux installed in place of a router.
>
> regards,
> Robert
Hmm... I'm not an expert and this is my understanding of software and
hardware firewalls.
A hardware firewall would probably be more reliable - the security part
is debatable. A firewall is a firewall - its security comes from its
configuration. A cut-down firewall/router machine with minimal services
can be just as secure as a hardware firewall.
The advantage of a hardware firewall - most likely speed -
specialised hardware to deal with packet processing and the like.
This won't be an issue if you're a home user with a few machines but
for corporate use, with lots of machines and traffic, you want things
to be speedy and more efficient.
Ron Johnson #9
Re: Linux firewall vs Windows and Hardware based firewalls
On Thu, 2003-07-31 at 07:50, Robert Storey wrote:
> On Thu, 31 Jul 2003 16:11:14 +1000
> "Andre Volmensky" <AndreV@datcom.com.au> wrote:
> > Hello all,
> >
> > I have to put forward an argument to management regarding setting up a
> > firewall on some of our clients networks.
> >
> > What are the advantages of a linux firewall over something like
> > Windows with WinRoute on it, or even a hardware based firewall. What
> > are the disadvantages etc. I know I am asking on a linux users mailing
> > list, but I would also like reply's not to be too bias.
> Everything I've ever read indicates that a hardware-based firewall is
> more secure and reliable than an PC operating system, be it Linux or
> Windows. A PC OS has to be complex because it has so many functions to
> perform, but that adds potential security holes and one can never close
> them all.
*Totally* disagree.
"Hardware" routers/firewalls are *only* and *just* computers with
programs loaded out of flash RAM instead of a {hard|floppy|CD} disk.
And they do have OSs. Here, for example, is what my cable modem runs:
Software Version: SB3100-3.2.12-SCM06-NOSHELL
Hardware Version: 2
MIB Version: II
GUI Version: 1.0
VxWorks Version: 5.3
Linux and BSD can be made *very* small. Ever heard of floppy
firewalls?
> Furthermore, Intel-based PCs have some well-known exploits
> (such as buffer overflows) which are a function of the hardware and
> there is no real cure because changing the CPU instructions would break
> backward compatibility.
Bzzz. Where did you hear that?
Buffer-overflows are mainly a symptom of the "C" disease, and
happen on ia32, Alpha, Sparc, etc. Any arch that has a C compiler.
Now, an insecure-by-design OS (DOS, Win3.1, Win95, Win98) that
doesn't use the memory protection that the CPU provides is crud,
but real OSs (OS/2, Linux, QNX, etc, etc, ad nauseam) don't
suffer that problem.
> By contrast, a router operating system is very
> simple and designed to do only one thing, and the hardware (which has no
> moving parts) is more reliable and uses far less electricity than a PC.
You've never seen all the exploits in Cisco's OS, have you?
> A Linux-based firewall is probably good enough for the average home
> hobbyist, but in a professional environment it doesn't pay to "save
> money" by recycling an old PC with Linux installed in place of a router.
Again, disagree.
H/W routers definitely have their place, but any business could
be well served by replacing all firewalls and small/mid-sized
routers with boxen powered by pared-down {Linux|FreeBSD}.
Ron Johnson #10
Re: Linux firewall vs Windows and Hardware based firewalls
On Thu, 2003-07-31 at 08:30, Rex Chan wrote:
> On Thu, Jul 31, 2003 at 08:50:21PM +0800, Robert Storey wrote:
[snip]
> The advantage of hardware firewall - most likely speed -
> specialised hardware to deal with packet processing and the like.
So if a P2-233 w/ 32MB RAM doesn't handle it, try something faster.
If a GHz CPU w/ 256MB RAM (dirt cheap!!) can't handle a T3 (45Mbps,
5.6MBps), something is wrong.
DePriest, Jason R. #11
RE: Linux firewall vs Windows and Hardware based firewalls
My ideal solution is to use a Firewall/VPN Appliance (Cisco and Symantec
both have good offerings) for perimeter protection.
But, use a desktop
firewall/IDS/IPS/whatever-they-decide-to-call-them-next system for your
end-users, as well.
Windows XP has this built-in (I think they are licensing ZoneLabs
technology). Linux has it freely available.
Otherwise, you can use ZoneAlarm, Kerio Personal Firewall, or whatever
for additional protection.
Trying to run an Enterprise Firewall off of a software-based
distribution just doesn't seem very smart.
But if I had to consider a software-based firewall, I would definitely
go with Linux.
Why? Because you can strip out every single piece of code that you
don't need. You can even download bootable CDs that can run with no
h.d.d that have already done a reasonable job of this.
Windows-based firewalls might be "pretty" and might be effective. But
you still have Windows sitting underneath it.
Mark Ferlatte #12
Re: Linux firewall vs Windows and Hardware based firewalls
Andre Volmensky said on Thu, Jul 31, 2003 at 04:11:14PM +1000:
> What are the advantages of a linux firewall over something like Windows
> with WinRoute on it, or even a hardware based firewall. What are the
> disadvantages etc. I know I am asking on a linux users mailing list, but
> I would also like reply's not to be too bias.
I would say that the largest advantage of the hardware firewalls is stability:
you don't have to worry about disk failure. Now, you can build a Linux
firewall that loads off of a flash, but why bother when companies have done it
for you (ImageStream's Rebel routers are an example of this, which I've
personally used and am reasonably happy with).
The largest disadvantage is lack of flexibility: if you want to do something
that your hardware doesn't support, you're hosed. But, for firewalls, you
generally don't want to do too much, so this isn't as much of a problem.
For any small (read: DS3 or less), a PC based firewall will perform just as
well as a hardware firewall. On the other hand, do you _want_ to be paged at
4am because your PC based firewall ate a disk?
And for those who still think that hardware == telnet only, that's just not
true anymore. All of the newer kit worth owning supports ssh (some even
support ssh v2) out of the box.
M
Jesse Meyer #13
Re: Linux firewall vs Windows and Hardware based firewalls
On Thu, 31 Jul 2003, Ron Johnson wrote:
> > Furthermore, Intel-based PCs have some well-known exploits
> > (such as buffer overflows) which are a function of the hardware and
> > there is no real cure because changing the CPU instructions would break
> > backward compatibility.
> Bzzz. Where did you hear that?
>
> Buffer-overflows are mainly a symptom of the "C" disease, and
> happen on ia32, Alpha, Sparc, etc. Any arch that has a C compiler.
>
> Now, an insecure-by-design OS (DOS, Win3.1, Win95, Win98) that
> doesn't use the memory protection that the CPU provides are crud,
> but real OSs (OS/2, Linux, QNX, etc, etc, ad nauseum) don't
> suffer that problem.
I believe that some computer architectures can divide memory into
'executable' and 'non-executable', thus limiting the damage a
buffer overflow can cause. I've never heard of this in a hardware
firewall though.
Speaking of which, hardware firewalls and routers do have security
problems, as a quick google search can show.
My personal feelings on the matter are that a hardware firewall tends to
be more compact, more efficient, and faster for some purposes. The
expensive routers can do complex packet filtering in custom hardware
which would be too slow to do in software.
The cheap "firewalls" and "routers" that are used for broadband
connections tend to be set up very insecurely - allowing almost anything
out. Plus, with UPnP support, a UPnP operating system (such as Windows
XP) is allowed to open and forward ports on the firewall without any
user notification or intervention.
Because of such concerns, for small networks, I would recommend a
low-end x86 machine with a stripped down install of linux - basically,
iptables and ssh. For complicated routing, you'll need to bite the
bullet and buy a high-end router, which can easily end up costing tens
of thousands of dollars. (But if you are asking what you need in this
mailing list, odds are you don't need a complicated router.)
The main security risk with a firewall is not the hardware or software,
but the administrator - firewalls take time and knowledge to set up
and maintain. Also, security is more than just a firewall.
~ Jesse Meyer
--
icq: 34583382 / msn: [email]dasunt@hotmail.com[/email] / yim: tsunad
"We are what we pretend to be, so we must be careful about what we
pretend to be." - Kurt Vonnegut Jr : Mother Night
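One concrete shape of the stripped-down "iptables and ssh" box Jesse describes, with the egress control he notes the cheap broadband routers lack, as an added example that is not from the thread. The interface names, LAN range and egress port list are assumptions; the WAN side is assumed to have a static address, and IP forwarding still has to be switched on in the kernel separately.

```shell
#!/bin/sh
# Two-NIC "iptables and ssh" firewall ruleset. Constructed example, not from the
# thread. Interface names, LAN range and the egress port list are assumptions;
# the WAN side is assumed static (no DHCP client rule), and
# /proc/sys/net/ipv4/ip_forward must be set to 1 separately.
WAN=${WAN:-eth0}                      # NIC facing the modem
LAN=${LAN:-eth1}                      # NIC facing the internal network
LAN_NET=${LAN_NET:-192.168.1.0/24}    # internal address range
IPT=${IPT:-iptables}                  # set IPT=echo to dry-run the rules

# Outbound services the LAN may reach; anything else is logged and dropped,
# which is the egress control the cheap broadband boxes tend to lack.
EGRESS_TCP="53 80 443 25"
EGRESS_UDP="53 123"

# Print the ruleset, one iptables argument list per line.
fw_rules() {
    echo "-F"
    echo "-t nat -F"
    # Default deny in every direction, including the firewall's own traffic.
    echo "-P INPUT DROP"
    echo "-P FORWARD DROP"
    echo "-P OUTPUT DROP"
    # Loopback and replies to connections we already track.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Anti-spoofing: a packet with an internal source never arrives on the WAN NIC.
    echo "-A INPUT -i $WAN -s $LAN_NET -j DROP"
    echo "-A FORWARD -i $WAN -s $LAN_NET -j DROP"
    # Management: ssh to the firewall only from the LAN side; nothing listens to the WAN.
    echo "-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # Egress allow-list for the LAN, then log (rate-limited) and fall through to DROP.
    for port in $EGRESS_TCP; do
        echo "-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    for port in $EGRESS_UDP; do
        echo "-A FORWARD -i $LAN -o $WAN -s $LAN_NET -p udp --dport $port -j ACCEPT"
    done
    echo "-A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP \""
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP \""
    # The firewall itself: free to talk to the LAN; DNS and package updates to the WAN.
    echo "-A OUTPUT -o $LAN -j ACCEPT"
    echo "-A OUTPUT -o $WAN -p udp --dport 53 -j ACCEPT"
    echo "-A OUTPUT -o $WAN -p tcp --dport 80 -j ACCEPT"
    echo "-A OUTPUT -o $WAN -p tcp --dport 443 -j ACCEPT"
    # Hide the LAN behind the WAN address.
    echo "-t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE"
}

# Feed every rule to $IPT; stop at the first failure so a half-applied
# ruleset is noticed instead of silently leaving a hole.
fw_apply() {
    fw_rules | while read -r rule; do
        eval "$IPT $rule" || { echo "failed: $IPT $rule" >&2; exit 1; }
    done
}

# Usage: sh fw.sh show   (print the rules)    sh fw.sh apply   (as root)
case "${1:-show}" in
    apply) fw_apply ;;
    *)     fw_rules ;;
esac
```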
Juri Haberland #14
Re: Linux firewall vs Windows and Hardware based firewalls
Ron Johnson wrote:
> On Thu, 2003-07-31 at 07:50, Robert Storey wrote:
>> On Thu, 31 Jul 2003 16:11:14 +1000
>> Furthermore, Intel-based PCs have some well-known exploits
>> (such as buffer overflows) which are a function of the hardware and
>> there is no real cure because changing the CPU instructions would break
>> backward compatibility.
> Bzzz. Where did you hear that?
>
> Buffer-overflows are mainly a symptom of the "C" disease, and
> happen on ia32, Alpha, Sparc, etc. Any arch that has a C compiler.
Well, ever opened a Cisco PIX firewall? Guess what, it's running on an
Intel P233-MMX...
The remaining parts look like ordinary PC hardware, too.
So much for the hardware aspect...
Cheers,
Juri
Gary Hennigan #15
Re: Linux firewall vs Windows and Hardware based firewalls
"Andre Volmensky" <AndreV@datcom.com.au> writes:
> I have to put forward an argument to management regarding setting up a
> firewall on some of our clients networks.
>
> What are the advantages of a linux firewall over something like Windows
> with WinRoute on it, or even a hardware based firewall. What are the
> disadvantages etc. I know I am asking on a linux users mailing list, but
> I would also like reply's not to be too bias.
Just to add to what others have said, I run a software firewall
(OpenBSD 3.2 soon to be 3.3) and one of the things I like about it is
being able to log intrusion attempts and contribute those to
DShield.org ([url]http://www.dshield.org[/url]). Gives me a sense that I'm
contributing to the overall security of the "net". Probably a false one,
since a lot of the fightback reports just get ignored by ISPs, but
nonetheless...
Now I believe some hardware firewalls allow you to capture logs via
something like a remote syslog capability, but then you'd have to have
a server to process them anyway. With my OS/software-based firewall I
can have it do everything necessary to send the logs off to DShield.
Gary
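What those logged attempts look like once tallied, as an added example (not Gary's setup and not DShield's own client): it reads netfilter LOG lines from syslog, which this example assumes carry an "FW-DROP " prefix, and counts them per source, protocol and destination port, the raw material a reporting script would then format and send. The sample log lines are constructed.

```shell
#!/bin/sh
# Summarise netfilter LOG lines from the firewall's syslog into per-source
# counts. Constructed example, not from the thread; the "FW-DROP " log prefix
# and the sample lines below are assumptions.
# Reads syslog lines on stdin, prints "count source proto dport", busiest first.
summarize_drops() {
    awk '
        /FW-DROP/ {
            src = ""; proto = "?"; dpt = "-"
            # Pull SRC=, PROTO= and DPT= out of the key=value fields; ICMP has no DPT.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample: two SYNs to ssh from one host, one ping from another,
# and an unrelated kernel line that must be ignored.
SAMPLE_LOG='Jul 31 04:12:01 fw kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 31 04:12:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 31 04:13:10 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jul 31 04:13:11 fw kernel: eth0: link is up'

# Run on the sample (on a real box: summarize_drops < /var/log/kern.log).
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```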
slowe@frii.com #16
Re: Linux firewall vs Windows and Hardware based firewalls
> "Andre Volmensky" <AndreV@datcom.com.au> writes:
> > I have to put forward an argument to management regarding setting up a
> > firewall on some of our clients networks.
> >
> > What are the advantages of a linux firewall over something like Windows
> > with WinRoute on it, or even a hardware based firewall. What are the
> > disadvantages etc. I know I am asking on a linux users mailing list, but
> > I would also like reply's not to be too bias.
In addition to the software-based firewall/router solutions already mentioned,
have a look at IPCop ([url]http://www.ipcop.org[/url]) and SmoothWall
([url]http://www.smoothwall.org[/url]). Both are small Linux distros designed to be run on
throwaway PCs.
I'm currently running IPCop on an AMD K6-200 with 64MB RAM and a 1.2GB HDD. What I
like about it over the hardware based boxes is the flexibility to add things
like content filtering, the web proxy, traffic graphs, intrusion detection,
logging, and the ability to effectively run a DMZ on a different NIC, and its
ease of use and configuration.
HTH
--
Steve
Micha Feigin #17
Re: Linux firewall vs Windows and Hardware based firewalls
On Thu, 2003-07-31 at 17:06, Ron Johnson wrote:
> [snip: Ron Johnson's reply to Robert Storey, quoted in full above]
As said before, hardware routers are just computers with a flash disk
and run an OS. They have their own exploits.
Their main advantage over a linux box (have seen hardware firewalls
running linux BTW) is that they have been configured by someone who
knows exactly how they are designed, and they have usually been highly
optimised and tested under loads (hopefully). They are also usually
quite minimal in respect of utilities.
Their main advantage is if you don't have a dedicated webmin who knows
how to set up a firewall properly; this way there will be less chance
of misconfiguration, since setting up a linux firewall can be somewhat
daunting and error prone, and from experience setting up a windows
firewall is much worse despite trying to show a friendlier interface
(which ends up with something on which you can never find the settings
you want).
Don't know about all those fw-on-floppy things; never worked with them, so don't
know how hard they are to properly configure.
Alvin Oga #18
Re: Linux firewall vs Windows and Hardware based firewalls
On 31 Jul 2003, Ron Johnson wrote:
...
> My neighbor is a network administrator for a *large* Windows site
> (10,000+ PCs), and he told me that the mail and firewall servers
> had bad stability problems until he stuffed them full of RAM.
my interpretation would be...
it says that windoze has a virtual memory management problem
if adding more real memory makes it more stable
- one doesnt always have the luxury of adding or max'ing
out the memory slots and capacity of the servers ...
c ya
alvin
Alvin Oga Guest
-
Tom Allison #19
Re: Linux firewall vs Windows and Hardware based firewalls
Andre Volmensky wrote:
> Hello all,
>
> I have to put forward an argument to management regarding setting up a
> firewall on some of our clients networks.
>
> What are the advantages of a linux firewall over something like Windows
> with WinRoute on it, or even a hardware based firewall. What are the
> disadvantages etc. I know I am asking on a linux users mailing list, but
> I would also like reply's not to be too bias.
>
> Thanks
> Andre
>
>
You already have many answers, but I'll share my experience with the Linux
firewall and the Hardware firewall.
I haven't any experience with Windows based firewall products. But I believe
that you must have a security perimeter that is physically separate from your
workstations and servers. You will find this is standard fare on higher
security configurations.
I have tried several of the NetGear firewalls. They are all excellent
products and have a reasonable cost to them. I think I paid between $100
and $200 US for each of them. They all supported DHCP but they had shortcomings.
The first was limited to only ipchains (not as secure) and had nothing to
support DNS caching (network load savings) or VPN.
The second supported DNS caching and VPN and was more secure through its use
of iptables. However it had shortcomings also:
Known security problems with the software being used were not patched for
months. There is only one subnet supported and if you want to host
webservices (email, webpages) this is not a solution.
In order to get web services, I would have to pick up hardware that had a
dedicated port for a DMZ. I found this to run about $1,000 US.
I use a product that I picked up for free called smoothwall (smoothwall.org)
there is also ipcop.org.
These take an existing computer (Pentium 200 with 64MB RAM and 1GB hard
drive, some would argue it's hardly worth pulling from the dumpster). I put
in a CD and it installs itself in a few minutes and provides a firewall that
supports a LAN or a DMZ + LAN and also provides:
VPN support
DNS caching
DHCP (I needed to modify it to support TFTP installs and could do this)
Squid caching (also configurable)
Snort (Intrusion Detection)
DMZ port forwarding
PPPoE, USB modems, dial-up modems.... lots of devices all at once. More than
any firewall appliance handles.
and a number of other features I haven't even looked into much but check out
the websites.
And here's the part I really like.
I used an old "scrapper" of a PC to do it.
And if/when it dies, I just grab another scrapper and load up the firewall
and am back online in about 10-30 minutes depending upon the configuration I
have.
You can't get to the store and buy a new one, or reinstall Windows that quickly.
You probably can purchase a used PC for less than the software you propose
for Windows. But you might also have some old spares around.
Now for a business, you might have an interest in VPN support. Under a lot
of hardware firewalls, they sell per user VPN licenses which can add up to
a lot of $$ in a hurry. These products provide VPN based on free software
options (IPSec).
smoothwall.org and ipcop.org don't provide solutions that are as physically
small or even as pretty (Netgear has a nice blue case), but it's a great
option to consider because it's physically separated hardware, cost
effective, configurable, easy to replace (any PC will do) and entirely
transparent to the end user configuration.
Hope this helps.
--
"If you are afraid of loneliness, don't marry."
-- Chekhov
Tom Allison Guest
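As an added illustration of the LAN + DMZ layout Tom describes (DMZ port forwarding, DMZ kept away from the LAN) and of the default-deny habit that limits the misconfiguration risk Micha raised, here is a generator for a minimal iptables-restore ruleset. This is example code written for this thread, not part of smoothwall, ipcop or any poster's setup; the interface names, subnets and the DMZ web host address used in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore file for a
# three-legged firewall: WAN, LAN and DMZ. Arguments (all assumed values):
#   gen_ruleset WAN_IF LAN_IF DMZ_IF LAN_NET DMZ_NET DMZ_WEB_HOST
gen_ruleset() {
    wan="$1"; lan="$2"; dmz="$3"; lan_net="$4"; dmz_net="$5"; web="$6"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# publish only the DMZ web server; nothing else is reachable from outside
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
# default deny on INPUT and FORWARD: a forgotten rule fails closed
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: inside addresses must never arrive on the WAN interface
-A INPUT -i $wan -s $lan_net -j DROP
-A FORWARD -i $wan -s $lan_net -j DROP
-A FORWARD -i $wan -s $dmz_net -j DROP
# firewall administration (ssh) and the DNS cache only from the LAN side
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN may reach the Internet and the DMZ; the DMZ may never initiate to the LAN
-A FORWARD -i $lan -j ACCEPT
-A FORWARD -i $dmz -o $lan -j DROP
-A FORWARD -i $dmz -o $wan -j ACCEPT
# the forwarded web traffic, and only that, may enter the DMZ from the WAN
-A FORWARD -i $wan -o $dmz -d $web -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Usage (assumed interfaces and addresses), run as root on the firewall box:
#   gen_ruleset eth0 eth1 eth2 192.168.1.0/24 192.168.2.0/24 192.168.2.10 \
#       | iptables-restore
```

Review the emitted file before loading it; because both INPUT and FORWARD default to DROP, a missing ACCEPT shows up as blocked traffic rather than as an exposed service.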
-
Tom Allison #20
Re: Linux firewall vs Windows and Hardware based firewalls
Robert Storey wrote:
> A Linux-based firewall is probably good enough for the average home
> hobbyist, but in a professional environment it doesn't pay to "save
> money" by recycling an old PC with Linux installed in place of a router.
>
> regards,
> Robert
>
That's a silly thing to say when you consider that many hardware based
firewalls out there are ARM processors running customized Linux OSes (or some
BSD OS) on them.
I'm not certain what you mean by "professional environment". I tend to read
that as an implication that these recycled old PCs with Linux are delegated
to wanna-be's and basement hackers.
If you consider that something like smoothwall is a free open source product
intended for use by "recycling old PCs with Linux" and is also used as a
hardware based firewall appliance sold by the parent company smoothwall.com
then your statement gets even sillier.
Most, NOT all, companies would be able to use this method of "recycling old
PCs with Linux installed" and they would save themselves a ton of money and
no one would be able to tell the difference.
Considering that these products do more than just a router, they might be
able to tell the difference, but not in a bad way.
--
Do you guys know we just passed thru a BLACK HOLE in space?
Tom Allison Guest