
Re: How insecure are cable connections, versus dialup?



Jamin W. Collins <jcollins@asgardsrealm.net> [2002-12-08 12:21:40 -0600]:
> On Sat, Dec 07, 2002 at 04:43:44PM -0700, Bob Proulx wrote:
> 
> > Although the linux kernel iptables firewalls are excellent I still
> > recommend a separate firewall box between your computer and the Evil
> > Internet.  
> (snip)
> > In my opinion the cable modem should always have had one of these
> > built into it.
> 
> Ick.  Multi-function devices are in general a bad idea.  Frequently they
> end up restricting the end user to a small subset of possible
> configurations and uses.  In most cases you're better off with a
> dedicated device serving a specific purpose.

I actually think we are mostly in agreement.  But let me debate you in
the absurd.

Would you suggest that your keyboard interface to your computer be
separate?  And your mouse?  Serial port?  Parallel port?  Of course
not.  We expect that computers today will have them integrated into
the same controller chip.  However, I clearly remember the days when
this was not so and the motherboard was a large array of separate
components.  And there were many flavors of serial and parallel port
capabilities.  However, some components become so common and so well
accepted that they are just commodities to be bought from the lowest
bidder.  This is the way of all of the computer peripheral interfaces
and today all of the common ones are integrated onto one single VLSI
chip.

I propose that while firewalls today may still be somewhat spotty in
terms of capabilities that they will very soon be universally the same
in terms of capability.  Certainly if they are then there is no reason
not to treat them like a commodity as well.  If a modem is $80 and a
firewall is $80 then that is $160 for the set.  If you need to upgrade
the firewall then you spend another $75 for the newer (and in the
future cheaper) replacement.  I propose a combined box for $80 if they
had been that way all along.  If you need to upgrade the firewall you
buy an upgraded combined box for $75 in the future that replaces both
and don't shed a tear that the modem which was working fine and could
have been saved from that bundle but is tossed as part of the combined
unit.

If they are integrated then there is no need for yet another power
supply brick plugged into the wall and wires from there to the box.
No need for yet another set of network wires connecting those two
boxes.  Contrast the fact that the manufacturing cost of two sets of
boxes is double that of one.  Contrast one single modem / switch with
integrated firewall capability to a set of separates.  Especially if
the separates are from the same manufacturer then certainly the
capability exists to put both in a single box.

Now enter the newbies and the grandmas who are now assembling computer
systems.  They will not know the ins and outs of a whole assortment of
separates.  Should they need to?  Especially in those cases it is
better to provide the standalone complete system in a box.  Especially
because that comes with a good support system to help them when they
need help.

Really this is similar to the evolution of stereo equipment.  While
the high end audiophile may prefer custom crafted modular systems most
people who just want to listen to the radio prefer a standalone
'boombox'.

> > A firewall box like a Linksys, D-Link or Netgear or other is just
> > perfect for SOHO needs.
> 
> You'll want to be careful with these devices and make certain they
> support your intended use.  As these are hardware solutions, you are at
> the whim of the manufacturer as to what it can and can not do.  Some of
> these devices didn't support GRE packets (necessary for PPTP based VPN
> connections) or IPSEC connections.  Many of these shortcomings have
> been addressed by the manufacturers, but these problems can (and in some
> cases still do) exist.

Agreed.  Speak with your wallet.  Buy only something that works for
you.  Buy it, test it, verify the marketing claims.  If you buy
something and find that it does not work for you then return it and
buy one that does.

Bob

P.S. I run my own linux firewall router.  As a tinkerer I find it
delightful.  Technically it is a superior solution.  But don't let me
suggest to my mom that she should build and install one.  They are not
consumer electronic components.
