
Re: Linux firewall vs Windows and Hardware based firewalls



On Thu, 2003-07-31 at 07:50, Robert Storey wrote:
> On Thu, 31 Jul 2003 16:11:14 +1000
> "Andre Volmensky" <AndreV@datcom.com.au> wrote:
> 
> > Hello all,
> > 
> > I have to put forward an argument to management regarding setting up a
> > firewall on some of our clients networks.
> > 
> > What are the advantages of a linux firewall over something like
> > Windows with WinRoute on it, or even a hardware based firewall. What
> > are the disadvantages etc. I know I am asking on a linux users mailing
> > list, but I would also like replies not to be too biased. 
> 
> Everything I've ever read indicates that a hardware-based firewall is
> more secure and reliable than a PC operating system, be it Linux or
> Windows. A PC OS has to be complex because it has so many functions to
> perform, but that adds potential security holes and one can never close
> them all.

*Totally* disagree.

"Hardware" routers/firewalls are *only* and *just* computers with
programs loaded out of flash RAM instead of a {hard|floppy|CD} disk.

And they do have OSs.  Here, for example, is what my cable modem runs:
   Software Version: SB3100-3.2.12-SCM06-NOSHELL
   Hardware Version: 2
   MIB Version: II
   GUI Version: 1.0
   VxWorks Version: 5.3

Linux and BSD can be made *very* small.  Ever heard of floppy
firewalls?

>          Furthermore, Intel-based PCs have some well-known exploits
> (such as buffer overflows) which are a function of the hardware and
> there is no real cure because changing the CPU instructions would break
> backward compatibility.

Bzzz.  Where did you hear that?

Buffer-overflows are mainly a symptom of the "C" disease, and 
happen on ia32, Alpha, Sparc, etc.  Any arch that has a C compiler.

Now, an insecure-by-design OS (DOS, Win3.1, Win95, Win98) that
doesn't use the memory protection that the CPU provides is crud,
but real OSs (OS/2, Linux, QNX, etc, etc, ad nauseam) don't
suffer that problem.

>                          By contrast, a router operating system is very
> simple and designed to do only one thing, and the hardware (which has no
> moving parts) is more reliable and uses far less electricity than a PC.

You've never seen all the exploits in Cisco's OS, have you?

> A Linux-based firewall is probably good enough for the average home
> hobbyist, but in a professional environment it doesn't pay to "save
> money" by recycling an old PC with Linux installed in place of a router.

Again, disagree.

H/W routers definitely have their place, but any business could
be well served by replacing all firewalls and small/mid-sized
routers with boxen powered by pared-down {Linux|FreeBSD}.

-- 
+-----------------------------------------------------------------+
| Ron Johnson, Jr.        Home: ron.l.johnson@cox.net             |
| Jefferson, LA  USA                                              |
|                                                                 |
| "I'm not a vegetarian because I love animals, I'm a vegetarian  |
|  because I hate vegetables!"                                    |
|    unknown                                                      |
+-----------------------------------------------------------------+
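As an added illustration of the point made above about buffer overflows being a property of the C code rather than of the ia32 CPU (this is example code, not anything posted in the thread): the unsafe pattern below overflows on any architecture with a C compiler, and the bounded version shows the check that removes it. NAME_LEN, the function names and the sample strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Unsafe pattern: strcpy copies until the NUL byte regardless of the
 * destination size. Nothing here depends on the CPU; the overflow is a
 * property of the library call, so it reproduces on ia32, Alpha, SPARC
 * or any other architecture with a C compiler. Shown for contrast only;
 * it is never called below. */
void store_name_unsafe(char *dest, const char *src)
{
    strcpy(dest, src);   /* writes past dest when strlen(src) >= NAME_LEN */
}

/* Bounded version: refuse input that does not fit rather than truncating
 * silently, and always NUL-terminate. Returns 0 on success, -1 if the
 * input would have overflowed the destination. */
int store_name_bounded(char *dest, size_t dest_len, const char *src)
{
    size_t n = 0;
    /* Scan at most dest_len bytes looking for the terminator. */
    while (n < dest_len && src[n] != '\0')
        n++;
    if (n == dest_len)
        return -1;       /* no room for the string plus its NUL: reject */
    memcpy(dest, src, n);
    dest[n] = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    /* Constructed inputs: one that fits, one that would overflow. */
    const char *ok = "ron";
    const char *too_long = "this-string-is-much-longer-than-sixteen-bytes";
    printf("short: %d\n", store_name_bounded(name, sizeof name, ok));
    printf("long:  %d\n", store_name_bounded(name, sizeof name, too_long));
    return 0;
}
```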