Re: Linux firewall vs Windows and Hardware based firewalls
On Thu, 2003-07-31 at 07:50, Robert Storey wrote:
> On Thu, 31 Jul 2003 16:11:14 +1000
> "Andre Volmensky" <AndreV@datcom.com.au> wrote:
>
> > Hello all,
> >
> > I have to put forward an argument to management regarding setting up a
> > firewall on some of our clients networks.
> >
> > What are the advantages of a linux firewall over something like
> > Windows with WinRoute on it, or even a hardware based firewall. What
> > are the disadvantages etc. I know I am asking on a linux users mailing
> > list, but I would also like reply's not to be too bias.
>
> Everything I've ever read indicates that a hardware-based firewall is
> more secure and reliable than an PC operating system, be it Linux or
> Windows. A PC OS has to be complex because it has so many functions to
> perform, but that adds potential security holes and one can never close
> them all.
*Totally* disagree.
"Hardware" routers/firewalls are *only* and *just* computers with
programs loaded out of flash RAM instead of a {hard|floppy|CD} disk.
And they do have OSs. Here, for example. is what my cable modem runs:
Software Version: SB3100-3.2.12-SCM06-NOSHELL
Hardware Version: 2
MIB Version: II
GUI Version: 1.0
VxWorks Version: 5.3
Linux and BSD can be made *very* small. Every heard of floppy
firewalls?
> Furthermore, Intel-based PCs have some well-known exploits
> (such as buffer overflows) which are a function of the hardware and
> there is no real cure because changing the CPU instructions would break
> backward compatibility.
Bzzz. Where did you hear that?
Buffer-overflows are mainly a symptom of the "C" disease, and
happen on ia32, Alpha, Sparc, etc. Any arch that has a C compiler.
Now, an insecure-by-design OS (DOS, Win3.1, Win95, Win98) that
doesn't use the memory protection that the CPU provides are crud,
but real OSs (OS/2, Linux, QNX, etc, etc, ad nauseum) don't
suffer that problem.
> By contrast, a router operating system is very
> simple and designed to do only one thing, and the hardware (which has no
> moving parts) is more reliable and uses far less electricity than a PC.
You've never seen all the exploits in Cisco's OS, have you?
> A Linux-based firewall is probably good enough for the average home
> hobbyist, but in a professional environment it doesn't pay to "save
> money" by recycling an old PC with Linux installed in place of a router.
Again, disagree.
H/W routers definitely have their place, but any business could
be well served by replacing all firewalls and small/mid-sized
routers with boxen powered by pared-down {Linux|FreeBSD}.
--
+-----------------------------------------------------------------+
| Ron Johnson, Jr. Home: ron.l.johnson@cox.net |
| Jefferson, LA USA |
| |
| "I'm not a vegetarian because I love animals, I'm a vegetarian |
| because I hate vegetables!" |
| unknown |
+-----------------------------------------------------------------+
Reply to: