
Re: Linux firewall vs Windows and Hardware based firewalls



On Thu, 2003-07-31 at 17:06, Ron Johnson wrote:
> On Thu, 2003-07-31 at 07:50, Robert Storey wrote:
> > On Thu, 31 Jul 2003 16:11:14 +1000
> > "Andre Volmensky" <AndreV@datcom.com.au> wrote:
> > 
> > > Hello all,
> > > 
> > > I have to put forward an argument to management regarding setting up a
> > > firewall on some of our clients networks.
> > > 
> > > What are the advantages of a linux firewall over something like
> > > Windows with WinRoute on it, or even a hardware based firewall. What
> > > are the disadvantages etc. I know I am asking on a linux users mailing
> > > list, but I would also like replies not to be too biased.
> > 
> > Everything I've ever read indicates that a hardware-based firewall is
> > more secure and reliable than a PC operating system, be it Linux or
> > Windows. A PC OS has to be complex because it has so many functions to
> > perform, but that adds potential security holes and one can never close
> > them all.
> 
> *Totally* disagree.
> 
> "Hardware" routers/firewalls are *only* and *just* computers with
> programs loaded out of flash RAM instead of a {hard|floppy|CD} disk.
> 
> And they do have OSs.  Here, for example, is what my cable modem runs:
>    Software Version: SB3100-3.2.12-SCM06-NOSHELL
>    Hardware Version: 2
>    MIB Version: II
>    GUI Version: 1.0
>    VxWorks Version: 5.3
> 
> Linux and BSD can be made *very* small.  Ever heard of floppy
> firewalls?
> 
> >          Furthermore, Intel-based PCs have some well-known exploits
> > (such as buffer overflows) which are a function of the hardware and
> > there is no real cure because changing the CPU instructions would break
> > backward compatibility.
> 
> Bzzz.  Where did you hear that?
> 
> Buffer-overflows are mainly a symptom of the "C" disease, and 
> happen on ia32, Alpha, Sparc, etc.  Any arch that has a C compiler.
> 
> Now, an insecure-by-design OS (DOS, Win3.1, Win95, Win98) that
> doesn't use the memory protection that the CPU provides is crud,
> but real OSs (OS/2, Linux, QNX, etc, etc, ad nauseam) don't
> suffer that problem.
> 
> >                          By contrast, a router operating system is very
> > simple and designed to do only one thing, and the hardware (which has no
> > moving parts) is more reliable and uses far less electricity than a PC.
> 
> You've never seen all the exploits in Cisco's OS, have you?
> 
> > A Linux-based firewall is probably good enough for the average home
> > hobbyist, but in a professional environment it doesn't pay to "save
> > money" by recycling an old PC with Linux installed in place of a router.
> 
> Again, disagree.
> 
> H/W routers definitely have their place, but any business could
> be well served by replacing all firewalls and small/mid-sized
> routers with boxen powered by pared-down {Linux|FreeBSD}.
> 
> -- 
> +-----------------------------------------------------------------+
> | Ron Johnson, Jr.        Home: ron.l.johnson@cox.net             |
> | Jefferson, LA  USA                                              |
> |                                                                 |
> | "I'm not a vegetarian because I love animals, I'm a vegetarian  |
> |  because I hate vegetables!"                                    |
> |    unknown                                                      |
> +-----------------------------------------------------------------+
> 
> 

As said before, hardware routers are just computers with a flash disk
that run an OS. They have their own exploits.
Their main advantage over a Linux box (I have seen hardware firewalls
running Linux, BTW) is that they have been configured by someone who
knows exactly how they are designed, and they have usually been highly
optimised and tested under load (hopefully). They are also usually
quite minimal with respect to utilities.
Their other main advantage is if you don't have a dedicated webmin who
knows how to set up a firewall properly: this way there will be less
chance of misconfiguration, since setting up a Linux firewall can be
somewhat daunting and error-prone, and from experience setting up a
Windows firewall is much worse despite trying to show a friendlier
interface (which ends up as something on which you can never find the
settings you want).
I don't know about all those fw-on-floppy things; I never worked with
them, so I don't know how hard they are to configure properly.
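
An added example, not part of any message in this thread, of what the
"pared-down Linux box" ruleset discussed above looks like: a minimal,
fail-closed iptables/NAT script for a two-interface gateway. The
interface names (eth0 WAN, eth1 LAN), the 192.168.1.0/24 LAN range and
ssh-only management are assumptions for illustration, not taken from
the posts. Run it with "show" to print the rules for review before
"apply" loads them into the kernel.

```shell
#!/bin/sh
# Minimal default-deny firewall/NAT ruleset for a two-interface Linux box.
# Added example, not from the original thread.  Assumed layout (not stated in
# the posts): WAN=eth0 faces the Internet, LAN=eth1 serves 192.168.1.0/24.
# The common misconfiguration is leaving the default policy at ACCEPT and
# trying to enumerate what to block; this script inverts that and fails closed.
set -eu

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# apply_rules CMD: emit every rule through CMD.  Pass "iptables" to load the
# rules into the kernel, or "echo" to print them for review (dry run).
apply_rules() {
  ipt="${1:-iptables}"

  # Start clean, then default-deny INPUT and FORWARD.  Anything not
  # explicitly allowed below is dropped, not accepted.
  $ipt -F
  $ipt -X
  $ipt -t nat -F
  $ipt -P INPUT DROP
  $ipt -P FORWARD DROP
  $ipt -P OUTPUT ACCEPT

  # Loopback, and replies to connections already allowed (state tracking).
  $ipt -A INPUT -i lo -j ACCEPT
  $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Anti-spoofing: packets claiming a LAN source must not arrive from the WAN.
  $ipt -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
  $ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

  # Management (ssh) and ping only from the LAN side, never from the WAN.
  $ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
  $ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT

  # LAN clients may open new connections outward; hide them behind the WAN address.
  $ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
  $ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

  # Log (rate-limited) what reaches the end of the chain, so a missing rule
  # shows up in syslog instead of failing silently.
  $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
  $ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
}

# "apply" loads the rules (needs root); anything else just prints them.
case "${1:-show}" in
  apply) apply_rules iptables ;;
  *)     apply_rules echo ;;
esac
```

The point relative to the misconfiguration worry above: the default
policies are DROP, so a forgotten rule blocks traffic (and shows up in
the log lines) rather than exposing something, and management access is
bound to the LAN interface and source range, not just to a port number.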


