
Re: Linux firewall vs Windows and Hardware based firewalls



Andre Volmensky wrote:
Hello all,

I have to put forward an argument to management regarding setting up a
firewall on some of our clients networks.

What are the advantages of a linux firewall over something like Windows
with WinRoute on it, or even a hardware based firewall. What are the
disadvantages etc. I know I am asking on a linux users mailing list, but
I would also like the replies not to be too biased.
Thanks
Andre



You already have many answers, but I'll share my experience with the Linux firewall and the Hardware firewall.

I haven't any experience with Windows based firewall products. But I believe that you must have a security perimeter that is physically separate from your workstations and servers. You will find this is standard fare on higher security configurations.

I have tried several of the NetGear firewalls. They are all excellent products and have a reasonable cost to them. I think I paid between $100 and $200 US for each of them. They all supported DHCP but they had shortcomings.

The first was limited to only ipchains (not as secure) and had nothing to support DNS caching (network load savings) or VPN.

The second supported DNS caching and VPN and was more secure through its use of iptables. However it had shortcomings also: known security problems with the software being used were not patched for months. There is only one subnet supported and if you want to host web services (email, webpages) this is not a solution.

In order to get web services, I would have to pick up hardware that had a dedicated port for a DMZ. I found this to run about $1,000 US.

I use a product that I picked up for free called smoothwall (smoothwall.org) there is also ipcop.org.

These take an existing computer (Pentium 200 with 64MB RAM and 1GB hard drive, some would argue it's hardly worth pulling from the dumpster). I put in a CD and it installs itself in a few minutes and provides a firewall that supports a LAN or a DMZ + LAN and also provides:
VPN support
DNS caching
DHCP (I needed to modify it to support TFTP installs and could do this)
Squid caching (also configurable)
Snort (Intrusion Detection)
DMZ port forwarding
PPPoE, USB modems, dial-up modems.... lots of devices all at once. More than any firewall appliance handles.

and a number of other features I haven't even looked into much but check out the websites.


And here's the part I really like.
I used an old "scrapper" of a PC to do it.
And if/when it dies, I just grab another scrapper and load up the firewall and am back online in about 10-30 minutes depending upon the configuration I have.
You can't get to the store and buy a new one, or reinstall Windows that quickly.
You probably can purchase a used PC for less than the software you propose for Windows. But you might also have some old spares around.

Now for a business, you might have an interest in VPN support. Under a lot of hardware firewalls, they sell per user VPN licenses which can add up to a lot of $$ in a hurry. These products provide VPN based on free software options (IPSec).

smoothwall.org and ipcop.org don't provide solutions that are as physically small or even as pretty (Netgear has a nice blue case), but it's a great option to consider because it's physically separated hardware, cost effective, configurable, easy to replace (any PC will do) and entirely transparent to the end user configuration.

Hope this helps.
--
"If you are afraid of loneliness, don't marry."
-- Chekhov