Re: Linux firewall vs Windows and Hardware based firewalls

From: Tom Allison (tallison_at_tacocat.net)
Date: 08/01/03

    Date: Fri, 01 Aug 2003 03:11:46 -0400
    To: Andre Volmensky <AndreV@datcom.com.au>, Debian User <debian-user@lists.debian.org>
    
    

    Andre Volmensky wrote:
    > Hello all,
    >
    > I have to put forward an argument to management regarding setting up a
    > firewall on some of our clients networks.
    >
    > What are the advantages of a linux firewall over something like Windows
    > with WinRoute on it, or even a hardware based firewall. What are the
    > disadvantages etc. I know I am asking on a linux users mailing list, but
    > I would also like replies not to be too biased.
    >
    > Thanks
    > Andre
    >
    >

    You already have many answers, but I'll share my experience with the Linux
    firewall and the Hardware firewall.

    I haven't any experience with Windows based firewall products. But I believe
    that you must have a security perimeter that is physically separate from your
    workstations and servers. You will find this is standard fare on higher
    security configurations.

    I have tried several of the NetGear firewalls. They are all excellent
    products and have a reasonable cost to them. I think I paid between $100
    and $200 US for each of them. They all supported DHCP but they had shortcomings.

    The first was limited to only ipchains (not as secure) and had nothing to
    support DNS caching (network load savings) or VPN.

    The second supported DNS caching and VPN and was more secure through its use
    of iptables. However it had shortcomings also:
    Known security problems with the software being used were not patched for
    months. There is only one subnet supported and if you want to host
    webservices (email, webpages) this is not a solution.

    In order to get web services, I would have to pick up hardware that had a
    dedicated port for a DMZ. I found this to run about $1,000 US.

    I use a product that I picked up for free called smoothwall (smoothwall.org)
    there is also ipcop.org.

    These take an existing computer (Pentium 200 with 64MB RAM and 1GB hard
    drive, some would argue it's hardly worth pulling from the dumpster). I put
    in a CD and it installs itself in a few minutes and provides a firewall that
    supports a LAN or a DMZ + LAN and also provides:
    VPN support
    DNS caching
    DHCP ( I needed to modify it to support TFTP installs and could do this )
    Squid caching (also configurable)
    Snort (Intrusion Detection)
    DMZ port forwarding
    PPPoE, USB modems, dial-up modems.... lots of devices all at once. More than
    any firewall appliance handles.

    and a number of other features I haven't even looked into much but check out
    the websites.

    And here's the part I really like.
    I used an old "scrapper" of a PC to do it.
    And if/when it dies, I just grab another scrapper and load up the firewall
    and am back online in about 10-30 minutes depending upon the configuration I
    have.
    You can't get to the store and buy a new one, or reinstall Windows that quickly.
    You probably can purchase a used PC for less than the software you propose
    for Windows. But you might also have some old spares around.

    Now for a business, you might have an interest in VPN support. Under a lot
    of a Hardware firewalls, they sell per user VPN licenses which can add up to
    a lot of $$ in a hurry. These products provide VPN based on free software
    options (IPSec)

    smoothwall.org and ipcop.org don't provide solutions that are as physically
    small or even as pretty (Netgear has a nice blue case), but it's a great
    option to consider because it's physically separated hardware, cost
    effective, configurable, easy to replace (any PC will do) and entirely
    transparent to the end user configuration.

    Hope this helps.

    -- 
    "If you are afraid of loneliness, don't marry."
    -- Chekhov
    -- 
    To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
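Added example (not part of the post above, and not smoothwall's or ipcop's own scripts): a minimal three-zone iptables ruleset of the kind those distributions build for you, written out by hand so the security properties Tom describes are visible. It shows the points the post makes: a stateful core (the ESTABLISHED,RELATED rule is what ipchains could not do), a DMZ that may reach the Internet but can never initiate into the LAN, and published web and mail services forwarded from the outside address to DMZ hosts. Interface names (eth0/eth1/eth2), the two subnets and the DMZ host addresses are assumptions for illustration; change them to match the box. DRY_RUN=1 prints the rules instead of loading them, so it can be inspected as an unprivileged user.

```sh
#!/bin/sh
# Three-zone firewall: RED = Internet, GREEN = trusted LAN, ORANGE = DMZ.
# All interface names and addresses below are assumed values for the example.
RED=${RED:-eth0}
GREEN=${GREEN:-eth1}
ORANGE=${ORANGE:-eth2}
GREEN_NET=${GREEN_NET:-192.168.1.0/24}
ORANGE_NET=${ORANGE_NET:-192.168.2.0/24}
DMZ_WEB=${DMZ_WEB:-192.168.2.10}    # web server in the DMZ (assumed)
DMZ_MAIL=${DMZ_MAIL:-192.168.2.11}  # mail server in the DMZ (assumed)

# Wrapper: with DRY_RUN=1 print the command instead of calling iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Default deny: anything not explicitly allowed below is dropped.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Stateful core: replies to allowed connections pass in both directions.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT   -i lo -j ACCEPT

    # Anti-spoofing: internal source addresses must never arrive on RED.
    ipt -A INPUT   -i "$RED" -s "$GREEN_NET"  -j DROP
    ipt -A FORWARD -i "$RED" -s "$GREEN_NET"  -j DROP
    ipt -A INPUT   -i "$RED" -s "$ORANGE_NET" -j DROP
    ipt -A FORWARD -i "$RED" -s "$ORANGE_NET" -j DROP

    # Services the firewall itself offers: DNS cache and DHCP to the LAN,
    # the admin UI on 443 from the LAN only, DNS cache to the DMZ.
    ipt -A INPUT -i "$GREEN"  -p udp --dport 53  -j ACCEPT
    ipt -A INPUT -i "$GREEN"  -p udp --dport 67  -j ACCEPT
    ipt -A INPUT -i "$GREEN"  -p tcp --dport 443 -j ACCEPT
    ipt -A INPUT -i "$ORANGE" -p udp --dport 53  -j ACCEPT

    # GREEN may go anywhere; ORANGE may only go out to RED, so a compromised
    # DMZ host cannot open connections into the LAN.
    ipt -A FORWARD -i "$GREEN"  -j ACCEPT
    ipt -A FORWARD -i "$ORANGE" -o "$RED" -j ACCEPT

    # Published services: DNAT on the RED side, then permit the forwarded flow.
    ipt -t nat -A PREROUTING -i "$RED" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_WEB"
    ipt -A FORWARD -i "$RED" -o "$ORANGE" -p tcp -d "$DMZ_WEB" --dport 80 -m state --state NEW -j ACCEPT
    ipt -t nat -A PREROUTING -i "$RED" -p tcp --dport 25 -j DNAT --to-destination "$DMZ_MAIL"
    ipt -A FORWARD -i "$RED" -o "$ORANGE" -p tcp -d "$DMZ_MAIL" --dport 25 -m state --state NEW -j ACCEPT

    # Hide both internal networks behind whatever address RED has (PPPoE, DHCP).
    ipt -t nat -A POSTROUTING -o "$RED" -j MASQUERADE
}

# Policy check on a printed ruleset: succeeds only if no rule lets
# ORANGE initiate traffic into GREEN.
check_dmz_isolated() {
    ! printf '%s\n' "$1" | grep -q -- "-A FORWARD -i $ORANGE -o $GREEN .*ACCEPT"
}

case "${1:-}" in
    apply) build_rules ;;
    show)  DRY_RUN=1; build_rules ;;
esac
```

Run `sh fw.sh show` to print the ruleset and `sh fw.sh apply` as root to load it; the show output is what you diff after every change, and check_dmz_isolated is the kind of one-line invariant worth keeping next to the rules so the LAN/DMZ boundary is never loosened by accident.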
    
