LinuxQuestions.org
Old 05-27-2007, 07:02 AM   #1
depam
Member
 
Registered: Sep 2005
Posts: 829

Rep: Reputation: 30
Firewall and Router


Hi! I'm just wondering what really is the difference between a router and a firewall? I've been using IPCop for years and I can compare it with most of the commercial NAT routers. It can also do route, DHCP, etc. Can we say that the NAT router can also act as a firewall (or firewall is just a marketing word)? How about linux? Since linux can also do routes and stateful packet inspection using iptables, is it also safe to say that any linux box can act as a firewall and router at the same time? Thanks.
 
Old 05-27-2007, 07:12 AM   #2
MS3FGX
Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 351
A router and a firewall are two separate concepts; it just so happens that most routers also contain firewalls.

All a router does is join dissimilar networks to each other, acting as a bridge to connect between them. This allows, for example, the computers in your internal network to connect to hosts on the Internet. The router translates between the two networks seamlessly, even though they are very different.

On the other hand, a firewall simply allows or disallows network traffic based on pre-determined criteria or rules (destination IP, destination port, protocol, etc, etc).

These two concepts are combined to create the consumer-level routers that most people are accustomed to (and in fact, usually a third and fourth device is combined with them as well; a switch and WiFi AP, respectively).

As for a Linux machine being able to act as a router and firewall, it most certainly can, and often does. That is exactly what IPCop is, a Linux distribution designed to operate as a secure firewall and routing device.
 
Old 05-28-2007, 09:53 AM   #3
depam
Member
 
Registered: Sep 2005
Posts: 829

Original Poster
Rep: Reputation: 30
How true is it that the core OS of most commercial routers, including Ciscos and Nortels, is Linux? Is it more practical to use a hardware-based firewall like the Cisco ASA or just configure a Linux box to allow and disallow network traffic? I've been arguing with a friend of mine and I told him that IPCop is also a hardware-based firewall. He said that it's only a software firewall. I told him that software firewalls include the likes of ZoneAlarm and Norton. I also told him that the IPCop firewall is designed to be a hardware firewall. What can you say about this?
 
Old 05-28-2007, 11:19 AM   #4
MS3FGX
Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 351
I have never used a Cisco router that ran Linux, nor have I ever heard of one. All of the ones I am aware of use IOS, which is a proprietary Cisco OS. Though I am not a Cisco man myself, so it is possible that they do have a Linux product line available that I have just not heard of.

As for what is more practical, I think that is a rather obvious question. If the choice is between paying thousands of dollars for a Cisco router or installing IPCop on an outdated workstation, it seems to be a no-brainer for the small network administrator. IPCop can easily handle the demands for a home or office network, and I have even employed similar software (SmoothWall at the time) on a relatively large scale (100+ clients) and had no problems at all.

Now, the line between hardware and software firewalls/routers is a little bit blurred. The Cisco machines are in essence small computers, the IOS can be updated and replaced, and IOS itself contains various programs that make it a fully functional OS (albeit completely geared towards a single task). A Cisco router running IOS is really not much different from a computer running IPCop, so I would have to say they both fall into the hardware category.

Programs like ZoneAlarm, which simply run on top of the existing OS as an application, are certainly software based. The difference is that while IPCop is software, it is focused at every level to complete a single task, rather than just being a program running on a stock operating system. But I think this is probably up to interpretation.
 
Old 05-28-2007, 03:47 PM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
High-end hardware firewalls, e.g. Cisco ASAs, contain very specialised hardware designed from the ground up for a single task. The architecture of the systems is designed for a single goal, and as such data flows and processes are geared to ensure that is done to the best it can be. In firewalls specifically, this is for security, so data is moved about in ways that are architecturally secure, using often very different techniques than conventional CISC-based platforms like you're running with IPCop. Whilst yes, those IPCop boxes contain vastly less, put through vastly more data, and ostensibly provide the same sort of security, the way the data is treated on the inside is very different, and makes netadmins sleep much better at night.

Another key aspect to all of this is the functional roles of devices. Whilst you could run everything on one Intel-based platform, it's really really bad design, and any self-respecting business will use the right tool for each job, not look to combine things to save money, as there is implicitly a compromise in many other areas, if primarily on paper.

Cisco devices do not run Linux. They do have a heavily modified UNIX file subsystem, but it's not Linux, and never will be.

Where I work, our most expensive bits of network gear are 4 F5 Networks LTM 6400s. These cost about 50k a pop list price, and they do some awesome, awesome things right at the heart of our data network. They are physically quad-core x86 platforms, running a Red Hat derivative, and for load balancing and screwing about with TCP connections they are the absolute dogs... but they aren't a firewall, and whilst they have heuristic "security" modules, wanting to expose them to Internet traffic is still a really dumb idea, and I'd be holding my breath as I left the office each day. With a pair of decent hardware Cisco and Checkpoint firewalls in front of them, I'm happy that they'll be OK.

Last edited by acid_kewpie; 05-28-2007 at 03:52 PM.
 
Old 05-31-2007, 07:38 AM   #6
depam
Member
 
Registered: Sep 2005
Posts: 829

Original Poster
Rep: Reputation: 30
Thanks acid_kewpie. Nice to hear from you again. So you are saying that IPCop and a customized Linux firewall could not be compared with Cisco PIX/ASAs? What would be your suggestion? Is it really safe to use a Linux firewall in a corporate environment, or just spend MUCH money and buy stuff that will give you the protection? IPCop seems nice and user-friendly, and I haven't heard of it being compromised badly. I also haven't heard of anyone configuring IPCop to run as a firewall in a corporate environment. On a gateway, I think.
 
Old 05-31-2007, 07:50 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
I'll say that my first-hand knowledge and understanding of the real low-level stuff I'm listing isn't as much as the accepted best practices / white paper side of things. Coupled with that, I've a position where I'm an absolute Linux zealot saying that you should give your money to a global conglomerate instead of the open source community, also odd. One thing Cisco will say is that Cisco aren't a hardware company, they are a software company. They don't make firewall hardware, they develop the IOS code that runs upon it and such, and simply ask someone else to build a physical platform and then ship it. So where they are providing their good stuff is code coded by smart guys, just like netfilter and co are software written by smart guys, but with sandals on.

In line with this though, the ethos that a device is as secure as the weakest link is going to hold true, and in the case of IPCop, IPCop's management framework is likely to be the weak point in a normal solution, and the netfilter subsystem isn't. Remove that middleware and you're left with you vs netfilter, and on average it'll be you who "loses". The more you know about netfilter directly, the better and more secure your system is going to be. In a similar vein, I *never* use any of Cisco's crude web interfaces that the lesser-skilled users tend to demand with their money.
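As an added example (not from the thread, IPCop or any project it mentions), here is what post #2's "router plus firewall on one Linux box" looks like when driven directly against netfilter with iptables, as post #7 suggests: forwarding and NAT for the routing role, conntrack-based stateful inspection and a default-deny policy for the firewall role. The interface names, the LAN subnet and the `DRY_RUN` switch are assumptions of this example; it is IPv4 only.

```shell
#!/bin/sh
# Added example, not from the thread or from IPCop: one Linux box as router plus
# stateful firewall, built directly against netfilter with iptables (IPv4 only).
# Interface names and the LAN subnet below are assumptions; edit them to fit.
# DRY_RUN=1 prints the commands instead of applying them (applying needs root).
WAN="${WAN:-eth0}"                    # assumed: interface facing the Internet
LAN="${LAN:-eth1}"                    # assumed: interface facing the internal LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # constructed example subnet
DRY_RUN="${DRY_RUN:-0}"

run() {
    # In dry-run mode emit the command so the ruleset can be reviewed offline.
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

router_rules() {
    # Routing part: enable forwarding and hide LAN addresses behind WAN (NAT).
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

firewall_rules() {
    # Firewall part: stateful inspection via conntrack, default deny at the end.
    run iptables -F
    run iptables -t nat -F
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections: LAN may go out to the Internet; LAN may SSH to the box.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A INPUT -i "$LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Unsolicited WAN traffic: log (rate limited) for later review, then drop.
    run iptables -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    # Policies last, so an existing admin session is never cut mid-way.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
}

apply_all() {
    firewall_rules
    router_rules
}

# Usage: DRY_RUN=1 sh fw.sh apply   (review)    sh fw.sh apply   (as root)
case "${1:-}" in
    apply) apply_all ;;
esac
```

Everything not matched by a rule falls through to the DROP policy, so the box accepts nothing from the WAN side except replies to connections the LAN opened; an IPv6-capable uplink needs an equivalent ip6tables ruleset or it is left wide open.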
 
Old 06-02-2007, 09:48 PM   #8
depam
Member
 
Registered: Sep 2005
Posts: 829

Original Poster
Rep: Reputation: 30
Thanks acid_kewpie. Very well said. I think I need to study and go deeper into netfilter. Thanks a lot.
All times are GMT -5. The time now is 10:32 AM.