how a Linux server is more suited to protect a network vs. a hardware appliance
The subject heading is the question:
How is a Linux server more suited to protect a network vs. a hardware appliance from Sonicwall, Cisco, etc.? I've been asked to write something up on this, but I am only familiar with the Linux side of this question. Meaning I have some experience with iptables, but not with hardware appliances, so it is hard for me to compare them. From what I have read so far Sonicwall has its own OS - don't know if that is good or bad or why. Another thread on LQ shed some light - mostly that Linux is more configurable vs. an appliance. Any ideas? Thanks in advance.
Most firewall appliances run some form of Linux. The difference is that the software/hardware are optimized for use as a firewall, so feature-wise you can do about the same or more with Linux. The problem is management, patches and how stripped down you can make the Linux box. With security, the more software and modules on an OS, the more potential attack vectors. So if you're going to an enterprise solution, something from Cisco, Juniper or Sonicwall might make sense. Small networks (<250 nodes) I would say go with what you know. If you're an SME on Linux firewalls, go for it. I would not mix uses for anything security related. Firewall, IDS, etc. should all be dedicated nodes. You don't want your firewall to also be your public web server; that would be bad.
Good luck with your homework.
Use an appliance any time that you're not 100% sure that a software firewall is the best approach. If you knew enough to build an appropriate software-based firewall, you wouldn't have to ask.
The advantages of dedicated appliances:
- Hardware support from vendor
- Software support from vendor
- Usually some dedicated hardware acceleration for packet handling and/or inspection
- "Deep" inspection (usefulness varies by vendor and protocol) to actually check packet payload for problems, vs. just looking at packet headers
- Built for reliability, i.e. passive cooling, very few moving parts, etc.
- Often has integration with monitoring software, or its own on-board monitoring/reporting interfaces
Disadvantages of dedicated appliances:
- Can be more expensive if you can build and support your own with minimal labor
- Not as flexible for external integration (although typically there's not much you'd want to integrate with a firewall)
- You could experience more down-time if your firewall is a single point of failure, since with a software-based solution you could install it again on spare hardware should your primary go down (of course, you should build/buy two firewalls from the outset to provide High Availability)
The company I work for uses commercial appliances for all our production networks, and a mix of used appliances and software-based firewalls for our non-production networks. In particular, we found a software-based approach best for our training and demonstration labs, since we don't have support contracts on our used appliances anyway. If we have a failure with one of our hand-built boxes, we can just throw our USB flash drive on another box and boot it up instantly as a replacement. One of the things on my to-do list is to finish building out a second, identical firewall and add it as an active HA fail-over. That would cost $$$$$$$ from Cisco, but only costs us around $1000 in inventory and < $5000 in labor.
If you buy an appliance, for a non-expert, it will probably be easier to configure than a Linux box. If you have sufficient expertise with iptables, then this doesn't really apply (and you can guarantee a long-term supply of people with the right skill set), but for many SMEs this can be the decisive argument. You can also get support, courses, etc., etc., which also help if you are not an expert. Cisco/Bay/Juniper/etc. may well be able to achieve a lower power consumption for a given level of performance than 'old server box, hacked about a bit plus Linux (or BSD for that matter)', which will be important to some people, but for most they won't give a stuff compared to a lot of what goes on in the enterprise. Also, if you count the state machine/conntrack functionality, it is a very flexible and versatile system. Trouble is, some of this subsystem is a bit heavy on processing power, and if you are using conntrack you can't really predict where you will end up without trying something out with your workload, etc. What this means, in practice, is that you don't build a Linux firewall box very closely sized for the right throughput; you build it for 'that's bound to be enough throughput', i.e., size it a bit more generously, and this adds to the computer power difference. Fortunately, given how cheap commodity computer hardware is these days, it's not really a purchase price issue.
salasi, you made me realize I didn't ask the question very clearly.
I'm not saying I am building the box or making the decision which way to go. It has been decided by another party that a Linux box is the way to go, and my job is to explain why. I am familiar with iptables and securing a Linux box, but I am having difficulty explaining why it is better than something I have no experience with (appliances). That being said, the replies so far have still given me some ammo, so thanks to all.
The biggest advantage of a Linux firewall over hardware solutions has got to be cost. This is generally the case even when support contracts and such are added in to the equation. As mentioned earlier, it is also a relatively inexpensive way to add redundancy by using clusters.
I've found that the flexibility of Linux firewalls is another relative strength. I use a modular bash script to run my rules that makes it relatively easy to add and remove specific rules. This allows me to put repetitive rules into a loop, use variables and utilize the strengths inherent in a scripting language. I've also been able to deal with some very specialized network situations by using Patch-o-Matic-ng. One area I don't hear mentioned often is that Linux has a wide variety of network tools that can be very useful to a firewall admin. Linux makes it very easy to do things like packet captures that can be brought into Wireshark for evaluation. The flexibility also applies to the hardware itself. I can relatively easily scale up the system, such as adding additional NICs for additional subnets, or scale up the server hardware for increased performance. Lastly, the availability of documentation for Linux is very useful. The only firewall equipment that comes close to having freely available documentation is Cisco gear. Most times when issues have come up I've found that my problem is not unique. Generally somebody, somewhere has had the issue before me and has documented their solution. Hardware firewalls do have their advantages as well, so it's a matter of choosing the right tool for the job.
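An added example (not code from the thread or any poster) of the modular, variable-driven ruleset style described in the post above, combined with the conntrack state matching salasi mentioned; interface names, the LAN subnet and the service ports are all assumed values, and DRY_RUN=1 only prints the commands so it can be read without root.

```shell
#!/bin/sh
# Added example, not from the thread: a small modular iptables ruleset
# in the style the post describes (variables, a loop over services,
# conntrack state matching). Interface names, subnet and ports are
# assumed values. DRY_RUN=1 (default) prints commands; DRY_RUN=0 as root applies them.
WAN_IF="${WAN_IF:-eth0}"                     # assumed external interface
LAN_IF="${LAN_IF:-eth1}"                     # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"         # assumed internal subnet
TCP_SERVICES="${TCP_SERVICES:-22 80 443}"    # ports exposed on the WAN side
DRY_RUN="${DRY_RUN:-1}"

# ipt: print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
    # Default-deny inbound and forwarded traffic; outbound stays open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    # Loopback, then replies to flows conntrack already knows about.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets that fit no known flow (stray ACKs, bad state) are dropped.
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Trust the LAN side for management traffic.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Repetitive per-service rules become one loop over a variable
    # (unquoted on purpose so the list splits into words).
    for port in $TCP_SERVICES; do
        ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # LAN hosts may go out; only tracked replies come back in.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

build_rules
```

Adding a service is one edit to TCP_SERVICES rather than a new hand-written rule, which is the maintenance point the post makes.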
In fact, recently I was trying to help one of my customers set up our e-mail security software and they were having a problem configuring their firewall correctly. I was able to go to the vendor's website (not Cisco, BTW), search for the model of the firewall, download the documentation, and walk the customer through configuring it in a matter of minutes. The documentation in that case was freely available without a support contract. Open Source developers could take some pointers from commercial vendors on writing documentation. The vast majority of commercial documentation I've read has been pretty good. On the other hand, I find probably 80% of Linux-related documentation to be awful. It seems like most of the time is spent writing code, and documentation is a total afterthought. I've had much better experiences with BSD documentation. This is probably also due to the fact that the BSD mentality is to build and support the whole OS, while Linux-based OSes are just the Linux kernel with a hodge-podge of third-party applications thrown in. Not to nit-pick your reply in particular, but I think it's important to make decisions for the right reasons.
I agree documentation on Linux firewalls is piecemeal at best. I like building my own firewalls, because it helps me understand the underlying technologies much better.
Not a red herring at all. One of the strengths I've found with Linux, and I'll add BSD as well, is that finding information about very specific problems is often easier and cheaper than with dedicated hardware. This can be very important when things go bump in the night. General documentation is a whole separate thing. I would agree that for basic day-to-day items vendor documentation can be decent, but in the real world I've found that vendor documentation ranges from low-level and not very useful to excellent. I would add that this is something to consider when choosing a firewall.
If you assume your network engineers are all proficient in OSS firewall construction/administration, then the time to administer an OSS solution vs. commercial might be the same, but I'll bet you have to pay a lot more for a sysadmin who can write his own firewall in iptables than you have to pay for someone who can configure a PIX/ASA.
Also, the people who tend to post HOW-TOs for OSS stuff tend to be home users, and their experiences are often irrelevant to enterprise configurations. The people who put together OSS-based networks for a living tend not to release the details, since it's done on company time.
An OSS engineer truly adept at writing iptables rules will most likely be smart enough to simplify iptables by using a config tool like Shorewall.
I've worked for vendors for the last 5 years and I've been to a ton of different companies. The highest-paid non-managers are always the ones who can build stuff; companies do not tend to let these types of people leave easily. On the other hand, people who are Microsoft/Cisco/<insert major vendor here> certified are a dime a dozen--there are so many out there, replacing them is pretty painless. Remember a few years ago when Microsoft was really making a lot of noise about the TCO of Microsoft vs. Linux? This is one of the biggest points they made (and it's valid).
People who actually have to do this stuff for a living are way too busy to write about it, plus their work is often considered "company secrets", and whether it really is a secret or not, most employees are rightfully a bit timid to post work-related information without permission. There are a few categories of professionals who do post their work regularly, particularly employees who have evangelism as part of their job description (e.g. IBM architects), or consultants who want to provide evidence of their skill to attract business. Anyway, it basically boils down to: if you're already paying someone to be really smart and build things, they might as well go ahead and build a firewall since they can. If you're just trying to squeeze your budget by doing as many things yourself as you can, trying to write your own firewall is probably not the best way to do that.
And it doesn't often matter about the size of the company either. This happened when the company was small. It was later bought by a HUGE provider. The buyer had the same policy.
I have used both Sonicwall TZ170W and TZ180W and Netscreen SSG 5 and SSG 20.
At home I have a TZ170W and a Netscreen SSG 5. I have been playing with firewall distros constantly. For some reason I keep going back to pfSense 1.2; I mostly use the hardware routers for wireless since it's built in. I guess it's just fun to use a distro and learn another Linux or BSD firewall. It keeps my mind fresh. It really depends on if you have a budget to stick by and how many people this will service. I just have around 3 to 4 PCs at a time at home on my LAN. I need wireless at home for my laptop that I use for work. I have tested m0n0wall, Endian, Smoothwall Express and a few others.