Linux Firewall Vs Firewall Appliance
Can someone tell me which is better, to buy a firewall appliance or to set up a Linux firewall? I've been using IPCop for almost a year now. Though I must admit that I don't fully understand security vulnerabilities, nor do I know whether my IPCop box is strong enough to withstand intrusions. I am still confused whether to use a firewall appliance or set up a Linux-based firewall. Which is better? Well, I suppose setting up a Linux firewall is less expensive and even free. But what are the pros and cons? I mean, other companies invest so much in hardware appliances such as Cisco and Nokia. What do they get from buying this expensive hardware when a Linux firewall exists? Hope someone can shed some light on this for me. Another question I've been asking is how I can make my IPCop do Snort inline. Is Snort inline safe?
This is how I see it: both can give you basic firewall security.
The advantage of a black-box firewall (at least a consumer-grade one — i.e., not a Cisco) is that it's made pretty idiot-proof. You'd have to try hard to make yourself vulnerable. With a Linux firewall, it would be rather easy to make yourself vulnerable (e.g., by leaving out one small yet crucial line or similar), especially if you don't know what's going on. On the other hand, a Linux-based firewall (netfilter) is infinitely customizable compared to a store-bought one. For example, you can filter based on how often you see a potential attacker (with the recent module), detect and block portscans (psd module), use the TARPIT target to slow down zombies, mark packets from different protocols that will later be throttled with tc (you might want to give www browsing medium priority, p2p lower priority, and realtime protocols such as SIP or H.323 higher priority), and a whole lot more things (basically, if you can think of it, it's probably doable; if it isn't, it is probably easy enough to code or get someone to code). Some of these things might be possible on the more expensive appliance-type firewalls, but there is clearly a flexibility advantage when using netfilter.
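The two netfilter tricks named above, rate-limiting a source with the recent module and marking packets so tc can prioritize them, as an added example that is not from this thread. It assumes a WAN interface eth0, SSH on port 22, SIP signalling on UDP 5060 and fwmarks 1/2/3 for high/medium/low priority; it prints the commands by default and only installs them when run as root with APPLY=1.

```sh
#!/bin/sh
# Added example (not from the original post): netfilter "recent" rate limiting
# plus fwmark-based tc prioritization. Dry run by default: commands are echoed,
# not executed. APPLY=1 as root installs them on the assumed interface.
WAN=${WAN:-eth0}   # assumption: eth0 is the WAN side
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Rate-limit new SSH connections with the recent module. Every new connection
# from a source is recorded by --set; once a source has 4 recorded attempts
# within 60 seconds, the --update rule matches and further attempts are
# dropped (and refresh the entry, so a persistent source stays blocked).
recent_rules() {
    run iptables -N SSH_LIMIT
    run iptables -A SSH_LIMIT -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
    run iptables -A SSH_LIMIT -m recent --name ssh --set -j ACCEPT
    run iptables -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_LIMIT
}

# Mark outbound packets for tc: everything starts as low priority (3), then
# web traffic is raised to medium (2) and SIP signalling to high (1). Later
# mangle rules overwrite the mark set by earlier ones, so order matters.
mark_rules() {
    run iptables -t mangle -A POSTROUTING -o "$WAN" -j MARK --set-mark 3
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p tcp -m multiport --dports 80,443 -j MARK --set-mark 2
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p udp --dport 5060 -j MARK --set-mark 1
}

# A prio qdisc has three bands 1:1, 1:2, 1:3; band 1:1 is always dequeued
# first. The fw classifier maps each fwmark to the band of the same number.
tc_rules() {
    run tc qdisc add dev "$WAN" root handle 1: prio
    for m in 1 2 3; do
        run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle "$m" fw flowid "1:$m"
    done
}

all_rules() {
    recent_rules
    mark_rules
    tc_rules
}

all_rules
```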
Also, if you buy a "hardware firewall", it's a box which you use and that's pretty much it; it has a configuration tool of some kind, but updating it probably isn't the easiest thing to do. Updating iptables (or netfilter, if you like) is probably much less of a pain, and if you consider how much iptables has grown in a short period of time, and how much hardware firewall boxes have, you can see the difference. It's just that, as osor said, with iptables you need to know what to do.
Another thing to think about is this: a hardware firewall box is a separate device and thus a bit less easy to break. If you had a Linux firewall that lived on one of your servers, cracking the server some way or other would let the cracker deal with the firewall too; this isn't the case with an external firewall. You can put your Linux firewall in a separate box, yes, but it's more expensive - and nevertheless it probably has more than just iptables installed, so it's got more breaking points than just the firewalling software. Hardware firewall boxes too have more in their software than just the firewall, but I believe (or actually hope) that they are better sealed from the beginning (again, you can make your Linux firewall box safer, but it takes some work). In short, I see nothing that you could do with a Cisco firewall box or some other hardware box that you couldn't achieve with a Linux firewall; then again, most of the things you'll do with firewalls ask for (even much) more work on Linux than if you were using a hardware firewall. Both are surely breakable; it's just the question: how much money are you ready to pay for the safest solution, and how much time can you spend on getting it to work? If configuring a Linux firewall takes a year and means buying new hardware, perhaps a lot, some think it's easier to just go to the store and buy one of those "ready" boxes, plug it in, spend a day or two tweaking its settings and let it roll. Like I said, it's just the question about time and money - and their relation.
Looking at these posts, do you know that IPCop is a firewall distro, so it's a hardware firewall and quite idiot-proof unless you drop to the command line or forward the wrong port?
As far as your IPCop goes, you might want to run some tests from behind it to see how secure it is: hackerwatch.org/probe/