Linux - Security
Can someone tell me which is better, to buy a firewall appliance or to set up a Linux firewall? I've been using IPCop for almost a year now. Though I must admit that I don't fully understand security vulnerabilities, nor do I know whether my IPCop box is strong enough to withstand intrusions. I am still confused whether to use a firewall appliance or set up a Linux-based firewall. Which is better? Well, I suppose setting up a Linux firewall is less expensive and even free. But what are the pros and cons? I mean, other companies invest too much in hardware appliances such as Cisco and Nokia. What do they get from buying this expensive hardware when a Linux firewall exists? Hope someone can shed some light on this. Another question I've been asking is how I can make my IPCop do snort inline. Is snort inline safe?
This is how I see it: both can give you basic firewall security.
The advantage of a blackbox firewall (at least a consumer-grade one, i.e., not a Cisco) is that they're made pretty idiot-proof. You'd have to try hard to make yourself vulnerable. With a Linux firewall, it would be rather easy to make yourself vulnerable (e.g., by leaving out one small yet crucial line or similar), especially if you don't know what's going on.
On the other hand, a Linux-based firewall (netfilter) is infinitely customizable compared to a store-bought one. For example, you can filter based on how often you see a potential attacker (with the recent module), detect and block portscans (psd module), use the TARPIT target to slow down zombies, mark packets from different protocols that will later be throttled with tc (you might want to give www browsing medium priority, p2p lower priority, and realtime protocols such as SIP or H.323 higher priority), and a whole lot more things (basically, if you can think of it, it's probably doable; if it isn't, it is probably easy enough to code or get someone to code). Some of these things might be possible on the more expensive appliance-type firewalls, but there is clearly a flexibility advantage when using netfilter.
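Two of the netfilter features named above, the recent match for rate-limiting repeat connection attempts and packet marking feeding a tc HTB tree, as an added example script that is not from this thread or from any poster. Interface name eth0 and the rate figures are constructed; by default the script only prints the commands it would run, and APPLY=1 executes them (as root, on a Linux host).

```shell
#!/bin/sh
# Added example: prints (or with APPLY=1 applies) a small netfilter/tc ruleset.
# WAN interface and bandwidth figures below are constructed placeholders.

WAN=${WAN:-eth0}

# Print the command unless APPLY=1, so the script can be reviewed first.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Rate-limit new SSH connections per source with the recent module:
# the 5th new connection from one address inside 60 s is dropped, and the
# --update keeps extending the window while the address keeps trying.
ssh_ratelimit_rules() {
    run iptables -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name sshprobe --set
    run iptables -A INPUT -i "$WAN" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name sshprobe --update --seconds 60 --hitcount 5 -j DROP
}

# Mark outbound packets by class: SIP high (1), web medium (2), the rest low (3).
# The final rule only touches packets still carrying mark 0.
qos_mark_rules() {
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p udp --dport 5060 -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p tcp -m multiport --dports 80,443 -j MARK --set-mark 2
    run iptables -t mangle -A POSTROUTING -o "$WAN" -m mark --mark 0 -j MARK --set-mark 3
}

# HTB tree on the WAN side; tc's fw classifier maps each mark to a class.
qos_tc_rules() {
    run tc qdisc add dev "$WAN" root handle 1: htb default 30
    run tc class add dev "$WAN" parent 1: classid 1:1 htb rate 10mbit
    run tc class add dev "$WAN" parent 1:1 classid 1:10 htb rate 3mbit ceil 10mbit prio 0
    run tc class add dev "$WAN" parent 1:1 classid 1:20 htb rate 5mbit ceil 10mbit prio 1
    run tc class add dev "$WAN" parent 1:1 classid 1:30 htb rate 2mbit ceil 10mbit prio 2
    run tc filter add dev "$WAN" parent 1: protocol ip handle 1 fw flowid 1:10
    run tc filter add dev "$WAN" parent 1: protocol ip handle 2 fw flowid 1:20
    run tc filter add dev "$WAN" parent 1: protocol ip handle 3 fw flowid 1:30
}

all_rules() { ssh_ratelimit_rules; qos_mark_rules; qos_tc_rules; }
```

Running it without APPLY prints 13 commands you can read through before committing them; the recent-module state can be inspected afterwards in /proc/net/xt_recent/sshprobe.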
Also, if you buy a "hardware firewall", it's a box which you use and that's pretty much it; it has a configuration tool of some kind, but updating it probably isn't the easiest thing to do. Updating iptables (or netfilter, if you like) is probably much less of a pain, and if you consider how much iptables has grown in a short period of time, and how much hardware firewall boxes have, you can see the difference. It's just that, as osor said, with iptables you need to know what to do.
Another thing to think about is this: a hardware firewall box is a separate device and thus a bit less easy to break. If you had a Linux firewall that lay on one of your servers, cracking the server some way or other would let the cracker deal with the firewall too; this isn't the case with an external firewall. You can put your Linux firewall in a separate box, yes, but it's more expensive, and nevertheless it probably has more than just iptables installed, so it's got more breaking points than just the firewalling software. Hardware firewall boxes too have more in their software than just the firewall, but I believe (or actually hope) that they are better sealed from the beginning (again, you can make your Linux firewall box safer, but it takes some work).
Shortly said, I see nothing that you could do with a Cisco firewall box or some other hardware box that you couldn't achieve with a Linux firewall; then again, most of the things you'll do with firewalls ask for (even much) more work on Linux than if you were using a hardware firewall. Both are surely breakable; it's just the question: how much money are you ready to pay for the safest solution, and how much time can you spend getting it to work? If configuring a Linux firewall takes a year and means buying new hardware, perhaps a lot, some think it's easier to just go to the store and buy one of those "ready" boxes, plug it in, spend a day or two tweaking its settings and let it roll.
Like I said, it's just the question of time and money, and their relation.
Can someone tell me which is better, to buy a firewall appliance or to setup a Linux Firewall?
I think they both have their pros and cons. A build-your-own firewall could be totally free, but the setup and configuration is time consuming. On the other hand, the pre-built firewall is expensive (not to mention the sky-high annual support and upgrade fees some have) but fairly easy to set up.
Originally Posted by depam
I've been using IPCop for almost a year now. Though I must admit that I don't fully understand security vulnerabilities, nor do I know whether my IPCop box is strong enough to withstand intrusions. I am still confused whether to use a firewall appliance or set up a Linux-based firewall.
I would suggest getting a couple of books on securing Linux. Or just look around the net for configs on securing IPCop. I have been working for a couple of weeks on setting up a firewall for my company. I was leaning toward purchasing a pre-built one until I found that none will do everything I want it to. So, I figured I would "try" and build my own. I am currently testing it from home before plugging it in at the office. I have found there to be plenty of info on setting up your own, not to mention great sites like linuxquestions.org. On the other hand, a pre-built firewall usually comes with some sort of tech support, so you really don't have to know a lot.
As far as your IPCop goes, you might want to run some tests from behind it to see how secure it is: hackerwatch.org/probe/