LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-01-2008, 12:01 PM   #1
jlarsen
Member
 
Registered: Jan 2005
Location: Dallas, TX
Distribution: Slackware 14.1
Posts: 80

how a Linux server is more suited to protect a network vs. a hardware appliance


The subject heading is the question:
How is a Linux server more suited to protect a network vs. a hardware appliance from Sonicwall, Cisco, etc.

I've been asked to write something up on this, but I am only familiar with the Linux side of this question. Meaning I have some experience with iptables, but not with hardware appliances so it is hard for me to compare them. From what I have read so far Sonicwall has its own OS - don't know if that is good or bad or why. Another thread on LQ shed some light - mostly that Linux is more configurable vs. an appliance.
Any ideas?

Thanks in advance.

Last edited by jlarsen; 07-01-2008 at 12:02 PM. Reason: typos
 
Old 07-01-2008, 12:54 PM   #2
nappyt
LQ Newbie
 
Registered: Jun 2008
Posts: 14

Most firewall appliances run some form of Linux. The difference is the software/hardware are optimized for use as a firewall, so feature-wise you can do about the same or more with Linux. The problem is management, patches and how stripped down you can make the Linux box. With security, the more software and modules on an OS, the more potential attack vectors. So if you're going to an enterprise solution, something from Cisco, Juniper or Sonicwall might make sense. Small networks (<250 nodes) I would say go with what you know. If you're a SME on Linux firewalls, go for it. I would not mix uses for anything security related. Firewall, IDS, etc. should all be dedicated nodes. You don't want your firewall to also be your public web server; that would be bad.

good luck with your homework.
 
Old 07-01-2008, 03:01 PM   #3
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Use an appliance any time that you're not 100% sure that a software firewall is the best approach. If you knew enough to build an appropriate software-based firewall, you wouldn't have to ask.

The advantages of dedicated appliances:
- Hardware support from vendor
- Software support from vendor
- Usually some dedicated hardware acceleration for packet handling and/or inspection
- "deep" inspection (usefulness varies by vendor and protocol) to actually check packet payload for problems, vs. just looking at packet headers
- Built for reliability, i.e. passive cooling, very few moving parts, etc...
- Often has integration with monitoring software, or its own on-board monitoring/reporting interfaces

Disadvantages of dedicated appliances:
- Can be more expensive if you can build and support your own with minimal labor
- Not as flexible for external integration (although typically there's not much you'd want to integrate with a firewall)
- You could experience more down-time if your firewall is a single point of failure, since with a software-based solution you could install it again on spare hardware should your primary go down (of course, you should build/buy two firewalls from the outset to provide High Availability)

The company I work for uses commercial appliances for all our production networks, and a mix of used appliances and software-based firewalls for our non-production networks. In particular, we found a software-based approach best for our training and demonstration labs, since we don't have support contracts on our used appliances anyway. If we have a failure with one of our hand-built boxes, we can just throw our USB flash drive on another box and boot it up instantly as a replacement. One of the things on my to-do list is to finish building out a second, identical firewall and add it as an active HA fail-over. That would cost $$$$$$$ from Cisco, but only costs us around $1000 in inventory and < $5000 in labor.
 
Old 07-01-2008, 03:51 PM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Quote:
Originally posted by jlarsen:
The subject heading is the question:
The heading is a very slightly different question (roughly: I've decided on Linux, now give me some facts to back it up) versus the body of the text (Compare and contrast...). Ignoring that...

If you buy an appliance, for a non-expert, it will probably be easier to configure than a Linux box. If you have sufficient expertise with iptables, then this doesn't really apply (and you can guarantee a long-term supply of people with the right skill set), but for many SMEs this can be the decisive argument. You can also get support, courses, etc, etc, which also help if you are not an expert.

Cisco/Bay/Juniper/etc may well be able to achieve a lower power consumption for a given level of performance than 'old server box, hacked about a bit plus linux (or bsd for that matter)', which will be important to some people, but for most they won't give a stuff compared to a lot of what goes on in the enterprise.

Also, if you count the state machine/conntrack functionality, it is a very flexible and versatile system. Trouble is, some of this subsystem is a bit heavy on processing power, and if you are using conntrack you can't really predict where you will end up without trying something out with your workload, etc. What this means, in practice, is that you don't build a Linux firewall box very closely sized for the right throughput; you build it for 'that's bound to be enough throughput', i.e., size it a bit more generously, and this adds to the computer power difference. Fortunately, given how cheap commodity computer hardware is these days, it's not really a purchase price issue.
 
Old 07-01-2008, 04:13 PM   #5
jlarsen
Member
 
Registered: Jan 2005
Location: Dallas, TX
Distribution: Slackware 14.1
Posts: 80

Original Poster
salasi, you made me realize I didn't ask the question very clearly.

I'm not saying I am building the box or making the decision which way to go. It has been decided by another party that a Linux box is the way to go and my job is to explain why. I am familiar with iptables and securing a Linux box, but I am having difficulty explaining why it is better than something I have no experience with (appliances).

That being said the replies so far have still given me some ammo, so thanks to all.

Last edited by jlarsen; 07-01-2008 at 04:31 PM. Reason: typo
 
Old 07-01-2008, 04:50 PM   #6
javaroast
Member
 
Registered: Apr 2005
Posts: 131

The biggest advantage of a Linux firewall over hardware solutions has got to be cost. This is generally the case even when support contracts and such are added into the equation. As mentioned earlier, it is also a relatively inexpensive way to add redundancy by using clusters.

I've found that the flexibility of Linux firewalls is another relative strength. I use a modular bash script to run my rules that makes it relatively easy to add and remove specific rules. This allows me to put repetitive rules into a loop, use variables and utilize the strengths inherent in a scripting language. I've also been able to deal with some very specialized network situations by using Patch-o-Matic-ng.

One area I don't hear mentioned often is that Linux has a wide variety of network tools that can be very useful to a firewall admin. Linux makes it very easy to do things like packet captures that can be brought into Wireshark for evaluation.

The flexibility also applies to the hardware itself. I can relatively easily scale up the system, such as adding additional NICs for additional subnets or scaling up the server hardware for increased performance.

Lastly the availability of documentation for Linux is very useful. The only firewall equipment that comes close to having freely available documentation is Cisco gear. Most times when issues have come up I've found that my problem is not unique. Generally somebody, somewhere has had the issue before me and has documented their solution.

Hardware firewalls do have their advantages as well, so it's a matter of choosing the right tool for the job.
 
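The modular, table-driven ruleset javaroast describes (interfaces and networks in variables, repetitive rules in a loop, conntrack state matching), written out as an added example. This is not javaroast's script or anything from the thread; the topology (eth0 on the WAN side, eth1 on a 192.168.10.0/24 LAN, two management hosts allowed to SSH to the box, HTTPS and OpenVPN exposed on the firewall itself) is assumed for illustration. The script prints the iptables commands so the whole set can be reviewed or diffed before it is loaded; `sh fw.sh apply` as root pipes them into a shell.

```shell
#!/bin/sh
# Added example, not code from the thread: a table-driven iptables ruleset
# in the style javaroast describes. Topology below is a hypothetical
# assumption: eth0 = WAN, eth1 = LAN, LAN is 192.168.10.0/24.
WAN=eth0
LAN=eth1
LAN_NET=192.168.10.0/24
MGMT_HOSTS="192.168.10.5 192.168.10.6"   # may SSH to the firewall from the LAN
WAN_SERVICES="tcp:443 udp:1194"          # proto:port hosted on the firewall

# Every rule goes through rule(), which prints rather than executes, so the
# generated set can be inspected (or diffed against the running config)
# before it touches the kernel.
rule() { printf 'iptables %s\n' "$*"; }

base_policy() {
    rule -F; rule -X; rule -t nat -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    rule -A INPUT -i lo -j ACCEPT
    # Fast path: packets of already-tracked flows are accepted before any
    # other test, so only the first packet of a flow walks the full chain.
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    rule -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Anti-spoofing: LAN source addresses never legitimately arrive on the WAN.
    rule -A INPUT -i $WAN -s $LAN_NET -j DROP
    rule -A FORWARD -i $WAN -s $LAN_NET -j DROP
}

lan_egress() {
    rule -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
    rule -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
}

wan_services() {
    for svc in $WAN_SERVICES; do
        proto=${svc%%:*}
        port=${svc#*:}
        rule -A INPUT -i $WAN -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
    done
}

mgmt_access() {
    for host in $MGMT_HOSTS; do
        rule -A INPUT -i $LAN -s $host -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    done
}

log_and_drop() {
    # Rate-limited log of what the DROP policy is about to discard; the
    # prefix is what a log parser keys on. No trailing DROP rule is needed
    # because the chain policies are already DROP.
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix '"FW-DROP: "'
    rule -A FORWARD -m limit --limit 5/min -j LOG --log-prefix '"FW-DROP: "'
}

gen_rules() {
    base_policy
    lan_egress
    wan_services
    mgmt_access
    log_and_drop
}

if [ "${1:-}" = apply ]; then
    gen_rules | sh -e      # load for real (root); any failing rule aborts
else
    gen_rules              # default: print for review
fi
```

The ordering matters as much as the contents: the ESTABLISHED,RELATED fast path comes before every `--ctstate NEW` rule, so the per-packet cost salasi mentions is paid once per flow rather than once per packet, and the anti-spoofing drops come before any accept. Adding a service is a one-word change to `WAN_SERVICES`.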
Old 07-01-2008, 07:09 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Quote:
Originally posted by javaroast:
The biggest advantage of a Linux firewall over hardware solutions has got to be cost.
"Free" isn't always free; in fact it generally has a hefty, but difficult-to-quantify cost. Don't confuse "hard to quantify" with "free of cost". The most expensive part of just about any application is the Full Time Employees to manage it. This is true of commercial applications as well as Open Source.

Quote:
I've found that the flexibility of Linux [or BSD] firewalls are another relative strength.
This is true, and one of the reasons we choose to build our own firewalls for some tasks where I work, but sometimes the extra flexibility afforded by Open Source-based firewalls just simply isn't needed. In that case, what's the point of paying (and you are paying, in labor costs) for a feature that you don't use? Just something to keep in mind...

Quote:
One area I don't hear mentioned often is that Linux has a wide variety of network tools that can be very useful to a firewall admin. Linux makes it very easy to do things like packet captures that can be brought into WireShark for evaluation.
This functionality is available in most commercial firewalls, in one way or another. There are, however, some uncommon ways you might want to interact with the traffic that are possible with Open Source tools that just aren't typical enough for commercial vendors to take the time to implement, so again this can be true, but not often.

Quote:
The flexibility also applies to the hardware itself. I can relatively easily scale up the system like add additional NICs for additional subnets or scale up the Server hardware for increased performance.
This can be a major factor if you filter a huuuuuge amount of traffic. Going from the entry-level, to the "enterprise-grade" model in commercial appliance is often a matter of tacking on an extra 0 or two to the price tag. Doing so with commodity hardware usually only costs a few thousand dollars.

Quote:
Lastly the availability of documentation for Linux is very useful. The only firewall equipment that comes close to having freely available documentation is Cisco gear. Most times when issues have come up I've found that my problem is not unique. Generally somebody, somewhere has had the issue before me and has documented their solution.
Red herring. All the commercial vendors have extensive documentation. Just because it's not available without a support account to login to their website in all cases doesn't mean it's non-existent. There are also tons of IT forums and mailing lists on the web that handle and archive questions for commercial applications, so there's the same level of "community" support as well.

In fact, recently I was trying to help one of my customers set up our e-mail security software and they were having a problem configuring their firewall correctly. I was able to go to the vendor's website (not Cisco, BTW), search for the model of the firewall, download the documentation, and walk the customer through configuring it in a matter of minutes. The documentation in that case was freely available without a support contract.

Open Source developers could take some pointers from commercial vendors on writing documentation. The vast majority of commercial documentation I've read has been pretty good. On the other hand, I find probably 80% of Linux-related documentation to be awful. It seems like most of the time is spent writing code, and documentation is a total after-thought.

I've had much better experiences with BSD documentation. This is probably also due to the fact that the BSD mentality is to build and support the whole OS, while Linux-based OSes are just the Linux kernel with a hodge-podge of third-party applications thrown in.

Not to nit-pick your reply in particular, but I think it's important to make decisions for the right reasons.
 
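javaroast's point about on-box tooling, and chort's reply that commercial firewalls offer captures too, both concern what an admin can do with the data the firewall already produces. As an added example (not from either poster), here is the kind of quick triage that the standard Linux userland allows over the kernel messages written by an iptables LOG rule. It assumes a rule of the form `iptables -A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "` placed before the chain's DROP policy takes effect; the prefix is an assumption, and the log lines embedded below are constructed for the example, not captured from any real host.

```shell
#!/bin/sh
# Added example, not from the thread: summarize iptables LOG output with
# awk/sort, then flag sources that probed many ports. SAMPLE_LOG is
# constructed test data in the syslog line format netfilter's LOG target
# produces; the "FW-DROP: " prefix is an assumed rule setting.
SAMPLE_LOG='Jul  1 12:01:03 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 12:01:03 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 12:01:04 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=44321 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 12:01:04 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54324 PROTO=TCP SPT=44321 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 12:01:05 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=61 TOS=0x00 PREC=0x00 TTL=57 ID=1001 PROTO=UDP SPT=5353 DPT=53 LEN=41
Jul  1 12:01:06 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=61 TOS=0x00 PREC=0x00 TTL=57 ID=1002 PROTO=UDP SPT=5353 DPT=53 LEN=41
Jul  1 12:01:07 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.4 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jul  1 12:01:09 fw kernel: e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex'

# Read log lines on stdin; print "count proto dport src" for every distinct
# (src, proto, dport) that carries the prefix ($1), most frequent first.
# Lines without the prefix (ordinary kernel messages) are ignored.
summarize_drops() {
    awk -v prefix="${1:-FW-DROP:}" '
        index($0, prefix) == 0 { next }
        {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (proto == "ICMP") dpt = "-"      # no port concept for ICMP
            if (src != "") n[proto " " dpt " " src]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3n -k4,4
}

# Sources that were dropped on more than $2 distinct (proto, port) pairs:
# a crude vertical-scan indicator built on the summary above.
scanners() {
    summarize_drops "${1:-FW-DROP:}" | awk -v limit="${2:-3}" '
        $2 != "ICMP" { ports[$4]++ }
        END { for (s in ports) if (ports[s] > limit) print s }
    ' | sort
}

# Demo on the constructed sample; on a live box feed it the real log, e.g.
#   grep 'FW-DROP:' /var/log/kern.log | summarize_drops | head
#   journalctl -k | scanners FW-DROP: 5
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | scanners
```

On the sample, the top line is the repeated UDP/53 source and the only host crossing the three-port threshold is the one that hit 22, 23, 445 and 3389. For the packet-level view javaroast mentions, `tcpdump -i eth0 -w capture.pcap` on the same box writes a file Wireshark opens directly.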
Old 07-02-2008, 03:58 AM   #8
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Quote:
Originally posted by chort:

Open Source developers could take some pointers from commercial vendors on writing documentation. The vast majority of commercial documentation I've read has been pretty good. On the other hand, I find probably 80% of Linux-related documentation to be awful.
This seems an appropriate point (veering very slightly off topic, I hope you'll forgive me) to say that the iptables documentation at frozentux, http://iptables-tutorial.frozentux.net/, is really very good if you want 'the manual'. A tutorial it's not, so you'd probably want one of those too if you were just starting out, but as a manual I think it's peerless.
 
Old 07-02-2008, 03:44 PM   #9
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 220

I agree documentation on linux firewalls is piecemeal at best. I like building my own firewalls, because it helps me understand the underlying technologies much better.
 
Old 07-03-2008, 09:31 AM   #10
javaroast
Member
 
Registered: Apr 2005
Posts: 131

Quote:
"Free" isn't always free, in fact it generally has a hefty, but difficult-to-quantify cost.
Don't recall mentioning free. I don't really have any corporate firewalls that are free, including my Linux firewalls. All are using supported hardware and a supported OS. The cost of the employees is a wash. Either solution needs those employees, and on top of that it isn't that hard to quantify. In fact we quantify those costs every time we propose a new firewall.

Quote:
Red herring. All the commercial vendors have extensive documentation. Just because it's not available without a support account to login to their website in all cases doesn't mean it's non-existent. There are also tons of IT forums and mailing lists on the web that handle and archive questions for commercial applications, so there's the same level of "community" support as well.

Not a red herring at all. One of the strengths I've found with Linux, and I'll add BSD as well, is that finding information about very specific problems is often easier and cheaper than with dedicated hardware. This can be very important when things go bump in the night. General documentation is a whole separate thing. I would agree that for basic day-to-day items vendor documentation can be decent, but in the real world I've found that vendor documentation ranges from low-level and not very useful to excellent. I would add that this is something to consider when choosing a firewall.

Quote:
Cisco/Bay/Juniper/etc may well be able to achieve a lower power consumption for a given level of performance than 'old server box, hacked about a bit plus linux (or bsd for that matter)', which will be important to some people, but for most they won't give a stuff compared to a lot of what goes on in the enterprise.
This is VERY true and can be a huge consideration these days.
 
Old 07-03-2008, 06:39 PM   #11
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Quote:
Originally posted by javaroast:
Don't recall mentioning free. I don't really have any corporate firewalls that are free including my linux firewalls. All are using supported hardware and a supported OS. The cost of the employees is a wash. Either solution needs those employees and on top of it isn't that hard to quantify. In fact we quantify those costs every time we propose a new firewall.
Free as in the OS, because buying a commercial product includes the hardware & OS/software in the overall price. Employee time is not a wash if you spend more time configuring/maintaining an OSS solution vs. a commercial one. Labor is nearly always going to be the biggest component of any project.

If you assume your network engineers are all proficient in OSS firewall construction/administration, then the time to administer an OSS solution vs. commercial might be the same, but I'll bet you have to pay a lot more for a sysadmin who can write his own firewall in iptables than you have to pay for someone who can configure a Pix/ASA.

Quote:
Not a red herring at all. One of the strengths I've found with linux and I'll add BSD as well is that finding information about very specific problems is often easier and cheaper than with dedicated hardware.
You must be joking. I can Google just about anything related to Microsoft, Cisco, Sonicwall, etc and get an answer in the first page of results, and that's without even bothering to check the vendor-supplied documentation. There are way, way more companies out there using networking products from commercial vendors than there are building their own from scratch.

Also, the people who tend to post HOW-TOs for OSS stuff tend to be home-users, and their experiences are often irrelevant to enterprise configurations. The people who put together OSS-based networks for a living tend to not release the details, since it's done on company time.
 
Old 07-04-2008, 01:13 AM   #12
drokmed
Member
 
Registered: Dec 2005
Location: St Petersburg, FL, USA
Posts: 220

Quote:
Originally posted by chort:
If you assume your network engineers are all proficient in OSS firewall construction/administration, then the time to administer an OSS solution vs. commercial might be the same,
Great point. I'd wager often times the adept OSS engineer would be more proficient, have a deeper understanding, and can bang out a fix much quicker.

Quote:
Originally posted by chort:
but I'll bet you have to pay a lot more for a sysadmin who can write his own firewall in iptables than you have to pay for someone who can configure a Pix/ASA.
I wish that was true, but I suspect it's quite the opposite. Most of these certified "router" engineers make tons of money, and don't necessarily dive down into the nitty gritty detail, like somebody who can manipulate netfilter directly.

An OSS engineer truly adept at writing iptables rules will most likely be smart enough to simplify iptables by using a config tool like Shorewall.

Quote:
Originally posted by chort:
Also, the people who tend to post HOW-TOs for OSS stuff tend to be home-users, and their experiences are often irrelevant to enterprise configurations. The people who put together OSS-based networks for a living tend to not release the details, since it's done on company time.
So true, and so disappointing. Why is that, I wonder? True, pretty much all how-tos are written by the home enthusiast. At least there is professional training information released, such as the IBM Linux training guides. It's a shame "professionals" only contribute by writing a book, to make some bucks. There are on occasion some really good how-tos released by people running production systems, but those seem to be getting fewer and fewer.
 
Old 07-04-2008, 02:26 AM   #13
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Quote:
Originally posted by drokmed:
Great point. I'd wager often times the adept OSS engineer would be more proficient, have a deeper understanding, and can bang out a fix much quicker.
Hence, the price-tag. People who can build things rather than just run things command much higher salaries.

I've worked for vendors for the last 5 years and I've been to a ton of different companies. The highest-paid non-managers are always the ones who can build stuff; companies do not tend to let these type of people leave easily. On the other hand, people who are Microsoft/Cisco/<insert major vendor here> certified are a dime a dozen--there are so many out there, replacing them is pretty painless.

Remember a few years ago when Microsoft was really making a lot of noise about the TCO of Microsoft vs. Linux? This is one of the biggest points they made (and it's valid).

Quote:
I wish that was true, but I suspect it's quite the opposite. Most of these certified "router" engineers make tons of money, and don't necessarily dive down into the nitty gritty detail, like somebody who can manipulate netfilter directly.
You're getting a CCIE confused with a CCNA; they're completely different. CCIEs are few and far between, and every one of them that I've ever met was a near genius--trust me, that is not an easy certification to obtain. A CCNA, on the other hand, you can get at any two-bit community college. Most of the guys running firewalls in your typical company are merely CCNA.

Quote:
So true, and so disappointing. Why is that I wonder?
Because it's the home-enthusiasts without demanding jobs that have the time to tinker for hours on end with their own systems, and then have the time to write about it.

People who actually have to do this stuff for a living are way too busy to write about it, plus their work is often considered "company secrets" and whether it really is a secret or not, most employees are rightfully a bit timid to post work-related information without permission.

There are a few categories of professionals who do post their work regularly, particularly employees who have evangelism as part of their job description (e.g. IBM architects), or consultants who want to provide evidence of their skill to attract business.

Anyway, it basically boils down to: If you're already paying someone to be really smart and build things, they might as well go ahead and build a firewall since they can. If you're just trying to squeeze your budget by doing as many things yourself as you can, trying to write your own firewall is probably not the best way to do that.

Last edited by chort; 07-04-2008 at 01:57 PM. Reason: spelling
 
Old 07-04-2008, 11:52 AM   #14
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Quote:
Originally posted by chort:

Because it's the home-enthusiasts without demanding jobs that have the time to tinker for hours on end with their own systems, and then have the time to write about it.

People who actually have to do this stuff for a living are way too busy to write about it, plus their work is often considered "company secrets" and whether it really is a secret or not, most employees are rightfully a bit timid to post work-related information without permission.

There are a few categories of professionals who do post their work regularly, particularly employees who have evangelism as part of their job description (e.g. IBM architects), or consultants who want to provide evidence of their skill to attract business.

Any way, it basically boils down to: If you're already paying someone to be really smart and build things, they might as well go ahead and build a firewall since they can. If you're just trying to squeeze your budget by doing as many things yourself as you can, trying to write your own firewall is probably not the best way to do that.
In my experience (and referencing past discussions with coworkers), the main reason is because companies tend to claim intellectual property rights over any solution that an employee implements. I've heard more than one rant by a coworker about the company trying to 'neuter' or 'screw' them. One person actually is a FOSS developer. The company went after him when it was discovered that he'd released his project to the masses, never mind that he didn't divulge any company knowledge. Several others want to do the same but aren't willing to be hounded by the corporation.

And it doesn't often matter about the size of the company either. This happened when the company was small. It was later bought by a HUGE provider. The buyer had the same policy.
 
Old 07-27-2008, 12:45 PM   #15
jag2000
Member
 
Registered: Sep 2003
Location: Ohio
Distribution: Ubuntu 12.04
Posts: 315
I have used both Sonicwall TZ170W/TZ180W and Netscreen SSG 5 and SSG 20.
At home I have a TZ170W and a Netscreen SSG 5.
I have been playing with firewall distros constantly. For some reason I keep going back to pfSense 1.2.

I mostly use the hardware routers for wireless since it's built in. I guess it's just fun to use a distro and learn another Linux or BSD firewall. It keeps my mind fresh.
It really depends on if you have a budget to stick by and how many people this will service. I just have around 3 to 4 PCs at a time at home on my LAN.
I need wireless at home for my laptop that I use for work.
I have tested m0n0wall, Endian, Smoothwall Express and a few others.
 
  

