LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-23-2004, 02:39 PM   #1
saintbyrd
LQ Newbie
 
Registered: Jul 2003
Posts: 2

Rep: Reputation: 0
Linux Firewall or Appliances for more then small office


If this is an obvious topic and that's why I can't find good sources, my apologies.

Does anyone know how a firewall device performs compared to a linux system running iptables and doing bridging? (This is for webhosting type networks with a T1 - not too big, but not a business office ISDN line either).

I have experience with a GNAT box which is an okay firewall/NAT/Router appliance, but it's webinterface is lacking, and it'd be nice to have a box that I could ssh into, do advanced logging, sniffing or even mail scanning stuff. Now that I've used the Sentry Firewall distro to make a transparent bridge/firewall system, it seems like that's the way to go.

I assume that since just about every web page I find discussing this avenue are marred with the "For the small business" or "Office" that there's some real performance issue that puts it out of the question.

Note: I've read through (somewhat) Linux advanced routing and traffic control pages so that I know it's possible. I just haven't seen the cut and dry page that says that people "Should" build their own firewalls for medium internet businesses if their able, and here's a list of hardware that works well.

Can anyone help in this discussion, or point me to the definitive forum/website for people who'd rather use linux and spend time on the learning curve then big bucks on a proprietary interface that naturally has shortcomings?
 
Old 01-26-2004, 09:09 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Hmmm, you've kind of answered you question yourself..

The reason a custom solution is better is exactly as you have mentioned, lack of facilities...
You get the chance to add/remove whatever you like...

The downside of a custom solution, is it doing enough?
I would expect a company like Cisco to know what they are doing, which is why I install antivirus software and personal firewalls on workstations.
If I don't, I get to clear up the mess later...
So, Cisco & many others do know what they are doing, but do you know if it good enough??? Hmmm???

Without auditing their systems (do you know what to look for even?), it's a guess they are doing what you want...
So I like custom solutions, once I am sure I know what I am doing..
Until then, I recommend learning quickly, and the fastest tool is information, IDS logs, packet sniffers/loggers, firewall logs, proxy logs etc, & a good source of documentation.

I suggest you have a good look at the snort project, snort-inline and even hogwash to get an idea of how attacks are crafted and how to structure (many levels) protection.

As far as the speed is concerned, snort on a T1 wouldn't be a challenge.
It is quite processor heavy, which is why HogWash and others were developed.. but it handles much faster LANs than a T1 can feed data.

I personally favour the "inline" filters, (even if it's just for logging). They can be built as ethernet bridges so physical installation is a breeze..

Last edited by peter_robb; 01-26-2004 at 09:14 AM.
 
Old 01-26-2004, 10:48 AM   #3
saintbyrd
LQ Newbie
 
Registered: Jul 2003
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks

Thanks for your reply...

It was a poorly formed question. I know how to monitor networks and stuff, but I have never really worried about performance because I was always in control of the environment. Now that I have to install solutions for customers, I was looking for the soothing HOWTO out there that fit my exact situation.

I guess that people who know enough to put a linux router in don't need to ask the question "Does it perform well" because they do the benchmarking.

For anyone else who has this question, I came across this site:
Linux Advanced Routing & Traffic Control

where they discuss (as you might expect) advanced stuff. And while there are some optimization threads in their mailing list, it's only for some heavy hitting stuff (gigabit networking and getting good throughput with thousands and thousands of iptables rules) - so I'm more then all set when talking about maintain some 500-600 lan/wan computers on a firewalled network and a dmz serving to the internet.

Also as a reference for anyone who thinks like I do (good luck) and doesn't find stuff quickly, it took me a long time to find out how to drop in a transparent firewall because I was looking for the wrong search terms.

Search on Transparent Bridge and Firewalling. In linux there's a cool brctl command that allows you to create a virtual network device while leaving two or more adapters in promiscous mode.

www.sentryfirewall.com is a good tool to solidify some network concepts that remain abstract until you actually put a box in and mess with your lan.
 
Old 01-26-2004, 11:36 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
What I like about that kind of setup is the ability to bridge & intercept ethernet frames as well as link them to an IP layer and filter with iptables at the same time...

I'm just sorting out proxying as a pass thru at the moment...

It Rocks...!!
 
Old 01-26-2004, 12:09 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
I don't think performance is a worry at all. Firewalls are typically limited by their bus speed and the speed of the NICs. Many enterprise firewall appliances are built on reletively low-end Celeron CPUs with not a lot of RAM (in the 128MB neigborhood).

The reason Linux firewalls are pegged as "Small Office/Home Office" is because of two things a) low cost b) low quality. Before everyone gets up in arms about point b, think about it. If it was so easy to just through a packet filter on a box and call it good, why didn't Sun do this a long time ago (actually, I hear they may have, but the fact that I've never seen it in a single data center is telling), why isn't Microsoft's ISA server better regarded? In fact, there are a few Linux-based commercial firewalls available, but none of them are rated very highly.

The fact is that years of research and developement go into firewalls and years of experience give a definite advantage. For you or I to come along and just write a firewall from scratch, there are bound to be errors and also many things that work, but could be done a lot better. That's what you buy when you get a commercial firewall, not just the features, but the history that company has put into the product and all the bugs and vulnerabilities they have already found and corrected. Also, the well respected hardware firewalls like PIX and Netscreen have the additional advantage of no moving parts (other than their fans), whereas you would have to put a lot of work into a PC-based firewall to remove harddrive, the reliance on a PSU fan, etc...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
New small office network help needed tazagul Linux - Networking 2 06-05-2005 10:35 AM
Visitors to my small office+Inventory sanw2k Programming 1 04-03-2005 05:06 PM
small office solution - need help hellblade Linux - Enterprise 2 11-23-2004 06:31 AM
Is Linux right for small office network? glenn69 Linux - Networking 1 07-30-2004 12:59 AM
networking small office Galorin Linux - Networking 9 05-08-2003 06:04 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:40 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration