Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 11-20-2006, 08:23 AM   #1
Registered: Sep 2005
Posts: 851

Rep: Reputation: 30
Linux Firewall Vs Firewall Appliance

Can someone tell me which is better, to buy a firewall appliance or to setup a Linux Firewall? I've been using IPCop for almost a year now. Though I must admit that I don't fully understand security vulnerabilities nor do I know whether my IPCop box is strong enough to withstand intrusions. I am still confused whether to use a firewall appliance or setup a linux-based firewall. Which is better? Well, I suppose setting up a linux firewall is less expensive and even free. But what are the pros and cons? I mean other companies invest too much on hardware appliance such as Cisco and Nokia. What do they get from buying this expensive hardware when a linux firewall exists. Hope someone can shed me some light into this. Another question I've been asking is that how can I make my IPCop do snort inline? Is snort inline safe?
Old 11-20-2006, 12:30 PM   #2
HCL Maintainer
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 76
This is how I see it: both can give you basic firewall security.

The advantage a the blackbox-firewall (at least a consumer-grade one i.e., not a cisco) is that they're made pretty idiot proof. You'd have to try hard to make yourself vulnerable. With a linux firewall, it would be rather easy to make yourself vulnerable (e.g., by leaving out one small yet crucial line or similar) especially if you don't know what's going on.

On the other hand, a linux-based firewall (netfilter) is infinitely customizable compared to a store-bought one. For example, you can filter based on how often you see a potential attacker (with the recent module), detect and block portscans (psd module), use the TARPIT target to slow down zombies, mark packets from different protocols that will later be throttled with tc (you might want to give www browsing medium priority, p2p lower priority, and realtime protocols such as SIP or h323 higher priority), and a whole lot more things (basically, if you can think of it, it's probably doable. if it isn't, it is probably easy enough to code or get someone to code). Some of these things might be possible on the more expensive appliance-type firewalls, but there is clearly a flexibility advantage when using netfilter.

NP later...
Old 11-20-2006, 12:55 PM   #3
LQ Guru
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
Also if you buy a "hardware-firewall", it's a box which you use and that's pretty much it; it has a configuration tool of some kind, but updating it isn't probably the easiest thing to do. Updating iptables (or netfilter if you like) is probably much less a pain and if you consider how much iptables has grown in a short period of time, and how much hardware firewall boxes have, you can see the difference. It's just that, as osor said, with iptables you need to know what to do.

Another thing to think about is this: a hardware firewall box is a separate device and thus a bit less easier to break. If you had a Linux firewall that lied on one of your servers, cracking the server some way or other would let the cracker deal with the firewall too; this isn't the case with an external firewall. You can put your Linux firewall in a separate box, yes, but it's more expensive - and nevertheless it probably has more than just iptables installed, so it's got more breaking points than just the firewalling software. Hardware firewall boxes too have more in their software than just the firewall, but I believe (or actually hope) that they are better sealed from the beginning (again, you can make your Linux firewall box safer, but it takes some work).

Shortly said, I see nothing that you could do with a Cisco firewall box or some other hardware box that you couldn't achieve with a Linux firewall; then again, most of the things you'll do with firewalls ask for (even much) more work on Linux than if you were using a hardware firewall. Both are surely breakable, it's just the question: how much money are you ready to pay for the safest solution, and how much time can you consume in getting it work? If configuring a Linux firewall takes a year and means buying new hardware, perhaps a lot, some think it's easier to just go to store and byu one of those "ready" boxes, plug it in, spend a day or two tweaking it's settings and let it roll.

Like I said, it's just the question about time and money - and their relation.
Old 11-20-2006, 02:27 PM   #4
Registered: Jul 2006
Distribution: Debian Testing
Posts: 299

Rep: Reputation: 30
Looking at these posts, do you know that IPcop is a firewall distro, so its a hardware firewall and quite idiot proof unless you drop to the command line or forward the wrong port.
Old 11-20-2006, 02:55 PM   #5
LQ Newbie
Registered: Nov 2006
Distribution: Debian Etch
Posts: 8

Rep: Reputation: 0
Originally Posted by depam
Can someone tell me which is better, to buy a firewall appliance or to setup a Linux Firewall?
I think they both have their pros and cons. A build your own firewall could be totally free, but the setup and configuration is time consuming. On the other hand the pre-built firewall is expensive (not to mention the sky high annual support and upgrade fees some have) but fairly easy to setup.

Originally Posted by depam
I've been using IPCop for almost a year now. Though I must admit that I don't fully understand security vulnerabilities nor do I know whether my IPCop box is strong enough to withstand intrusions. I am still confused whether to use a firewall appliance or setup a linux-based firewall.
I would suggest getting a couple of books on securing linux. Or just look around the net for configs on securing IPCOP. I have been working for a couple of weeks on setting up a firewall for my company. I was leaning toward purchasing a pre-built until I found that none will do everything I want it too. So, I figured I would "try" and build my own. I am currently testing it from home before plugging in at the office. I have found there to be plenty of info on setting up your own, not to mention great sites like On the other hand a pre-built firewall usually comes with some sort of tech support so you really don't have to know a lot.

As far as you IPCOP goes you might want to run some test from behind it to see how secure.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
BSD Firewall vs Linux Firewall ? rootlinux Linux - Security 5 08-29-2007 08:38 AM
router billion 5102 has firewall and software firewall tests aus9 Linux - Security 6 12-31-2006 11:09 PM
Linksys & Firewall for Webserver Appliance bluefish1 Linux - Networking 8 04-07-2004 10:53 AM
Firewall Builder sample firewall policy file ? (.xml) nuwanguy Linux - Networking 0 09-13-2003 01:32 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:27 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration