hbrady

asked on

Linux vs Commercial Firewalls?

I'm looking for any feedback from users who have done studies or research on why someone would buy a commercial Firewall product such as CheckPoint or Raptor rather than using a properly configured Linux server running ipchains and other firewall tools such as portsentry (http://www.psionic.com/abacus/portsentry/).

Any feedback would be appreciated.

ASKER CERTIFIED SOLUTION
svindler

hbrady

ASKER

So the long and short of it is :

Cheap = Difficult
Expensive = Easy

Makes sense !  Thanks for the feedback.
There is still the issue of stateful firewalling, which is an important technical issue.
Some protocols like RealAudio also need to be specially handled if you want maximum security.
RealAudio establishes a TCP connection where the client and server exchange information on which UDP ports will be opened. The Cisco PIX firewall looks for this exchange and then allocates ports for each client and modifies the packets sent to the server.
Most commercial firewalls also handle randomization of TCP sequence numbers to minimize the risk of spoofing. This would require a proxy service on a free Linux setup.
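The stateful-filtering and RealAudio port-negotiation points above, as an added illustration that is not code from this thread or from any firewall product: a toy Python packet filter that compares an ipchains-style stateless ruleset with a connection-tracking filter that also watches the control channel and opens only the negotiated UDP port, the way the comment describes the PIX behaving. The packet trace, the 10.0.0.0/8 inside network, the port numbers and the `UDP-PORT <n>` control-message format are all constructed for the example.

```python
"""Toy stateful packet filter with a RealAudio-style control-channel helper.

Added example, not from the thread.  Everything here (addresses, ports,
the "UDP-PORT <n>" message) is constructed for illustration.
"""
from dataclasses import dataclass


def is_inside(ip: str) -> bool:
    """Hypothetical inside network: 10.0.0.0/8."""
    return ip.startswith("10.")


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN: a new connection attempt
    payload: str = ""


def stateless_filter(pkt: Packet) -> bool:
    """ipchains-style rules with no memory of earlier packets.

    Outbound traffic is allowed.  To let replies back in, every
    unprivileged inbound port has to be open, so unsolicited inbound
    traffic to any high port is allowed too.
    """
    if is_inside(pkt.src):
        return True
    return pkt.dport >= 1024


class StatefulFilter:
    """Tracks outbound flows and admits only matching return traffic."""

    def __init__(self) -> None:
        # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.flows: set[tuple] = set()
        # (proto, inside_ip, inside_port) pinholes opened by the helper
        self.pinholes: set[tuple] = set()

    def accept(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            self._control_channel_helper(pkt)
            return True
        # Inbound: only a reply to a known flow, or a helper-opened pinhole.
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.flows:
            return True
        return (pkt.proto, pkt.dst, pkt.dport) in self.pinholes

    def _control_channel_helper(self, pkt: Packet) -> None:
        # Constructed control message: client tells the server on TCP/7070
        # which UDP port it will listen on.  Open just that port.
        if pkt.proto == "tcp" and pkt.dport == 7070 and pkt.payload.startswith("UDP-PORT "):
            port = int(pkt.payload.split()[1])
            self.pinholes.add(("udp", pkt.src, port))


# Constructed packet trace: a media session plus two unsolicited inbound packets.
CLIENT, SERVER, STRANGER = "10.0.0.5", "203.0.113.9", "198.51.100.7"
TRACE = [
    Packet("tcp", CLIENT, 40001, SERVER, 7070, syn=True),          # control channel opens
    Packet("tcp", SERVER, 7070, CLIENT, 40001),                    # server reply
    Packet("tcp", CLIENT, 40001, SERVER, 7070, payload="UDP-PORT 6970"),  # port negotiation
    Packet("udp", SERVER, 7071, CLIENT, 6970),                     # media on negotiated port
    Packet("tcp", STRANGER, 40000, CLIENT, 6000, syn=True),        # unsolicited inbound TCP
    Packet("udp", STRANGER, 40000, CLIENT, 6971),                  # unsolicited inbound UDP
]


def evaluate(trace: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (stateless_decision, stateful_decision) for every packet."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.accept(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRACE, evaluate(TRACE)):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={stateless} stateful={stateful}")
```

The last two packets are the point: the stateless ruleset has to pass them because it cannot tell a reply from an unsolicited packet, while the stateful filter admits the media stream only on the one UDP port announced on the control channel and drops everything else.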
I haven't worked with or seen a Cisco to say that Unix/Linux is better. I've read that Cisco's IOS can be much faster than a 'nix system.

That all depends on your knowledge and expertise on both.

What I would like to say is that I have a FreeBSD router set up as my gateway to my DSL via PPPoE, and it works every time I boot up the system (not from crashing, but testing).

I can say that, given the right hardware configuration (meaning, starting from the basics: disabling unused features of the BIOS, having a Pentium II or III with 512 cache, a 66-100 MHz frontside bus, a 7200 rpm hard drive, and anywhere from 256 to 1 GB of RAM) and creating a kernel that will ignore any unused or unnecessary services, you can make a very fast kernel.

I really believe that someone out there can compile their kernel to be comparable to Cisco's IOS, and of course with expertise in Perl, C, C++, and/or Java, they can design software to manage and control firewall rules just as easily as a commercial vendor.

Of course, this is a lot of work and limited to a few of us who either know how to do it or want to follow the "hard path". In the long run it can be beneficial because you have full control and can avoid public exploits to your design, plus it can be a long-term investment. My FreeBSD router only runs at 33 MHz, and my CPU is a 486 Cyrix with 32 megs of RAM. I have not ever seen any system, even my other Linux machines with better hardware, reply so fast to a ping to any remote or local machine.

On the other hand, not everyone has the time to invest into this. From what I know and understand, Cisco specializes in this; they put a lot of time and effort into their product to make it simple for people to use.

I am all for UNIX/Linux, and I intend on figuring out an alternative to Cisco and other commercial vendors that will provide more than just a "cheaper" solution, but is just as quick, and maybe even faster and more robust than what Cisco has to offer.