Linux vs. Commercial Firewalls?

I'm looking for any feedback from users who have done studies or research on why someone would buy a commercial Firewall product such as CheckPoint or Raptor rather than using a properly configured Linux server running ipchains and other firewall tools such as portsentry (http://www.psionic.com/abacus/portsentry/).

Any feedback would be appreciated.

hbradyAsked:
svindlerCommented:
AFAIK there are no free firewalls that have state information. This makes it hard to support UDP- and ICMP-based protocols without opening up a range of ports.
The management software is generally more user-friendly on the commercial firewalls. This can be an issue, as most users only reconfigure the firewall up to a few times each year, maybe even only once in the firewall's lifetime.
Third-party software to analyze log files is more easily found for the commercial packages.
It is still easier to find people with experience on the commercial firewalls.
The vendors provide courses to give you in-depth knowledge of security issues and how to deal with them using the firewall.
Some of the commercial firewalls have management software that can handle hundreds of firewalls using a network centric view instead of a firewall centric view.
hbradyAuthor Commented:
So the long and short of it is:

Cheap = Difficult
Expensive = Easy

Makes sense! Thanks for the feedback.
svindlerCommented:
There is still the issue of stateful firewalling which is an important technical issue.
Some protocols like RealAudio also need to be specially handled if you want maximum security.
RealAudio establishes a TCP connection where the client and server exchange information on which UDP ports will be opened. The Cisco PIX firewall looks for this exchange and then allocates ports for each client and modifies the packets sent to the server.
Most commercial firewalls also handle randomization of TCP sequence numbers to minimize the risk of spoofing. This would require a proxy service on a free Linux setup.
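The two points svindler raises above (a stateless packet filter has no memory, so admitting UDP/ICMP replies means holding open a port range, and a protocol like RealAudio that negotiates its UDP ports over a TCP control channel needs the firewall to watch that channel) can be shown with a toy filter. The following is an added example written for this page; it is not code from the thread, from ipchains, or from the PIX. The addresses, ports, the control-channel port 7070 and the "UDP-PORT n" message syntax are all constructed for the demo, and the "ALG" is a stand-in for the PIX behaviour described, not real RealAudio (PNA) parsing.

```python
# Added example (not from the original thread): an ipchains-style stateless
# rule set beside a stateful one, run over constructed traffic. All hosts,
# ports and the "UDP-PORT n" control syntax are made up for the demo.
from collections import namedtuple

# payload is only consulted by the toy ALG on the TCP control channel
Packet = namedtuple("Packet", "t proto src sport dst dport inbound payload")

INSIDE = "10.0.0.5"        # the protected host behind the filter
UDP_TIMEOUT = 30.0         # seconds a UDP/ICMP flow stays in the table after its last packet


def stateless_allows(pkt):
    """ipchains-style rules: no memory of earlier packets, so to let DNS or
    RealAudio replies in you must leave a whole range of unprivileged UDP
    ports open to any outside source. ICMP replies are simply dropped here."""
    if not pkt.inbound:
        return True
    return pkt.proto == "udp" and 1024 <= pkt.dport <= 65535


class StatefulFilter:
    """Inbound packets are accepted only if they belong to a flow opened from
    the inside, or one announced on a tracked control channel."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.table = {}      # flow key -> time of last packet seen
        self.timeout = timeout

    @staticmethod
    def key(pkt):
        # canonical key: (proto, inside host, inside port, outside host, outside port)
        if pkt.inbound:
            return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def expect(self, proto, inside, iport, outside, oport, now):
        """Pre-open one flow the control channel told us about (a RELATED entry)."""
        self.table[(proto, inside, iport, outside, oport)] = now

    def allows(self, pkt):
        self._expire(pkt.t)
        k = self.key(pkt)
        if not pkt.inbound:
            self.table[k] = pkt.t         # outbound traffic creates/refreshes state
            self._toy_alg(pkt)
            return True
        if k in self.table:
            self.table[k] = pkt.t         # reply to a tracked flow: refresh and accept
            return True
        return False                      # unsolicited, misdirected or stale: drop

    def _toy_alg(self, pkt):
        # Stand-in for the PIX behaviour: watch the outbound TCP control channel
        # for the UDP port the client asks the server to stream to, and open
        # exactly that one flow instead of a port range. Syntax is invented.
        if pkt.proto == "tcp" and pkt.dport == 7070 and pkt.payload.startswith("UDP-PORT "):
            port = int(pkt.payload.split()[1])
            self.expect("udp", pkt.src, port, pkt.dst, pkt.dport, pkt.t)

    def _expire(self, now):
        for k in [k for k, last in self.table.items() if now - last > self.timeout]:
            del self.table[k]


DNS, NS, EVIL, MEDIA = "192.0.2.53", "192.0.2.1", "198.51.100.9", "203.0.113.20"

SAMPLE = [  # constructed traffic, in time order; ICMP uses the echo id as its "port"
    ("dns query",            Packet(0.0, "udp", INSIDE, 5353, DNS, 53, False, "")),
    ("dns reply",            Packet(0.1, "udp", DNS, 53, INSIDE, 5353, True, "")),
    ("nfs probe",            Packet(0.2, "udp", EVIL, 31337, INSIDE, 2049, True, "")),
    ("forged dns reply",     Packet(0.3, "udp", DNS, 53, INSIDE, 5354, True, "")),
    ("ping request",         Packet(1.0, "icmp", INSIDE, 7, NS, 7, False, "")),
    ("ping reply",           Packet(1.1, "icmp", NS, 7, INSIDE, 7, True, "")),
    ("realaudio setup",      Packet(2.0, "tcp", INSIDE, 40001, MEDIA, 7070, False, "UDP-PORT 6970")),
    ("realaudio stream",     Packet(2.5, "udp", MEDIA, 7070, INSIDE, 6970, True, "")),
    ("stream to other port", Packet(2.6, "udp", MEDIA, 7070, INSIDE, 6971, True, "")),
    ("late dns reply",       Packet(60.0, "udp", DNS, 53, INSIDE, 5353, True, "")),
]


def run_sample(packets=SAMPLE):
    """Return {name: (stateless_verdict, stateful_verdict)} for the sample traffic."""
    sf = StatefulFilter()
    return {name: (stateless_allows(p), sf.allows(p)) for name, p in packets}


if __name__ == "__main__":
    verdict = lambda ok: "ACCEPT" if ok else "DROP"
    for name, (sl, st) in run_sample().items():
        print(f"{name:22} stateless={verdict(sl):7} stateful={verdict(st)}")
```

Running it shows the trade-off in one screen: the stateless rules admit the NFS probe, the forged reply to the wrong port, the stream sent to a port the client never asked for, and a reply arriving long after the query, while dropping the legitimate ping reply; the stateful table accepts only the replies that match an entry it created, and ages entries out.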
DarXTudenTCommented:
I haven't worked with or seen a Cisco, so I can't say that Unix/Linux is better. I've read that Cisco's IOS can be much faster than a 'nix system.

That all depends on your knowledge and expertise on both.

What I would like to say is that I have a FreeBSD router set up as my gateway to my DSL via PPPoE, and it works every time I boot up the system (not from crashing, but testing).

I can say that given the right hardware configuration, meaning, starting from the basics, disabling unused features of the BIOS, having a Pentium II or III with 512 cache, a 66 - 100 MHz front-side bus, and a 7200 RPM hard drive, with anywhere from 256 MB to 1 GB of RAM, and creating a kernel that will ignore any unused or unnecessary services, you can make a very fast kernel.

I really believe that someone out there can compile their kernel to be comparable to Cisco's IOS, and of course with expertise in Perl, C, C++, and/or Java, they can design software to manage and control firewall rules just as easily as a commercial vendor.

Of course, this is a lot of work and limited to a few of us who either know how to do it or want to follow the "hard path". In the long run it can be beneficial because you have full control and can avoid public exploits to your design, plus it can be a long-term investment. My FreeBSD router only runs at 33 MHz, and my CPU is a Cyrix 486 with 32 MB of RAM. I have not ever seen any system, even my other Linux machines with better hardware, reply so fast to a ping to any remote or local machine.

On the other hand, not everyone has the time to invest in this. From what I know and understand, Cisco specializes in this; they put a lot of time and effort into their product to make it simple for people to use.

I am all for UNIX/Linux, and I intend on figuring out an alternative to Cisco and other commercial vendors that will provide more than just a "cheaper" solution, but is just as quick, and maybe even faster and more robust, than what Cisco has to offer.