Linux vs Commercial Firewalls?

Posted on 1999-11-02
Medium Priority
Last Modified: 2010-03-18
I'm looking for any feedback from users who have done studies or research on why someone would buy a commercial Firewall product such as CheckPoint or Raptor rather than using a properly configured Linux server running ipchains and other firewall tools such as portsentry (http://www.psionic.com/abacus/portsentry/).

Any feedback would be appreciated.

Question by:hbrady

Accepted Solution

svindler earned 30 total points
ID: 2178453
AFAIK there are no free firewalls that have state information. This makes it hard to support UDP- and ICMP-based protocols without opening up a range of ports.
The management software is generally more user-friendly on the commercial firewalls. This can be an issue, as most users only reconfigure the firewall up to a few times each year, maybe even only once in the firewall's lifetime.
Third-party software to analyze log files is more easily found for the commercial packages.
It is still easier to find people with experience on the commercial firewalls.
The vendors provide courses to give you in-depth knowledge of security issues and how to deal with them using the firewall.
Some of the commercial firewalls have management software that can handle hundreds of firewalls using a network-centric view instead of a firewall-centric view.
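A toy model of the state table this answer is talking about, added here as an illustration and not code from the original thread or from any firewall product: an outbound UDP datagram creates a table entry, only the matching reply is let back in, and an application helper can pinhole a single negotiated port the way the RealAudio handling described later in the thread does. All hosts, ports and timings are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str     # "udp" or "icmp"
    src: str
    sport: int     # for ICMP echo, put the echo identifier in both port fields
    dst: str
    dport: int
    inbound: bool  # True when the packet arrives from the untrusted side


class StatefulFilter:
    """Connection-tracking table: outbound traffic creates an entry, inbound
    traffic is admitted only if it is the reply to a live entry."""

    def __init__(self, timeout=30):
        self.timeout = timeout
        self.table = {}  # (proto, inside, iport, outside, oport) -> expiry time

    def add_pinhole(self, proto, inside, iport, outside, oport, now):
        # Application-aware helper: open exactly the announced flow, not a port range.
        self.table[(proto, inside, iport, outside, oport)] = now + self.timeout

    def filter(self, p, now):
        self.table = {k: t for k, t in self.table.items() if t > now}  # expire
        if not p.inbound:
            self.table[(p.proto, p.src, p.sport, p.dst, p.dport)] = now + self.timeout
            return True
        # an inbound reply has the addresses and ports of the entry reversed
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.table


def stateless_allows(p):
    """ipchains-style rule without state: accept any inbound UDP to an unprivileged port."""
    return p.inbound and p.proto == "udp" and p.dport >= 1024


def demo():
    # constructed hosts, ports and times; not captured traffic
    client, dns, stranger, media = "10.0.0.5", "192.0.2.53", "198.51.100.9", "203.0.113.7"
    f = StatefulFilter(timeout=30)
    query = Pkt("udp", client, 40000, dns, 53, inbound=False)
    reply = Pkt("udp", dns, 53, client, 40000, inbound=True)
    stray = Pkt("udp", stranger, 53, client, 40001, inbound=True)  # unsolicited
    f.filter(query, now=0)
    r = {"reply_stateful": f.filter(reply, now=1), "reply_stateless": stateless_allows(reply),
         "stray_stateful": f.filter(stray, now=2), "stray_stateless": stateless_allows(stray)}
    # RealAudio-style stream: UDP ports negotiated on a control channel, pinholed by a helper
    f.add_pinhole("udp", client, 6970, media, 7070, now=3)
    r["stream_stateful"] = f.filter(Pkt("udp", media, 7070, client, 6970, True), now=4)
    r["late_reply"] = f.filter(reply, now=40)  # entry expired, so the reply is dropped
    return r
```

The stateless rule admits both the real DNS reply and the unsolicited datagram, while the state table admits only the reply and only while its entry is still live.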

Author Comment

ID: 2180104
So the long and short of it is:

Cheap = Difficult
Expensive = Easy

Makes sense! Thanks for the feedback.

Expert Comment

ID: 2180136
There is still the issue of stateful firewalling, which is an important technical issue.
Some protocols like RealAudio also need to be specially handled if you want maximum security.
RealAudio establishes a TCP connection where the client and server exchange information on which UDP ports will be opened. The Cisco PIX firewall looks for this exchange and then allocates ports for each client and modifies the packets sent to the server.
Most commercial firewalls also handle randomization of TCP sequence numbers to minimize the risk of spoofing. This would require a proxy service on a free Linux setup.

Expert Comment

ID: 7527453
I haven't worked with or seen a Cisco to say that Unix/Linux is better. I've read that Cisco's IOS can be much faster than a 'nix system.

That all depends on your knowledge and expertise on both.

What I would like to say is that I have a FreeBSD router set up as my gateway to my DSL via PPPoE, and it works every time I boot up the system (not from crashing, but testing).

I can say that given the right hardware configuration, meaning, starting from the basics, disabling unused features of the BIOS, having a Pentium II or III with 512 cache, 66-100 MHz front-side bus, and a 7200 rpm hard drive, with anywhere from 256 MB to 1 GB of RAM, and creating a kernel that will ignore any unused or unnecessary services, can make a very fast kernel.

I really believe that someone out there can compile their kernel to be comparable to Cisco's IOS, and of course with expertise in Perl, C, C++, and/or Java, they can design software to manage and control firewall rules just as easily as a commercial vendor.

Of course, this is a lot of work and limited to a few of us who either know how to do it or want to follow the "hard path". In the long run it can be beneficial because you have full control and can avoid public exploits to your design, plus it can be a long-term investment. My FreeBSD router only runs at 33 MHz, and my CPU is a 486 Cyrix with 32 megs of RAM. I have not ever seen any system, even my other Linux machines with better hardware, reply so fast to a ping to any remote or local machine.

On the other hand, not everyone has the time to invest in this. From what I know and understand, Cisco specializes in this; they put a lot of time and effort into their product to make it simple for people to use.

I am all for UNIX/Linux, and I intend on figuring out an alternative to Cisco and other commercial vendors that will provide more than just a "cheaper" solution, but is just as quick, and maybe even faster and more robust than what Cisco has to offer.
