Posted on 2006-04-14
I am the sys-admin for a smallish web-hosting company and I am having a bit of a choice problem when it comes to a firewall/VPN/router.
My options are to go with a boxed hardware firewall/router (like a Cisco 1041, WatchGuard X700, D-Link DFL-1000, etc.)
or to go with a Linux server using iptables.
All my servers are in a DMZ, and I do NATing and port forwarding into the DMZ
(basically I run mail on one server and web on another, so I would forward port 80 to server1 and ports 25/110/143 to server2).
Here is my problem:
The hardware solution appeals to me more, because you are using a product which is designed for that exact purpose, it allows us to manage our own bandwidth to each server, and the firewalling is nice and easy going. I believe it provides better IDS support than a Linux box. But you can't really analyze the traffic like you can on a Linux box, where you can run something like ss and Squid and Ethereal and actually see exactly where the traffic is going and so on (or can you? and on what product?). Also I think this solution lacks a lot in the way of graphing and what exactly you can graph.
The Linux solution: I can use iptables to obviously NAT and PAT traffic, but it just doesn't have the "stability", so to speak, of a boxed solution.
For example, a Linux box can get hacked a lot quicker than most hardware firewall/routers.
Also, bandwidth shaping on a Linux box is a bit of a headache, and I always seem to have issues with it.
In your "expert" opinion, what would be the best solution to go with, and why?
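For reference, here is what the iptables side of the layout described in the post (one firewall/router, a DMZ behind it, port 80 forwarded to the web server and 25/110/143 to the mail server) looks like as a reviewable ruleset. This is an added example, not code from the original post or from any of the products named in it. The interface names eth0/eth1, the DMZ range 192.168.10.0/24 and the server addresses are assumptions; adjust them to the real network. The ruleset is emitted in iptables-restore format so it can be read and diffed before it is loaded, with DROP policies on INPUT and FORWARD so that only the explicitly forwarded ports can reach the DMZ.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal NAT + port-forward
# ruleset for a Linux firewall/router with a public interface and a DMZ
# interface. Interface names and the 192.168.10.0/24 addresses are assumed.
set -u

WAN_IF="${WAN_IF:-eth0}"               # public-facing interface (assumed)
DMZ_IF="${DMZ_IF:-eth1}"               # interface into the DMZ (assumed)
DMZ_NET="${DMZ_NET:-192.168.10.0/24}"  # DMZ address range (assumed)
WEB="${WEB:-192.168.10.1}"             # server1: web (port 80)
MAIL="${MAIL:-192.168.10.2}"           # server2: mail (SMTP/POP3/IMAP)

# Print the ruleset in iptables-restore(8) format. Lines beginning with '#'
# are accepted as comments by iptables-restore.
dmz_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port-forward (DNAT) inbound connections from the public side into the DMZ
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB
-A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 25,110,143 -j DNAT --to-destination $MAIL
# Hide the DMZ behind the firewall's public address for outbound traffic
-A POSTROUTING -o $WAN_IF -s $DMZ_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the DNATed services may be opened from the public side. PREROUTING
# has already rewritten the destination, so match on the DMZ address.
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $MAIL -p tcp -m multiport --dports 25,110,143 -m conntrack --ctstate NEW -j ACCEPT
# DMZ hosts may open outbound connections (DNS, updates, outgoing mail)
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of FORWARD rules that open a given DMZ host from the public side.
# A quick check that nothing beyond the intended services is exposed.
dmz_exposed_rules() {
    dmz_ruleset | grep -c -- "-A FORWARD -i $WAN_IF -o $DMZ_IF -d $1 "
}

# Enable forwarding and load the ruleset atomically. Needs root:
#   sh dmz.sh apply
dmz_apply() {
    sysctl -w net.ipv4.ip_forward=1
    dmz_ruleset | iptables-restore
}

case "${1:-}" in
    apply) dmz_apply ;;
    "")    dmz_ruleset ;;
esac
```

Running the script with no arguments prints the ruleset for review; `apply` loads it with iptables-restore, which replaces the whole table set in one step rather than rule by rule, so a half-applied state is not left behind if a rule is rejected. Reply traffic to the DNATed connections is handled by the conntrack ESTABLISHED,RELATED rule, which is why the explicit FORWARD rules only need to match the NEW packet of each connection.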