Advantage of a hardware firewall like Netscreen vs. IP Tables

[TechBoyJK]

How much better can I protect my Linux server if I put a rackmount firewall like a Netscreen in front of it vs. just using IP tables? What other benefits will I get if I use a hardware firewall vs. just IPtables?

 

[spidey07]

Originally posted by: TechBoyJK
How much better can I protect my Linux server if I put a rackmount firewall like a Netscreen in front of it vs. just using IP tables? What other benefits will I get if I use a hardware firewall vs. just IPtables?

you'd be following good network design by using a hardware firewall.

1) Firewall does its job of firewalling
2) Server does its job of serving

Plus the firewall will be able to handle the "funny" applications like FTP, oracle, H.323, VPN. I don't know if IP chains can deal with applications that negotiate ports in the application layer (layer 7)

 

[spidey07]

hmm, all this time your doing researching has spent enough money to buy a really nice firewall and have it installed a month ago.



Also another advantage - support. When you have problems you can call somebody else and say "fix it" and you're back up in an hour vs. searching for days on the internet (which you might not have because your IPtables isn't working)

 

[Garion]

Actually, running a firewall on a classic server is pretty well known - Checkpoint made it's name as an app that was installed on NT and Solaris. Only in the last year or so have the non-server-based appliances come out and gotten popular.

The advantages of a dedicated appliance are many. First, they don't have an OS, so they don't have that level of vulnerability. Granted, a well-patched Linux box should be pretty safe, but not everyone aggressively keeps up with their patches.

Next, the boxes perform much better. The are custom-made to do ONE thing, and that's it. No legacy OS to get in the way, just fast performance.

Lastlly, I don't know about you, but I don't really like the idea of an open source firewall. If the guys in black can get the source to your firewall, they can pick through it and find any possible holes or ways to get around it. You're much better off with a commercial product that nobody sees the source to and that's rigorously tested by a company whose future depends on the box running fast, securely and stably.

- G

 

[TechBoyJK]

all great points. thanks! anybody else?

 

[Nothinman]

Plus the firewall will be able to handle the "funny" applications like FTP, oracle, H.323, VPN. I don't know if IP chains can deal with applications that negotiate ports in the application layer (layer 7)

There's a bunch of modules that add that functionality to iptables for atleast FTP and VPN protocols, I doubt you'd want oracle access to the Internet and I'm not sure about H.323.

Also another advantage - support. When you have problems you can call somebody else and say "fix it" and you're back up in an hour vs. searching for days on the internet (which you might not have because your IPtables isn't working)

Maybe I'm strange but my experience with support for anything has been bad, I've always been able or had to find the answer myself either before they could help me or because they wouldn't (unsupported config, etc.). I've heard really good things about Cisco support though, one of our networking guys even discovered a bug and got to work with the developer of the hardware/software to diagnose it.

The advantages of a dedicated appliance are many. First, they don't have an OS, so they don't have that level of vulnerability

They do so have an OS. What do you think the 'OS' in IOS means with regards to Cisco hardware? Infact I wouldn't be surprised if the Netscreen ran either a modified Linux or BSD kernel.

Next, the boxes perform much better. The are custom-made to do ONE thing, and that's it. No legacy OS to get in the way, just fast performance.

Debatable. Custom ASICs probably help but you can get a 2Ghz PC that will probably match or beat that pretty cheap.

Lastlly, I don't know about you, but I don't really like the idea of an open source firewall. If the guys in black can get the source to your firewall, they can pick through it and find any possible holes or ways to get around it.

I realize we're not talking about MS software here but in general closed source software scares me because I'm dependent on one company or person to find bugs in the software and issue a patch, with Open Software everyone has access so even if the blackhats do find problems chances are someone in a white or grey hat will too. Tons of CS college students and professionals work on Linux components and overall they seem to be doing a better job than the bigger closed companies like MS. I don't keep up on Netscreen or Cisco problems so I can't make a real security judgement on them, but from the Linux side 99% of the security releases are userland software that's 100% optional so IMO you can make a Linux firewall just as, or even more, secure as a Netscreen or PIX box.

Quickly looking a security focus, even without the source code people have managed to find some f'd up problems with the NetScreen ScreenOS.

http://www.securityfocus.com/bid/8033
http://www.securityfocus.com/bid/8032
http://www.securityfocus.com/bid/7042

To be fair I also see 2 netfilter/iptables problems this year:

http://www.securityfocus.com/bid/8330
http://www.securityfocus.com/bid/8331

I would highly recommend seperating the firewall from the server, but using Linux for both of them wouldn't be a bad thing IMO.

 

[envoy510]

Lastlly, I don't know about you, but I don't really like the idea of an open source firewall. If the guys in black can get the source to your firewall, they can pick through it and find any possible holes or ways to get around it. You're much better off with a commercial product that nobody sees the source to and that's rigorously tested by a company whose future depends on the box running fast, securely and stably.

Guessing that prospect might look a little better today, given the backdoor in ScreenOS. This is exactly the reason why using OSS in a firewall is a good idea.

 

[Red Squirrel]

A "hardware" firewall is just a computer running something like IP tables, pfsense etc, except it usually costs a lot of money.

I got my hands on a Netscreen years ago, it was a Pentium 3 Dell server, I put pfsense on it.

I also trust something open source and free like Pfsense than something commercial. TBH I would never have guessed that Netscreen would have a backdoor though... but I guess it just reinforces my point to not trust commercial closed source stuff to protect my network.

 

[sdifox]

Holy necro.