Advantage of a hardware firewall like Netscreen vs. IP Tables

Status
Not open for further replies.

TechBoyJK (Lifer)
How much better can I protect my Linux server if I put a rackmount firewall like a Netscreen in front of it vs. just using IP tables? What other benefits will I get if I use a hardware firewall vs. just IPtables?
 

spidey07 (No Lifer)
Originally posted by: TechBoyJK
How much better can I protect my Linux server if I put a rackmount firewall like a Netscreen in front of it vs. just using IP tables? What other benefits will I get if I use a hardware firewall vs. just IPtables?

you'd be following good network design by using a hardware firewall.

1) Firewall does its job of firewalling
2) Server does its job of serving

Plus the firewall will be able to handle the "funny" applications like FTP, oracle, H.323, VPN. I don't know if IP chains can deal with applications that negotiate ports in the application layer (layer 7)
 

spidey07 (No Lifer)
hmm, all this time you've been doing research has spent enough money to buy a really nice firewall and have it installed a month ago.

:)

Also another advantage - support. When you have problems you can call somebody else and say "fix it" and you're back up in an hour vs. searching for days on the internet (which you might not have because your IPtables isn't working)
 

Garion (Platinum Member)
Actually, running a firewall on a classic server is pretty well known - Checkpoint made its name as an app that was installed on NT and Solaris. Only in the last year or so have the non-server-based appliances come out and gotten popular.

The advantages of a dedicated appliance are many. First, they don't have an OS, so they don't have that level of vulnerability. Granted, a well-patched Linux box should be pretty safe, but not everyone aggressively keeps up with their patches.

Next, the boxes perform much better. They are custom-made to do ONE thing, and that's it. No legacy OS to get in the way, just fast performance.

Lastly, I don't know about you, but I don't really like the idea of an open source firewall. If the guys in black can get the source to your firewall, they can pick through it and find any possible holes or ways to get around it. You're much better off with a commercial product that nobody sees the source to and that's rigorously tested by a company whose future depends on the box running fast, securely and stably.

- G
 

Nothinman (Elite Member)
Originally posted by: spidey07
Plus the firewall will be able to handle the "funny" applications like FTP, oracle, H.323, VPN. I don't know if IP chains can deal with applications that negotiate ports in the application layer (layer 7)

There's a bunch of modules that add that functionality to iptables for at least FTP and VPN protocols, I doubt you'd want oracle access to the Internet and I'm not sure about H.323.

Originally posted by: spidey07
Also another advantage - support. When you have problems you can call somebody else and say "fix it" and you're back up in an hour vs. searching for days on the internet (which you might not have because your IPtables isn't working)

Maybe I'm strange but my experience with support for anything has been bad, I've always been able or had to find the answer myself either before they could help me or because they wouldn't (unsupported config, etc.). I've heard really good things about Cisco support though, one of our networking guys even discovered a bug and got to work with the developer of the hardware/software to diagnose it.

Originally posted by: Garion
The advantages of a dedicated appliance are many. First, they don't have an OS, so they don't have that level of vulnerability

They do so have an OS. What do you think the 'OS' in IOS means with regards to Cisco hardware? In fact I wouldn't be surprised if the Netscreen ran either a modified Linux or BSD kernel.

Originally posted by: Garion
Next, the boxes perform much better. They are custom-made to do ONE thing, and that's it. No legacy OS to get in the way, just fast performance.

Debatable. Custom ASICs probably help but you can get a 2Ghz PC that will probably match or beat that pretty cheap.

Originally posted by: Garion
Lastly, I don't know about you, but I don't really like the idea of an open source firewall. If the guys in black can get the source to your firewall, they can pick through it and find any possible holes or ways to get around it.

I realize we're not talking about MS software here but in general closed source software scares me because I'm dependent on one company or person to find bugs in the software and issue a patch, with Open Software everyone has access so even if the blackhats do find problems chances are someone in a white or grey hat will too. Tons of CS college students and professionals work on Linux components and overall they seem to be doing a better job than the bigger closed companies like MS. I don't keep up on Netscreen or Cisco problems so I can't make a real security judgement on them, but from the Linux side 99% of the security releases are userland software that's 100% optional so IMO you can make a Linux firewall just as secure as, or even more secure than, a Netscreen or PIX box.

Quickly looking at SecurityFocus, even without the source code people have managed to find some f'd up problems with the NetScreen ScreenOS.

http://www.securityfocus.com/bid/8033
http://www.securityfocus.com/bid/8032
http://www.securityfocus.com/bid/7042

To be fair I also see 2 netfilter/iptables problems this year:

http://www.securityfocus.com/bid/8330
http://www.securityfocus.com/bid/8331

I would highly recommend separating the firewall from the server, but using Linux for both of them wouldn't be a bad thing IMO.
 

envoy510 (Junior Member)
Originally posted by: Garion
Lastly, I don't know about you, but I don't really like the idea of an open source firewall. If the guys in black can get the source to your firewall, they can pick through it and find any possible holes or ways to get around it. You're much better off with a commercial product that nobody sees the source to and that's rigorously tested by a company whose future depends on the box running fast, securely and stably.

Guessing that prospect might look a little better today, given the backdoor in ScreenOS. This is exactly the reason why using OSS in a firewall is a good idea.
 

Red Squirrel (No Lifer)
A "hardware" firewall is just a computer running something like IP tables, pfsense etc, except it usually costs a lot of money.

I got my hands on a Netscreen years ago, it was a Pentium 3 Dell server, I put pfsense on it. :p

I also trust something open source and free like pfSense more than something commercial. TBH I would never have guessed that Netscreen would have a backdoor though... but I guess it just reinforces my point to not trust commercial closed source stuff to protect my network.
 