Re: Router with security features

From: Bennett Todd (bet@rahul.net)
Date: 10/11/01


Date: Thu, 11 Oct 2001 13:17:19 -0400
From: Bennett Todd <bet@rahul.net>
To: "Brumariu, Radu" <radu@missouri.edu>
Subject: Re: Router with security features
Message-ID: <20011011131719.H16471@rahul.net>


2001-10-10-14:54:10 Brumariu, Radu:
> Basically, I have a small set of servers (5-6) which I would like to
> be protected via a firewall( or a set of them).
> Most of the network traffic is going among these servers. some mail,
> web and ssh are supposed to go outside this small network.

Sounds like you want them to chat with each other on a switch, and
put a firewall between the switch and the outside.

> Now, to clarify my question : would a pc box running linux
> (bastille linux for example ) be as good ( read fast and reliable
> ) as a Cisco/3com/nortel/other product ? Would buying a cisco & co
> product prove to be just an unecessary expenditure?

That's a very very difficult question. In the limit, either one
can be better or worse. You can match the hardware qualities of
a commercial router or firewall appliance by building a suitable
PC, with no moving media, configured to boot off flash and run out
of RAM. That's a fairly significant engineering expenditure. If
you confine yourself to mainstream off-the-shelf solutions, the
appliances enjoy an edge in reliability from lack of moving parts.

That said, that edge can be pretty nearly compensated for by e.g.
hardware mirroring a pair of drives, with a third as a warm spare,
in hot-swap carriers. I think Dell can ship a rackmount package that
looks like that (not positive about the hot-swap carrier).

But these differences in hardware reliability are likely to be
completely overwhelmed by other issues.

I'd recommend making a first stab at deciding the issue by focusing
on your available in-house expertise. Do you have folks who speak
IOS fluently? If so, and if they advise that IOS's expressiveness is
up to implementing the policy you wish to enforce (sounds to me like
it is), then you're gonna have a real fight to make a PC running a
Unix-like OS do better. Contrariwise, if you've got Linux or other
good OS experience in house and lack IOS expertise, you're liable to
get better service out of the Unix firewall/router.

-Bennett






Relevant Pages

  • Re: firewall opinions
    ... > configure the firewall (hardware or software) to stop every conceivable ... residents started this year, only one was a returning resident, all the ... As part of our overall solution we installed a Linksys BEFSX41 router (NAT ...
    (microsoft.public.windowsxp.general)
  • Re: firewall opinions
    ... ideal router configuration. ... the purpose of LeakTest is Not to test various ports (e.g. ... least the user had a chance to stop it, which a hardware router would ... >>configure the firewall to stop every conceivable ...
    (microsoft.public.windowsxp.general)
  • Re: Help In network configuration.
    ... port of a router. ... 2] I will run a cable from Internal Port of router to the ... external port of firewall. ... Servers Switch. ...
    (microsoft.public.win2000.networking)
  • Re: Is this a wise configuration?
    ... A have a single DSL connection to the internet at my house. ... connection goes through a router, ... With this many "test" servers running, however, there are many ... Generally referred to as "DMZ" when you search for firewall info ...
    (comp.os.linux.networking)
  • Re: Linux firewall vs Windows and Hardware based firewalls
    ... > What are the advantages of a linux firewall over something like Windows ... or even a hardware based firewall. ... down to the bare minimums and run *just* a router. ...
    (Debian-User)