Re: Router with security features

From: Bennett Todd
Date: 10/11/01

Date: Thu, 11 Oct 2001 13:17:19 -0400
From: Bennett Todd <>
To: "Brumariu, Radu" <>
Subject: Re: Router with security features
Message-ID: <>

2001-10-10-14:54:10 Brumariu, Radu:
> Basically, I have a small set of servers (5-6) which I would like to
> be protected via a firewall (or a set of them).
> Most of the network traffic is going among these servers. Some mail,
> web and ssh are supposed to go outside this small network.

Sounds like you want them to chat with each other on a switch, and
put a firewall between the switch and the outside.

> Now, to clarify my question: would a PC box running Linux
> (Bastille Linux for example) be as good (read fast and reliable)
> as a Cisco/3com/Nortel/other product? Would buying a Cisco & co
> product prove to be just an unnecessary expenditure?

That's a very very difficult question. In the limit, either one
can be better or worse. You can match the hardware qualities of
a commercial router or firewall appliance by building a suitable
PC, with no moving media, configured to boot off flash and run out
of RAM. That's a fairly significant engineering expenditure. If
you confine yourself to mainstream off-the-shelf solutions, the
appliances enjoy an edge in reliability from lack of moving parts.

That said, that edge can be pretty nearly compensated for by e.g.
hardware mirroring a pair of drives, with a third as a warm spare,
in hot-swap carriers. I think Dell can ship a rackmount package that
looks like that (not positive about the hot-swap carrier).

But these differences in hardware reliability are likely to be
completely overwhelmed by other issues.

I'd recommend making a first stab at deciding the issue by focusing
on your available in-house expertise. Do you have folks who speak
IOS fluently? If so, and if they advise that IOS's expressiveness is
up to implementing the policy you wish to enforce (sounds to me like
it is), then you're gonna have a real fight to make a PC running a
Unix-like OS do better. Contrariwise, if you've got Linux or other
good OS experience in house and lack IOS expertise, you're liable to
get better service out of the Unix firewall/router.
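The topology Bennett sketches above (servers talking to each other on a switch, a default-deny firewall between the switch and the outside that only passes mail, web and ssh) can be written down as a small policy model. The following is an added example, not code from either poster; the 192.0.2.0/24 server subnet, the interface names and the port list are constructed assumptions, and the iptables lines it emits are illustrative rather than a tested ruleset.

```python
"""Policy model for a switch-plus-firewall layout: intra-LAN traffic never
reaches the firewall, and only TCP 22/25/80/443 may cross the boundary in
either direction, plus replies to connections already accepted."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.0.2.0/24")          # assumed server subnet (RFC 5737 range)
OUTSIDE_IF, INSIDE_IF = "eth0", "eth1"    # assumed interface names on the firewall
ALLOWED_TCP = {22: "ssh", 25: "smtp", 80: "http", 443: "https"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # True for a new-connection request


class Firewall:
    """Default-deny, stateful filter sitting between the switch and the outside."""

    def __init__(self):
        # 4-tuples (src, sport, dst, dport) of connections we have accepted
        self.established = set()

    def filter(self, p: Packet) -> str:
        src_in = ip_address(p.src) in LAN
        dst_in = ip_address(p.dst) in LAN
        if src_in and dst_in:
            return "NOT_SEEN"    # server-to-server traffic stays on the switch
        if not (src_in or dst_in):
            return "DROP"        # transit between two outside hosts: not our job
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        # Later packets of an accepted connection, in either direction
        if forward in self.established or reverse in self.established:
            return "ACCEPT"
        # New connection: only the three services, only over TCP
        if p.proto == "tcp" and p.syn and p.dport in ALLOWED_TCP:
            self.established.add(forward)
            return "ACCEPT"
        return "DROP"


def iptables_rules() -> list:
    """The same policy expressed as iptables FORWARD rules (illustrative)."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port, name in sorted(ALLOWED_TCP.items()):
        rules.append(
            f"iptables -A FORWARD -p tcp --dport {port} -m state --state NEW "
            f"-j ACCEPT  # {name}, both directions"
        )
    return rules


if __name__ == "__main__":
    fw = Firewall()
    print(fw.filter(Packet("192.0.2.10", 40001, "198.51.100.5", 80, syn=True)))
    print(fw.filter(Packet("198.51.100.5", 80, "192.0.2.10", 40001)))
    print("\n".join(iptables_rules()))
```

The model makes the point Bennett is implicitly relying on: the policy itself is simple enough (four ports plus connection state) that either IOS or a Unix packet filter can express it, so the choice turns on who will maintain the box rather than on what it can filter.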