From: Ken Diliberto (ken@kdmd.net)
Date: Fri Aug 05 2005 - 00:15:06 GMT-3
John,

Having used the PIX, Raptor and AV (commercial Unix based), IPTables and
IPChains (Linux), IPF (Solaris, OpenBSD and FreeBSD) and PF (OpenBSD and
FreeBSD) firewalls, I'd pick OpenBSD running PF for a firewall over the
others almost any day. OpenBSD is stable and can have almost all the
features of the others if you can invest some effort. Want a proxy?
Add Squid. Want IDS? Install Snort. Both at no extra charge.

You can substitute Linux with IPTables for OpenBSD if you like. It's a
stable platform and will do the same things, just in a slightly
different way. I'm not much of a Linux fan - more of a BSD zealot. But
I don't resent Linux or its supporters - just not my preferred platform.

In a fairly vanilla environment, Linux boxes will route just as well as
a dedicated router in the same price range. The downside to a Linux
box is bandwidth and some of the fancy features you find in dedicated
routers. Comparing a $1000 PC running Linux with a 3550 with EMI
feature set, you'll find the 3550 a much faster box, but at a much
greater price tag. Compare a Linux box with GigE interfaces plugged
into a switch against a similar router, and I think you'll find the price
to performance ratio favoring the Linux box by a long shot. Need a
routing protocol on your Linux box? GateD and Zebra have been around
for a long time. I know with Zebra you get RIP 1&2, OSPF and BGP. Even
IPv6 variants. Zebra even feels like IOS.

So let me ask you:

What's wrong with a Linux box as a router?
What's wrong with a Linux box as a firewall?

I've gone 'round and 'round with TAC on issues with dedicated routers
and not received a satisfactory resolution, so I don't buy the "you get
Cisco standing behind their routers" argument unless you're a very big
customer that pays a lot of money in support. I've pointed out problems
with open source software and been very satisfied with the free support
from the authors and other users. YMMV.

Some useful links:
http://lartc.org/howto/
http://www.openbsd.org/
http://www.benzedrine.cx/pf.html

Ken

Sheahan, John wrote:
> Recently there have been several articles in the recent IT magazines and
> online talking about how open source routers and firewalls are the
> future.
>
> I have had several arguments with unix geeks about why we shouldn't use
> these over Cisco devices in production scenarios.
>
> There is apparently a growing project called XORP that is developing
> open source code which can currently route OSPF and BGP on a PC.
>
> I am trying to develop a list of good reasons to help defuse this line
> of thinking. I know the router code isn't prime time yet but apparently
> the firewall code for Linux is.
>
> Can anyone help me come up with some good reasons why not to use the
> open source firewall on Linux over a Pix or Checkpoint firewall?
>
> Thanks

This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:18 GMT-3