From: Church, Chuck (cchurch@netcogov.com)
Date: Fri Aug 05 2005 - 01:30:46 GMT-3
Ken,

Your argument for firewall makes sense. Being able to add proxy
and IDS for free are compelling. But for a router, I don't quite see an
advantage in using a *NIX box. A $1000 PC isn't going to have a
redundant power supply. Pretty much need to jump to a server-platform
PC to get that. Redundant hard drives add cost too. Still, the
motherboard is another single point of failure. Pretty soon, you're
looking at a $5000+ machine. You can do a pair of PCs, but will *NIX
support HSRP, VRRP, or GLBP? How about the routing protocol extensions
that NSF uses, such as OSPF sub-second hellos?

So maybe with multiple PCs, you can get greater uptime. But
what about QoS support? Being able to do line-rate policing, shaping,
and ACLs at gigabit speed is important in most converged networks these
days.

Also, what about device failure? A router dies somehow, you get
a new one overnighted, paste your config back in, and you're back in
business. How long does it take to build a new Linux router? Certainly
the engineer's time in building a box has to factor into the cost.

Security-wise, I think that leans in Cisco's favor too. Any
time a new vulnerability is found, Cisco is pretty good about letting
people know work-arounds and usually has a patched IOS available in a
few days. Just some food for thought...
Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 864-266-3978
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ken Diliberto
Sent: Thursday, August 04, 2005 11:15 PM
To: Sheahan, John; ccielab@groupstudy.com
Subject: Re: OT- Open Source Networking Devices
John,

Having used the PIX, Raptor and AV (commercial Unix based), IPTables and
IPChains (Linux), IPF (Solaris, OpenBSD and FreeBSD) and PF (OpenBSD and
FreeBSD) firewalls, I'd pick OpenBSD running PF for a firewall over the
others almost any day. OpenBSD is stable and can have almost all the
features of the others if you can invest some effort. Want a proxy?
Add Squid. Want IDS? Install Snort. Both at no extra charge.

You can substitute Linux with IPTables for OpenBSD if you like. It's a
stable platform and will do the same things, just in a slightly
different way. I'm not much of a Linux fan - more of a BSD zealot. But
I don't resent Linux or its supporters - just not my preferred platform.

In a fairly vanilla environment, Linux boxes will route just as well as
a dedicated router in the same price range. The down side to a Linux
box is bandwidth and some of the fancy features you find in dedicated
routers. Comparing a $1000 PC running Linux with a 3550 with EMI
feature set, you'll find the 3550 a much faster box, but at a much
greater price tag. Compare a Linux box with GigE interfaces plugged into
a switch to a similar router, and I think you'll find the price
to performance ratio favoring the Linux box by a long shot. Need a
routing protocol on your Linux box? GateD and Zebra have been around
for a long time. I know with Zebra you get RIP 1&2, OSPF and BGP. Even
IPv6 variants. Zebra even feels like IOS.

So let me ask you:
What's wrong with a Linux box as a router?
What's wrong with a Linux box as a firewall?

I've gone 'round and 'round with TAC on issues with dedicated routers
and not received a satisfactory resolution, so I don't buy the "you get
Cisco standing behind their routers" argument unless you're a very big
customer that pays a lot of money in support. I've pointed out problems
with open source software and been very satisfied with the free support
from the authors and other users. YMMV.

Some useful links:
http://lartc.org/howto/
http://www.openbsd.org/
http://www.benzedrine.cx/pf.html

Ken
Sheahan, John wrote:
> Recently there have been several articles in the recent IT magazines and
> online talking about how open source routers and firewalls are the
> future.
>
> I have had several arguments with unix geeks about why we shouldn't use
> these over Cisco devices in production scenarios.
>
> There is apparently a growing project called XORP that is developing
> open source code which can currently route OSPF and BGP on a PC.
>
> I am trying to develop a list of good reasons to help diffuse this line
> of thinking. I know the router code isn't prime time yet but apparently
> the firewall code for Linux is.
>
> Can anyone help me come up with some good reasons why not to use the
> open source firewall on Linux over a Pix or Checkpoint firewall?
>
>
>
> Thanks
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:18 GMT-3