While I agree that for an enterprise I would choose PIX over Linux
for firewall purposes, if your friends configured a Linux firewall and
ran other services on it, they may be good Linux admins but they
don't know much about security.
There is _no_ good reason to run unnecessary services on a
firewall. Period. Wintel hardware is too inexpensive to use any
argument that a box serving as a firewall needs to run DNS, FTP,
SMTP, etc.
The only service other than ipchains that a Linux firewall should run
is SSH. This gives you all the remote administration of the box
you need and makes the box very secure.
-Kent
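One way to put Kent's rule into practice, as an added example that is not part of the thread: a POSIX shell audit that flags every socket the firewall itself listens on except the allowlisted SSH port. It parses `ss -lntuH`-style output (the `-H` no-header option of a modern iproute2 `ss` is assumed); the sample lines are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux firewall's listening
# sockets against an allowlist of the few ports the box legitimately needs.
# Input is the output of `ss -lntuH` (one socket per line); a constructed
# sample stands in for the real command so the script can run offline.

# Ports the firewall itself may listen on. Kent's rule: only SSH.
ALLOWED_PORTS="22"

# Constructed sample resembling `ss -lntuH` on a box that also runs
# DNS and SMTP, which is exactly what should not be there.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
tcp   LISTEN 0 128 [::]:22      [::]:*
tcp   LISTEN 0 10  0.0.0.0:53   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:53   0.0.0.0:*
tcp   LISTEN 0 100 127.0.0.1:25 0.0.0.0:*'

# flag_unexpected_listeners TEXT
# Prints "proto port local-address" for every socket whose port is not in
# ALLOWED_PORTS. Returns 0 if nothing unexpected was found, 1 otherwise.
flag_unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 5 {
            port = $5
            sub(/.*:/, "", port)          # strip the address part, keep the port
            if (!(port in ok)) { print $1, port, $5; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Audit the live system when ss is available, otherwise the constructed sample.
audit_firewall() {
    if command -v ss >/dev/null 2>&1; then
        flag_unexpected_listeners "$(ss -lntuH)"
    else
        flag_unexpected_listeners "$SAMPLE_SS_OUTPUT"
    fi
}

# Usage: sh audit.sh --run   (nonzero exit means something besides SSH is listening)
if [ "${1:-}" = "--run" ]; then
    audit_firewall
fi
```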
On 23 Mar 2001, at 9:24, Rik wrote:
> I have seen way too many Linux firewalls hacked as a result of
> mis-administration. Now, I'm not assuming anything about your
> abilities as the last confirmed hack that I was notified about was a
> Linux FW set up by 2 guys that I know to be excellent Linux admins.
> The problem is the inherent nature of the beast. A PIX is totally
> secure right out of the box. The last Linux hack I speak of was
> hacked based on an exploit within BIND and had nothing to do with the
> FW policy.
>
> I also find the PIX to be MUCH easier to configure and set up. I can
> do in only a few lines of code what could possibly take pages and
> pages of code in Linux. When talking about firewalls, simplicity is a
> critically important concern. One compromise could easily remove any
> upfront cost advantage Linux has over Cisco. Also, you don't have to
> be concerned with shutting down unused services on a PIX as you would
> on Linux.
>
> Go with the PIX. It was designed from the ground up to do just what
> it does: protect your network. Cisco claims that a properly
> configured PIX has never been compromised. I believe them.
>
> Rik
>
>
> "Sean Young" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hi Everyone,
> >
> > My company is putting me in charge of implementing a Firewall for
> > our company. One guy in my networking group is recommending PIX
> > Firewall. Furthermore, he also recommends a Cisco Web-caching
> > engine. His reason is that not only is Cisco a good Firewall but it
> > also provides VPN connectivity to our remote sites. I, on the
> > other hand, would like to implement a Linux-based OS firewall along
> > with the FreeS/WAN VPN feature set. My reason is that a linux firewall
> > can provide everything a Cisco PIX does and even more. In terms of
> > hardware, the linux Firewall/VPN/IPSec box will be running a
> > dual-processor (800MHz) with 1GB of RAM. I just feel that I can get
> > a lot more for the amount that we are going to spend with linux than
> > with Cisco PIX. I also feel that I can tweak the source code on the
> > LINUX kernel to increase the performance and security. Also, instead
> > of purchasing the Cisco web-caching engine, I am thinking of
> > building another linux box that will be running a squid (web-caching)
> > server. Don't get me wrong, I think Cisco has a lot of good
> > products in the area of routing; however, I just don't think it is
> > necessary to throw money away at Cisco when I know that Linux or BSD
> > can do the same job that PIX and the Cisco web-caching engine do but for
> > much less, and also I can control the source code. Has anyone had
> > experience with both Linux/BSD, Squid and Cisco PIX, Cisco
> > web-caching engine so that you can give advice on what I should do?
> > I am open to your suggestions.
> >
> > Many thanks.
> > Sean
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]