On Fri, Aug 08, 2008 at 06:54:05PM -0500, patric conant wrote:
> You strongly overestimate the value of your comments (3 cents), it seems
> like there are many places more appropriate than this one for you to suggest
> middle-of-the-road hardware running a proprietary OS that has among the
> worst security records in the industry.
Oh, god, Cisco vs <anyone else, especially free solutions> seems to degenerate into things like this. IOS and IOS XR actually have quite a good security history - other Cisco software, no. If you doubt me, actually look at the security record - oh, and be careful not to just compare OpenBSD's "only 2 remote holes in the default install" vs IOS - many (most) of the IOS vulnerabilities are for things that haven't been enabled by default on recent IOS images.

The general-purpose computer parts of Cisco routers are "middle-of-the-road hardware" in speed; much (slow) embedded hardware is far more reliable than the 'PC' equivalent. Server hardware (you shouldn't run anything important on a PC -- use proper server hardware) + Linux/Solaris/NetBSD/FreeBSD/OpenBSD works well as a router and firewall. IOS on a Cisco router does as well. The *nix solution works well and is cheap, but in my experience it's still slightly less stable than the Cisco equivalent. More importantly in many ways, Cisco hardware is usually marginally more reliable (both are reliable) than server hardware.

IOS, while a complete PITA, is easier to configure than plain *nix OSes for networking stuff - one does not have sprawling config files, and making a config change updates running-config, making it easy to save your changes; ip address 192.0.2.0 255.255.255.255;do wr m is much easier than ifconfig fxp0 192.0.2.0/24;vi /etc/hostname.fxp0;<edit>. It's also much less error prone, which is important. With things like Quagga/Zebra this advantage is eliminated, but both of those have problems far more frequently than IOS.

IOS is a lot easier to upgrade than any *nix - just copy the image, reload. Downtime is short, though many of their routers boot slow. This *could* be changed (I'm thinking something along the lines of Solaris LU - but easier), but as of yet has not been. But, it's *much* cheaper, and PF is vastly better than IOS's firewall.
Software routers struggle at high PPS; Cisco makes some nice hardware that can handle that. As does Juniper, and a few others.
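As an added example (not from the thread or from any of the posters), here is the "ifconfig plus hand-edit /etc/hostname.fxp0" step the reply above contrasts with IOS, reduced to one validated input: a POSIX sh script that takes an interface name and ADDR/PREFIX, converts the prefix to a dotted netmask, validates the address, and writes the OpenBSD hostname.if(5) line atomically. It assumes OpenBSD's `inet ADDR NETMASK NONE` file syntax; the interface name, address and directory are constructed sample values.

```shell
#!/bin/sh
# Added example: derive both the persistent /etc/hostname.IF entry and the
# netmask ifconfig would need from a single CIDR string, rejecting bad input
# instead of writing a broken file. Assumes OpenBSD hostname.if(5) syntax.

# Convert a prefix length (0-32) to a dotted-quad netmask. Returns 1 on bad input.
cidr_to_netmask() {
    prefix=$1
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    mask=""
    remaining=$prefix
    for _octet in 1 2 3 4; do
        if [ "$remaining" -ge 8 ]; then
            octet=255
            remaining=$((remaining - 8))
        elif [ "$remaining" -gt 0 ]; then
            # Partial octet: top 'remaining' bits set, e.g. /20 -> 240.
            octet=$(( 256 - (1 << (8 - remaining)) ))
            remaining=0
        else
            octet=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    printf '%s\n' "$mask"
}

# Accept only a well-formed dotted quad with each octet in 0..255.
valid_ipv4() {
    ip=$1
    case "$ip" in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Build the hostname.if line for ADDR/PREFIX; prints nothing and returns 1 on error.
hostname_if_line() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$addr" != "$1" ] || return 1        # no '/' present
    valid_ipv4 "$addr" || return 1
    mask=$(cidr_to_netmask "$prefix") || return 1
    printf 'inet %s %s NONE\n' "$addr" "$mask"
}

# Write DIR/hostname.IFNAME via a temp file and rename, so a half-written
# config is never left behind. DIR defaults to /etc.
write_hostname_if() {
    ifname=$1
    cidr=$2
    dir=${3:-/etc}
    case "$ifname" in ''|*[!a-z0-9]*) return 1 ;; esac
    line=$(hostname_if_line "$cidr") || return 1
    tmp="$dir/hostname.$ifname.tmp.$$"
    printf '%s\n' "$line" > "$tmp" && chmod 640 "$tmp" \
        && mv "$tmp" "$dir/hostname.$ifname"
    # On OpenBSD, 'sh /etc/netstart IFNAME' would then apply the file to the
    # live interface, replacing the separate ifconfig step.
}

# Usage: sh thisfile.sh IFNAME ADDR/PREFIX DIR
# (constructed sample: sh thisfile.sh fxp0 192.0.2.1/24 /tmp)
if [ $# -eq 3 ]; then
    write_hostname_if "$1" "$2" "$3" && cat "$3/hostname.$1"
fi
```

The two halves that go wrong by hand (the netmask arithmetic and the file syntax) are the only things the script computes, so a typo in the prefix is refused rather than turned into a wrong mask.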