At 12:59 AM 13/02/2003, you wrote:

But now, there are many vendors who come with a pre-built firewall that I only
have to configure in 15 minutes (that's what they say), and it works.

What is the difference if I use RHL 8 as a firewall, rather than using a
pre-built firewall? They say that the pre-built firewall comes with a hardened
operating system; I think Linux already does.

Other people may want to add to (or delete from) this list, but off the top of my head I'd go with:


Advantages of a consumer grade pre-built firewall:

1. Quick and easy to install.
2. Low maintenance. Most of them don't need a sysadmin at all.
3. High-tech looking packaging with lots of flashing lights.
4. Cheap.
5. Reasonably secure most of the time as long as you don't forward any connections to boxes on your internal network.


Advantages of a customized Linux firewall:

1. Features: just try to find a pre-built firewall with Socks support, a good caching proxy server, support for both 1 to many and 1 to 1 NAT at the same time, support for multiple parallel upstream paths, and multiple internal networks, and several different mutually incompatible virtual private networks. Such pre-built firewalls do exist, but they're usually running Linux.

2. Fine-grained control and monitoring: netfilter gives you much more control than most packet filtering packages do (e.g. rules depending on the time of day, how busy the machine is, how much traffic there is of a specific kind, who owns the process generating traffic, etc.).

3. When (not if) security holes are discovered you can deal with them by patching software. You don't have to disconnect your network and cross your fingers hoping that Company X will decide to produce an updated firmware for your particular two-years-out-of-date firewall in the near future (if you don't think this is a problem, talk to somebody with a two-year-old SNMP-managed switch. I've got a nice big rack-mount 10/100 switch made by HP that is essentially a several-thousand-dollar paperweight. I have found no indication from the manufacturer that they've even started working on an update to correct the SNMP security flaws which they've known about for well over a year at this point).

4. Speed. Most off-the-shelf firewall boxes are designed for use with consumer grade cable and DSL connections. The ones I've tried all tend to max out at between 2 and 6 Mbps for traffic actually going through the packet filter. Higher end firewalls can handle more traffic, but they are MUCH more expensive (I'm used to seeing them for around US$5000 and up) and tend to be neither quick to install nor low-maintenance.

5. Trust. Security through obscurity is a concept that has repeatedly been shown not to work. Closed source products provide manufacturers with the opportunity to routinely gloss over serious design flaws, ignore security holes (until they hit the popular media) and include undocumented back doors that customers aren't aware of until it's too late. In contrast, Linux allows you control over all the source code that goes into making your firewall; you can see exactly what it does, and you can check for yourself that it doesn't include serious known exploits or back doors. This is what free software is all about.

That's my list, and I'm sure you can guess which one I use most of the time.

p.s. With apologies to Richard Stallman, I know that there's rather more to Free Software than the security/auditing implications. Keep up the good work.
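An added example, not code from the original post or from Red Hat: a small netfilter script that shows the time-of-day, process-owner and traffic-rate matches point 2 above refers to. The interface names, the LAN range and the `squid` proxy user are assumptions; with DRY_RUN=1 set it prints the rules instead of loading them, so it can be previewed without root.

```shell
#!/bin/sh
# Added example policy (not from the original post). Interfaces, the LAN
# range and the "squid" user are assumed values; adjust them for your site.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Wrapper: print the rule when DRY_RUN is set, otherwise load it.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_policy() {
    # Default deny; let replies to flows we started back in.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Time of day: LAN hosts may only browse out during office hours.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport 80 \
        -m time --timestart 08:00 --timestop 18:00 \
        --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
    # Process owner (valid in OUTPUT only): from the firewall itself, only the
    # proxy user may open outbound HTTP; everything else is refused.
    ipt -A OUTPUT -o "$WAN" -p tcp --dport 80 \
        -m owner ! --uid-owner squid -j REJECT
    # Traffic rate: drop SYN floods per source address above 25 new SYNs/s.
    ipt -A INPUT -i "$WAN" -p tcp --syn -m hashlimit --hashlimit-name syn \
        --hashlimit-mode srcip --hashlimit-above 25/second -j DROP
    # Log what is about to hit the DROP policy, rate limited to keep logs usable.
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-INPUT-DROP: "
}

# Render the policy as text without touching the kernel (no root needed).
preview() {
    ( DRY_RUN=1; build_policy )
}

# Load the rules only when explicitly asked: ./fw.sh --apply (as root).
if [ "${1:-}" = "--apply" ]; then
    build_policy
fi
```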



--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
