RE: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Rik Guyler

But that just proves my point - you *can't* set up a DNS server on a PIX, so it
becomes a non-issue with a PIX.  Besides, I think everybody I know has done
something that they know not to be the best thing but do it because it is a
quick and easy solution.

Don't get me wrong - I like Linux.  The real problem I see with network
security is not so much technology, but with human nature.  The PIX by
design removes many of the holes that human nature can drag us into.  A
simple case of less is more.

Rik

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 24, 2001 11:02 PM
To: [EMAIL PROTECTED]; Rik
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
PIX 525


While I agree that for an enterprise I would choose PIX over Linux 
for firewall purposes, if your friends configured a Linux firewall and 
ran other services on it, they may be good Linux admins but they 
don't know much about security. 

There is _no_ good reason to run unnecessary services on a 
firewall. Period.  Wintel hardware is too inexpensive to use any 
argument that a box serving as a firewall needs to run DNS, FTP, 
SMTP, etc.

The only service other than ipchains that a Linux firewall should run 
is SSH.  This gives you all the remote administration of the box 
you need and makes the box very secure.  

-Kent


On 23 Mar 2001, at 9:24, Rik wrote:

 I have seen way too many Linux firewalls hacked as a result of
 mis-administration.  Now, I'm not assuming anything about your
 abilities as the last confirmed hack that I was notified about was a
 Linux FW set up by 2 guys that I know to be excellent Linux admins.
 The problem is the inherent nature of the beast.  A PIX is totally
 secure right out of the box.  The last Linux hack I speak of was
 hacked based on an exploit within BIND and had nothing to do with the
 FW policy.
 
 I also find the PIX to be MUCH easier to configure and setup.  I can
 do in only a few lines of code what could possibly take pages and
 pages of code in Linux.  When talking about firewalls, simplicity is a
 critically important concern.  One compromise could easily remove any
 upfront cost advantage Linux has over Cisco.  Also, you don't have to
 be concerned with shutting down unused services on a PIX as you would
 on Linux.
 
 Go with the PIX.  It was designed from the ground up to do just what
 it does: protect your network.  Cisco claims that a properly
 configured PIX has never been compromised.  I believe them.
 
 Rik
 
 
 "Sean Young" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
  Hi Everyone,
 
  My company is putting me in charge of implementing a firewall for
  our company.  One guy in my networking group is recommending the PIX
  firewall.  Furthermore, he also recommends a Cisco web-caching
  engine.  His reason is that not only is Cisco a good firewall but it
  also provides VPN connectivity to our remote sites.  I, on the
  other hand, would like to implement a Linux-based OS firewall along
  with the FreeS/WAN VPN feature set.  My reason is that a Linux firewall
  can provide everything a Cisco PIX does and even more.  In terms of
  hardware, the Linux firewall/VPN/IPSec box will be running a
  dual-processor (800MHz) with 1GB of RAM.  I just feel that I can get
  a lot more for the amount that we are going to spend with Linux than
  with the Cisco PIX.  I also feel that I can tweak the source code of the
  Linux kernel to increase performance and security.  Also, instead
  of purchasing the Cisco web-caching engine, I am thinking of
  building another Linux box that will be running a squid (web-caching)
  server.  Don't get me wrong, I think Cisco has a lot of good
  products in the area of routing; however, I just don't think it is
  necessary to throw money away at Cisco when I know that Linux or BSD
  can do the same job that the PIX and Cisco web-caching engine do for
  much less, and I can also control the source code.  Has anyone had
  experience with both Linux/BSD and Squid and the Cisco PIX and Cisco
  web-caching engine, so that you can give advice on what I should do?
  I am open to your suggestions.
 
  Many thanks.
  Sean
 
  _
  FAQ, list archives, and subscription info:
 http://www.groupstudy.com/list/cisco.html
  Report misconduct and Nondisclosure violations to
  [EMAIL PROTECTED]
 
 
 

Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Allen May

Is the outside interface still open to SSH connections?  If so & it's
compromised, Linux is a full blown operating system that, when compromised,
can have ANY program designed for Linux installed.  Can you imagine
something like a packet analyzer grabbing all your passwords and sending
them out over the net to someone else?  Ewww.  That's my #1 reason for going
with something like a PIX.  Just make sure your IDS is set to notify even
in the event of a SUCCESSFUL connection.  I've seen people who set it up for
unsuccessful attempts only.

I hope that guy wasn't fired BECAUSE he recommended the Cisco solution.
That's totally a matter of point of view on that decision & his wasn't
wrong... neither was the Linux choice.  Some situations call for one while
others call for the other.

Oh and keep a copy of the correctly configured drive with all settings on
hand.  A hard drive is much more prone to failure than RAM/ROM just due to
the moving parts involved.

Allen
- Original Message -
From: "Sean Young" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Sunday, March 25, 2001 3:05 PM
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco PIX
525


 Ken,
 Thank you very much for the advice.  This past Friday, my company
 decided to use Linux as our company firewall.  Furthermore, we've decided
 that this firewall will be running kernel 2.4.2 with only two services
 running on it, SSH and netfilter (aka iptables).  I've tested kernel
 2.4.2 in the lab and noticed it performs better than kernel 2.2.x.  I've also
 performed various intrusion detection tests on the box using
 Cisco NetSonar, Cybercop, ISS and Axent Netrecon but was unable to break
 it.  The Linux box is rock-solid.  I am also running portsentry (IDS)
 on the firewall itself.

 Also, we decided to run our squid proxy server on another Linux box
 to provide transparent caching for our internal users.  As far as VPN is
 concerned, we are going to implement FreeS/WAN on another box.  I think
 in the long run it is going to save the company a lot of money.  We
 ended up not buying the PIX and web-caching engine from Cisco.  Oh, the
 networking guy in our group who recommended the Cisco PIX and Cisco
 web-caching engine as a solution has been fired.  Go figure.

 Regards,
 Sean
 P.S.  Priscilla, why not implement TRANSPARENT caching using squid
 to speed up the internet connection for your users?  Squid is free and very
 secure and easy to use.

 From: [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], "Stuart Brockwell" [EMAIL PROTECTED]
 Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
 PIX 525
 Date: Sat, 24 Mar 2001 20:02:26 -0800
 
 Sean,
 
 Comments imbedded:
 
 On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:
 
   Hi Sean,
   I am a Linux head myself, and one of our firewalls is in fact running
   on a Linux box.  The only problem with this type of firewall is that
   you inherit all of the known bugs that the software has.  Given that
   the source code to Linux is widely available, you have a lot of very
   talented people out there who know these holes and are able to exploit
   them very easily.
 
 It also means that there are a lot of talented people who are looking
 at the code to make sure that any holes are patched.  In fact, when
 new exploits are found, Linux is usually the fastest platform to have
 a patch available.  Compare this to having to wait weeks for vendor
 patches or having to prove to a vendor that a problem exists.
 
 Also, a service can only be exploited if it is running.  A properly
 configured firewall doesn't run unnecessary services, which makes it
 very difficult to exploit.  Essentially, it would come down to trying to
 DoS it or running a password guessing program against it to get
 remote access.
 
 
   If you maintain your own Linux firewall, you will need to continuously look
   for the latest bug fixes to install on your Linux box to address the
   latest round of holes that have been released.
 
 If the Linux firewall is properly set up, the only services running on it
 are ipchains and SSH.  This means that you have to be aware of 2
 services.  While there could always be a local exploit, if only
 trusted admins have access, the trouble with keeping up patches
 is minimal.  It is certainly no more trouble than keeping up with
 bugs on a vendor platform.
 
  
   Cisco and companies such as Watch Guard closely guard their source
   code, often you can elect to take on a maintenance contract with the
   firewall where you receive all the latest fixes for a 12 month period
   (this is what we did).  As this is their bread and butter, they spend
   a lot of time looking for holes and fixes to known bugs.
  
 
 While true, this doesn't mean that their code will have fewer bugs
 or that the bugs will be patched quicker.  There is a very large
 support community for Linux th
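Allen's point above about alerting on successful as well as failed connections, as an added example that is not from the thread: a small detector (my own Python, not anyone's code from the list) run over constructed sshd log lines from a firewall that, as Sean describes, runs only SSH and netfilter. The management allow-list address and the log lines are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample auth.log lines (not taken from the thread), in the syslog
# format sshd writes: the firewall "fw" runs only sshd and netfilter, so these
# are the only interactive-login records it will ever produce.
SAMPLE_AUTH_LOG = """\
Mar 26 14:29:01 fw sshd[1123]: Failed password for root from 203.0.113.5 port 4242 ssh2
Mar 26 14:29:07 fw sshd[1123]: Failed password for root from 203.0.113.5 port 4242 ssh2
Mar 26 14:29:13 fw sshd[1123]: Accepted password for root from 203.0.113.5 port 4242 ssh2
Mar 26 15:02:44 fw sshd[1190]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
Mar 26 15:10:00 fw sshd[1201]: Failed password for invalid user test from 198.51.100.7 port 3300 ssh2
"""

# Assumed management allow-list: the only source addresses from which an
# interactive login to the firewall is expected (VPN or terminal-server side).
MGMT_SOURCES = {"192.0.2.10"}

Event = namedtuple("Event", "ts outcome method user src port")

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Turn sshd login lines into Event tuples; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["outcome"], m["method"],
                                m["user"], m["src"], int(m["port"])))
    return events


def alerts(events, mgmt_sources=MGMT_SOURCES, fail_threshold=3):
    """Return (kind, event, tags) alerts.

    Every Accepted login alerts, not only failures: a login is tagged
    'untrusted-source' when it does not come from the management set and
    'after-N-failures' when N failed attempts from the same source preceded
    it (the password-guessing case).  A source reaching fail_threshold
    failures alerts once as REPEATED_FAILURES.
    """
    out = []
    failures = {}
    for ev in events:
        if ev.outcome == "Accepted":
            tags = []
            if ev.src not in mgmt_sources:
                tags.append("untrusted-source")
            if failures.get(ev.src):
                tags.append("after-%d-failures" % failures[ev.src])
            out.append(("ACCEPTED", ev, tags))
        else:
            failures[ev.src] = failures.get(ev.src, 0) + 1
            if failures[ev.src] == fail_threshold:
                out.append(("REPEATED_FAILURES", ev, []))
    return out


if __name__ == "__main__":
    for kind, ev, tags in alerts(parse_auth_log(SAMPLE_AUTH_LOG)):
        print("%s %s user=%s src=%s %s" % (ev.ts, kind, ev.user, ev.src, " ".join(tags)))
```

Run against the sample, the root login from 203.0.113.5 is reported as accepted from an untrusted source after two failures, which a failures-only rule would never surface.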

Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Sean Young

Allen,
If the SSH service is not open on the outside interface, how do you expect
to troubleshoot the problem when there is a problem with the firewall?
Tell me this, how can you troubleshoot a PIX remotely when there is a
problem?  My employer is certainly not going to fly me out-of-state to fix a
minor problem.  Furthermore, can you absolutely guarantee me, in writing,
that the Cisco PIX can never be compromised?  Another thing, what makes
you think that I am also running other services besides firewall features
on Linux?  If you read my email carefully, you will also notice that I only
run SSH and netfilter (aka iptables) on the firewall.  Your reason is based
purely on FUD (Fear, Uncertainty and Doubt).

Sean


From: "Allen May" [EMAIL PROTECTED]
To: "Sean Young" [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco 
PIX 525
Date: Mon, 26 Mar 2001 14:29:34 -0600


Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Allen May

Sigh...inline comments:

- Original Message -
From: "Sean Young" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Monday, March 26, 2001 2:42 PM
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco PIX
525


 Allen,
 If the SSH service is not open on the outside interface, how do you expect
 to troubleshoot the problem when there is a problem with the firewall?
VPN, dial-up modem, terminal server, ACLs, etc.  If they find your password
or someone knows it & get in, does IDS tell you?

 Tell me this, how can you troubleshoot a PIX remotely when there is a
 problem? My employer is certainly not going to fly me out-of-state to fix a
 minor problem.
See above answer.

 Furthermore, can you absolutely guarantee me, in writing,
 that the Cisco PIX can never be compromised?
No guarantee but it's claimed to have never been compromised unless the
attacker had inside access (physical, vpn, etc) and knew the password and
the user was careless enough to not implement ACL.  On the other hand, read
up on security on Linux for yourself.  Redhat was the #1 hacked operating
system (even surpassed Windows last I read).

 Another thing, what makes you think that I am
 also running other services besides firewall features on Linux?  If you
 read my email carefully, you will also notice that I only run SSH and netfilter
 (aka iptables) on the firewall.
I read that part.  That's why I said root or sudo access allows a user to
install other services.  A Cisco IOS does not.  It's easy to add a new
service if you have access to do it.  You can even install via ftp.

 Your reason is based purely on FUD
 (Fear, Uncertainty and Doubt).
It's based on 12 years experience and working as security administrator at
an ISP where we've had many DSL users complain about their Linux boxes being
hacked.  Some find out they've been hacked after someone on the internet had
reports of porn sites running on their compromised system.  Users who
purchased a PIX and allowed us to manage it have not been hacked even one
time so far.

I ain't skeered ;)  I was trying to let you know the vulnerabilities you
might have and allow you to take precautions.  If you're going to be that
way about it, you can learn on your own the hard way when you have to fly
out there to fix a compromised system or failed hard drive.  From your reply
you either didn't read my reply carefully or didn't even understand it.


 Sean



Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Allen May

One more thing I forgot to mention.  If compromised (it has to be from
inside because the outside interface cannot be used to connect), all they can do
to a PIX is mess up your config or add some lines.  However, with TACACS+ &
AAA authentication you can even limit what commands they can execute.  If
the config is messed up, just dial in and copy the config from the tftp
server again.


- Original Message -
From: "Sean Young" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Monday, March 26, 2001 2:42 PM
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco PIX
525



Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Allen May

Yeah after reading all the reviews I found that FreeBSD, OpenBSD, and
Slackware were among the most secure & least hacked.

- Original Message -
From: "Brian" [EMAIL PROTECTED]
To: "Allen May" [EMAIL PROTECTED]
Cc: "Sean Young" [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, March 26, 2001 3:08 PM
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco PIX
525


 If you at all consider the computer based firewall solution, openbsd is
 worth at least a look.

 Bri


Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Sean Young

Sigh...inline comments


From: "Allen May" [EMAIL PROTECTED]
To: "Sean Young" [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco 
PIX 525
Date: Mon, 26 Mar 2001 14:55:57 -0600

Sigh...inline comments:

- Original Message -
From: "Sean Young" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Monday, March 26, 2001 2:42 PM
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco 
PIX
525


  Allen,
  If the SSH service is not open on the outside interface, how do you expect
  to troubleshoot the problem when there is a problem with the firewall?
VPN, dial-up modem, terminal server, ACLs, etc.  If they find your password
or someone knows it & get in, does IDS tell you?

Dial-up modem.  Isn't there a war-dialer that can hack your system?
Another thing, doesn't the VPN have a public interface as well?  What
about if your VPN has been compromised?  Ever thought about that?


  Tell me this, how can you troubleshoot a PIX remotely when there is a
  problem? My employer is certainly not going to fly me out-of-state to fix a
  minor problem.
See above answer.

  Furthermore, can you absolutely guarantee me, in writing,
  that the Cisco PIX can never be compromised?
No guarantee but it's claimed to have never been compromised unless the
attacker had inside access (physical, vpn, etc) and knew the password and
the user was careless enough to not implement ACL.  On the other hand, read
up on security on Linux for yourself.  Redhat was the #1 hacked operating
system (even surpassed Windows last I read).

Ever heard of the Linux Router Project?  What makes you think that I am running
RedHat?  Ever heard of NetBSD?  It is even more secure than the PIX.


  Another thing, what makes you think that I am
  also running other services besides firewall features on Linux?  If you
  read my email carefully, you will also notice that I only run SSH and netfilter
  (aka iptables) on the firewall.
I read that part.  That's why I said root or sudo access allows a user to
install other services.  A Cisco IOS does not.  It's easy to add a new
service if you have access to do it.  You can even install via ftp.

Now how do you plan on getting my root password?

 Your reason is based purely on FUD
  (Fear, Uncertainty and Doubt).
It's based on 12 years experience and working as security administrator at
an ISP where we've had many DSL users complain about their Linux boxes being
hacked.  Some find out they've been hacked after someone on the internet had
reports of porn sites running on their compromised system.  Users who
purchased a PIX and allowed us to manage it have not been hacked even one
time so far.

That is because they don't know what they are doing.  How do you know
that the Cisco PIX doesn't have any security holes?  Did you read about Cisco
IOS devices having the ISN security hole in them?  What
makes you think that the PIX doesn't have this problem?  Based on what the
vendors tell you?  I would take their word with a grain of salt.

I ain't skeered ;)  I was trying to let you know the vulnerabilities you
might have and allow you to take precautions.  If you're going to be that
way about it, you can learn on your own the hard way when you have to fly
out there to fix a compromised system or failed hard drive.  From your reply
you either didn't read my reply carefully or didn't even understand it.

Every system has its good and bad.  It is up to us to decide.  If I am
educated about Linux and its capabilities and limitations, I think the
system can be a very effective Firewall.

Just my 2 cents.
Sean
 
  Sean
 
 
  From: "Allen May" [EMAIL PROTECTED]
  To: "Sean Young" [EMAIL PROTECTED], [EMAIL PROTECTED],
  [EMAIL PROTECTED], [EMAIL PROTECTED]
  Subject: Re: Performance Comparision between Linux OS Firewall and 
Cisco
  PIX 525
  Date: Mon, 26 Mar 2001 14:29:34 -0600
  
  Is the outside interface still open to SSH connections?  If so, and it's
  compromised, Linux is a full-blown operating system that, when compromised,
  can have ANY program designed for Linux installed.  Can you imagine
  something like a packet analyzer grabbing all your passwords and sending
  them out over the net to someone else?  Ewww.  That's my #1 reason for going
  with something like a PIX.  Just make sure your IDS is set to notify even
  in the event of a SUCCESSFUL connection.  I've seen people who set it up
  for unsuccessful attempts only.
  
  I hope that guy wasn't fired BECAUSE he recommended the Cisco solution.
  That's totally a matter of point of view on that decision and his wasn't
  wrong..neither was the Linux choice.  Some situations call for one while
  others call for the other.
  
  Oh and keep a copy of the correctly configured drive with all settings on
  hand.  A hard drive is much more prone to failure th

Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Roger Sohn

There are a few ways to go about this.

1) You can run a stripped down (running minimal and only required services)
Linux box serving only SSH connections and you can use that machine to log
in to your PIX (allowing your PIX to only accept connections from this SSH
server) and perform administration.
2) Or...you can just run the PIX and I think you can also run a TACACS+
server with it to authenticate encrypted passwords and logins, or run
encryption on the PIX itself.  I could be mistaken, but I know something
like that would probably work best.

But the thing that people have to understand is, that *no one* can
absolutely guarantee that anything can't be compromised.  It will always be
a 99.999% chance that it will be secure.  It all depends on how the
firewall you choose is set up.  Anything is breakable.

But in my opinion, I would recommend running a hardware firewall solution
such as the PIX or equivalent because the device is specifically made to run
the firewalling processes.  Unlike a Linux/Unix/NT box with a software-based
firewall system such as Checkpoint, etc. a hardware solution does not have
the OS overhead with services that firewalling does not require and also
exploits and patches that you need to constantly be up to date about, issues
that others have already mentioned.  It just comes down to how much money
you want to spend and also what you prefer.  I may prefer the Cisco PIX, but
I have friends that recommend a home-grown Unix box solution.

Just trying to help,
Roger

- Original Message -
From: "Sean Young" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Monday, March 26, 2001 12:42 PM
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco PIX
525


 Allen,
 If SSH service is not open on the outside interface, how do you expect
 to troubleshoot the problem when there is a problem with the Firewall?
 Tell me this, how can you troubleshoot a PIX remotely when there is a
 problem? My employer is certainly not going to fly me out-of-state to fix a
 minor problem.  Furthermore, can you absolutely guarantee me, in writing,
 that the Cisco PIX can never be compromised?  Another thing, what makes
 you think that I am also running other services besides Firewall features
 on Linux.  If you read my email carefully, you also notice that I only run
 SSH and netfilter (aka iptables) on the Firewall.  Your reason is based
 purely on FUD (Fear, Uncertainty and Doubt).

 Sean


 From: "Allen May" [EMAIL PROTECTED]
 To: "Sean Young" [EMAIL PROTECTED], [EMAIL PROTECTED],
 [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
 PIX 525
 Date: Mon, 26 Mar 2001 14:29:34 -0600
 
 Is the outside interface still open to SSH connections?  If so, and it's
 compromised, Linux is a full-blown operating system that, when compromised,
 can have ANY program designed for Linux installed.  Can you imagine
 something like a packet analyzer grabbing all your passwords and sending
 them out over the net to someone else?  Ewww.  That's my #1 reason for going
 with something like a PIX.  Just make sure your IDS is set to notify even
 in the event of a SUCCESSFUL connection.  I've seen people who set it up
 for unsuccessful attempts only.
 
 I hope that guy wasn't fired BECAUSE he recommended the Cisco solution.
 That's totally a matter of point of view on that decision and his wasn't
 wrong..neither was the Linux choice.  Some situations call for one while
 others call for the other.
 
 Oh and keep a copy of the correctly configured drive with all settings on
 hand.  A hard drive is much more prone to failure than RAM/ROM just due to
 the moving parts involved.
 
 Allen
 - Original Message -
 From: "Sean Young" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Sent: Sunday, March 25, 2001 3:05 PM
 Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
 PIX
 525
 
 
   Ken,
   Thank you very much for the advice.  This past Friday, my company has
   decided to use Linux as our company Firewall.  Furthermore, we've decided
   that this Firewall will be running kernel 2.4.2 with only two services
   running on it, SSH and netfilter (aka iptables).  I've tested kernel
   2.4.2 in the lab and noticed it performs better than kernel 2.2.x.  I've also
   performed various intrusion detection tests on the box using
   Cisco NetSonar, Cybercop, ISS, Axent Netrecon but was unable to break
   it.  The linux box is rock-solid.  I am also running portsentry (IDS)
   on the Firewall itself.
  
   Also, we decided to run our squid proxy server on another linux box
   to provide transparent caching for our internal users.  As far as VPN is
   concerned, we are going to implement FreeS/WAN on another box.  I think
   in the long run, it is going to save the company a lot of money.  We
   end up not buying t

Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Allen May

OK this is messed up.  I sent you a list of possible things that could
happen and you're still going off on me.  I was trying to allow you to make
precautions against this stuff but you're going nuts here.  I don't want an
argument, I'm trying to help.  I LIKE Linux.

More inline comments (hopefully the last).


- Original Message -
From: "Sean Young" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Monday, March 26, 2001 3:19 PM
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco PIX
525


 Sigh...inline comments


 From: "Allen May" [EMAIL PROTECTED]
 To: "Sean Young" [EMAIL PROTECTED], [EMAIL PROTECTED],
 [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
 PIX 525
 Date: Mon, 26 Mar 2001 14:55:57 -0600
 
 Sigh...inline comments:
 
 - Original Message -
 From: "Sean Young" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Sent: Monday, March 26, 2001 2:42 PM
 Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
 PIX
 525
 
 
   Allen,
   If SSH service is not open on the outside interface, how do you expect
   to troubleshoot the problem when there is a problem with the Firewall?
 VPN, dial-up modem, terminal server, ACLs, etc.  If they find your password
 or someone knows it and gets in, does IDS tell you?

 Dial-up modem.  Isn't there a war-dialer that can hack your system?
 Another thing, doesn't the VPN also have a public interface? What
 about if your VPN has been compromised?  Ever thought about that?

I'm a security administrator.  Of course I've thought of that.
1)  No it does not have a public interface.  It has a virtual IP with only
vpn ports opened to it.  ACL only allows certain source IPs to even access
it.  You have to have username/password just to get into VPN and even then,
TACACS+ or RADIUS limits the commands you can type from that point.  It's an
added layer of security that they have to get past before even being able
to SSH or telnet to the firewall.  This forces them to have 3
username/password combinations and get through ACL without disabling the
account they're trying to use.  This is simply another layer of security you
would have.

2)  War dialers don't do any good when it's AAA-authentication with TACACS+.
The account is disabled after X attempts.  See following comment about IDS
as well.  Besides, why use that argument when you've got SSH wide open to
the entire internet?  Also how are they going to get your phone #?  Same way
they would have to get the password.  Again, another layer of security I
simply suggested.

3)  IDS tells me when a VPN user establishes a connection with the firewall
when configured.  That's what I said in the first email.  If you have it,
set it up to notify you even of successful attempts.  It's another layer of
security you could possibly use instead of just SSH enabled to the world.

 
   Tell me this, how can you troubleshoot a PIX remotely when there is a
   problem? My employer is certainly not going to fly me out-of-state to
   fix a minor problem.
 See above answer.
 
  Furthermore, can you absolutely guarantee me, in writing,
   that the Cisco PIX
   can never be compromised?
 No guarantee but it's claimed to have never been compromised unless the
 attacker had inside access (physical, vpn, etc) and knew the password and
 the user was careless enough to not implement ACL.  On the other hand, read
 up on security on Linux for yourself.  Redhat was the #1 hacked operating
 system (even surpassed Windows last I read).

 Ever heard of the Linux Router Project?  What makes you think that I am running
 RedHat?  Ever heard of NetBSD?  It is even more secure than
 PIX.

I mentioned vulnerabilities in Redhat as an example not knowing what you were
using.  Regardless, it's a full blown OS that when compromised, someone can
install any service they like.  Please send the link stating it's more
secure than PIX.  I want to see how someone can install a packet sniffer on
a PIX when they know my password.


 
  Another thing, what makes you think that I am
   also running other services besides Firewall features on Linux.  If you
   read my email carefully, you also notice that I only run SSH and netfilter
   (aka iptables) on the Firewall
 I read that part.  That's why I said root or sudo access allows a user to
 install other services.  A Cisco IOS does not.  It's easy to add a new
 service if you have access to do it.  You can even install via ftp.
 
 Now how do you plan on getting my root password?

I'm not.  But it's easy.  Are you the only one who knows it?  Is it written
down somewhere?  It's amazing what disgruntled employees would do for a nice
little check from an outside source.  That's a risk involved with any
operating system or piece of hardware.  However, with ACL allowing certa

RE: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Simmons, Chad

Inline comment


-Original Message-
From: Sean Young [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 26, 2001 4:20 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
PIX 525

That is because they don't know what they are doing.  How do you know
that the Cisco PIX doesn't have any security holes?  Did you read about Cisco
IOS devices having the ISN security hole in them?  What
makes you think that the PIX doesn't have this problem?  Based on what the
vendors tell you?  I would take their word with a grain of salt.

The PIX is based on a completely different codebase than Cisco's IOS.

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Moe Tavakoli

Sean,

Do you also allow telnet (or SSH) to your edge
routers?  If not, then how do you do remote admin?  If
so.. well, never mind.
In the case of not being able to connect to the PIX
from the outside, well I have been doing remote
admin on networks with a PIX, which by the way did not
allow any connections to it from the outside till SSH
came along, for many years.  There are things like
VPNs and remote access dial-ups to the private side.

You guys are going over some stupid and invalid
points to prove your point...

Bottom line, if you know how to properly set up a
Linux firewall, great.  You have a very powerful tool
at a very low price (almost free!)
If you are an enterprise which makes money (and I
mean real money, and not your typical mom and pop)
with their infrastructure, one would be a fool to
implement a Linux firewall.  Something that is
standards based and you can call many firms for
support and is backed by a company with its balls on
the line for their products is the way to go.  Let's
forget the technical "is this better or that" and look
at the business logic (technical issues seem to never
be solved!)
I would rather implement Cisco because I know when
the person who set it up leaves there are MANY people
out there, a phone call away, that can hop in and make
the needed changes.  They don't have to ask what ver
of Linux I'm running, they don't have to look and see
which of many firewall (and router) apps are being
used... There is one common language which the PIX is
configured in.
Also, your Linux box is only as good as the hardware
you run it on... There aren't many cheap boxes with
the same MTBF as the PIXs (or Nokia's or any
enterprise class FW.)

Moe.

--- Allen May [EMAIL PROTECTED] wrote:
 One more thing I forgot to mention.  If compromised (it has to be from
 inside because outside interface cannot be used to connect), all they can do
 to a PIX is mess up your config or add some lines.  However, with TACACS+
 AAA authentication you can even limit what commands they can execute.  If
 the config is messed up, just dial in and copy the config from the tftp
 server again.
 
 
 - Original Message -
 From: "Sean Young" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
 [EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Sent: Monday, March 26, 2001 2:42 PM
 Subject: Re: Performance Comparision between Linux
 OS Firewall and Cisco PIX
 525
 
 
  Allen,
  If SSH service is not open on the outside interface, how do you expect
  to troubleshoot the problem when there is a problem with the Firewall?
  Tell me this, how can you troubleshoot a PIX remotely when there is a
  problem? My employer is certainly not going to fly me out-of-state to fix a
  minor problem.  Furthermore, can you absolutely guarantee me, in writing,
  that the Cisco PIX can never be compromised?  Another thing, what makes
  you think that I am also running other services besides Firewall features
  on Linux.  If you read my email carefully, you also notice that I only run
  SSH and netfilter (aka iptables) on the Firewall.  Your reason is based
  purely on FUD (Fear, Uncertainty and Doubt).
  
  Sean
 
 
  From: "Allen May" [EMAIL PROTECTED]
  To: "Sean Young" [EMAIL PROTECTED],
 [EMAIL PROTECTED],
  [EMAIL PROTECTED],
 [EMAIL PROTECTED]
  Subject: Re: Performance Comparision between
 Linux OS Firewall and Cisco
  PIX 525
  Date: Mon, 26 Mar 2001 14:29:34 -0600
  
  Is the outside interface still open to SSH connections?  If so, and it's
  compromised, Linux is a full-blown operating system that, when compromised,
  can have ANY program designed for Linux installed.  Can you imagine
  something like a packet analyzer grabbing all your passwords and sending
  them out over the net to someone else?  Ewww.  That's my #1 reason for going
  with something like a PIX.  Just make sure your IDS is set to notify even
  in the event of a SUCCESSFUL connection.  I've seen people who set it up
  for unsuccessful attempts only.
  
  I hope that guy wasn't fired BECAUSE he recommended the Cisco solution.
  That's totally a matter of point of view on that decision and his wasn't
  wrong..neither was the Linux choice.  Some situations call for one while
  others call for the other.
  
  Oh and keep a copy of the correctly configured drive with all settings on
  hand.  A hard drive is much more prone to failure than RAM/ROM just due to
  the moving parts involved.
  
  Allen
  - Original Message -
  From: "Sean Young" [EMAIL PROTECTED]
  To: [EMAIL PROTECTED];
 [EMAIL PROTECTED];
  [EMAIL PROTECTED]
  Sent: Sunday, March 25, 2001 3:05 PM
  Subject: Re: Performance Comparision between
 Linux OS Firewall and Cisco
  PIX
  525
  
  
    Ken,
    Thank you very much for the advice.  This past Friday, my company has
    decided to use Linux as our company Firewall.  Furthermore, we've decided
    that this Firewall will be running kernel
 

Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-25 Thread Sean Young

Ken,
Thank you very much for the advice.  This past Friday, my company has
decided to use Linux as our company Firewall.  Furthermore, we've decided
that this Firewall will be running kernel 2.4.2 with only two services
running on it, SSH and netfilter (aka iptables).  I've tested kernel
2.4.2 in the lab and noticed it performs better than kernel 2.2.x.  I've also
performed various intrusion detection tests on the box using
Cisco NetSonar, Cybercop, ISS, Axent Netrecon but was unable to break
it.  The linux box is rock-solid.  I am also running portsentry (IDS)
on the Firewall itself.

Also, we decided to run our squid proxy server on another linux box
to provide transparent caching for our internal users.  As far as VPN is
concerned, we are going to implement FreeS/WAN on another box.  I think
in the long run, it is going to save the company a lot of money.  We
ended up not buying the PIX and web-caching engine from Cisco.  Oh, the
networking guy in our group who recommended the Cisco PIX and Cisco web-
caching engine as a solution has been fired.  Go figure.

Regards,
Sean
P.S.  Priscilla, why not implement TRANSPARENT caching by using squid
to speed up the internet connection for your users?  Squid is free and very
secure and easy to use.

From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], "Stuart Brockwell" [EMAIL PROTECTED]
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco 
PIX 525
Date: Sat, 24 Mar 2001 20:02:26 -0800

Sean,

Comments embedded:

On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:

  Hi Sean,
  I am a Linux head myself, and one of our firewalls is in fact running
  on a Linux box.  The only problem with this type of firewall is that
  you inherit all of the known bugs that the software has.  Given that
  the source code to Linux is widely available, you have a lot of very
  talented people out there who know these holes and are able to exploit
  them very easily.

It also means that there are a lot of talented people who are looking
at the code to make sure that any holes are patched.  In fact, when
new exploits are found, Linux is usually the fastest platform to have
a patch available.  Compare this to having to wait weeks for vendor
patches or having to prove to a vendor that a problem exists.

Also, a service can only be exploited if it is running.  A properly
configured firewall doesn't run unnecessary services, this makes it
very difficult to exploit.  Essentially, it would come down to trying to
DoS it or running a password guessing program against it to get
remote access.


If you
  maintain your own Linux firewall, you will need to continuously look
  for the latest bug fixes to install on your Linux box to address the
  latest round of holes that have been released.

If the Linux firewall is properly set up, the only services running on it
are ipchains and SSH.  This means that you have to be aware of 2
services.  While there could always be a local exploit, if only
trusted admins have access, the trouble with keeping up patches
is minimal.  It is certainly no more trouble than keeping up with
bugs on a vendor platform.

 
  Cisco and companies such as Watch Guard closely guard their source
  code, often you can elect to take on a maintenance contract with the
  firewall where you receive all the latest fixes for a 12 month period
  (this is what we did).  As this is their bread and butter, they spend
  a lot of time looking for holes and fixes to known bugs.
 

While true, this doesn't mean that their code will have fewer bugs
or that the bugs will be patched quicker.  There is a very large
support community for Linux that is very technical.  Most bugs are
patched in a matter of days, sometimes hours.


  the main plus for each of
  the commercial packages is that there is large support base, where as
  skilled Linux admin staff who can lock down a firewall are very few
  and far between.

This is simply not true.  There is a very large community of Linux
developers and admins, and most of them are very knowledgeable.
There are good mailing lists and _plenty_ of good Linux
security/firewall books, articles, web sites, etc. available.

Locking down a Linux box is not rocket science.  That is FUD that
is propagated by vendors who want to sell product.  It's not hard to
configure a Linux box to be secure, the difficulty comes in running
lots of services and providing access to users.  If you have a box
that runs web, ftp, smtp, nfs, etc., then it becomes much harder to
secure, but none of these services should be running on a firewall.

The bottom line is that there are several good commercial firewalls,
but that doesn't mean that a Linux box cannot serve as a good, low-
end alternative.  Especially if cost is one of the main decision
factors.

-Kent




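Sean's message above says the firewall runs only two things, SSH and netfilter (aka iptables), and the point the thread keeps circling is whether SSH on the outside interface is open to the whole Internet. What follows is an added example, not code from the thread or from any participant: a default-deny netfilter ruleset for exactly such a box, with SSH to the firewall itself accepted only from one management host on the outside and from the inside network. The interface names eth0/eth1, the inside network 192.168.1.0/24, the management host 203.0.113.10 and the syslog host 192.168.1.20 are assumptions for illustration. `firewall_rules` takes the command the rules are pushed through, so `firewall_rules echo` prints them for review and `firewall_rules iptables` applies them.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny netfilter ruleset for a
# two-interface Linux firewall whose only listening service is SSH, with SSH
# to the box itself accepted only from one management host on the outside and
# from the inside network.  Interface names, addresses, the management host
# and the syslog host are assumptions for illustration.
#
# Usage:  sh fw-rules.sh          # print the iptables commands (dry run)
#         sh fw-rules.sh apply    # run them as root

OUTSIDE="${OUTSIDE:-eth0}"
INSIDE="${INSIDE:-eth1}"
INSIDE_NET="${INSIDE_NET:-192.168.1.0/24}"
MGMT_HOST="${MGMT_HOST:-203.0.113.10}"    # the one outside host allowed to SSH in
LOG_HOST="${LOG_HOST:-192.168.1.20}"      # inside syslog server the firewall reports to

# firewall_rules <command>: emit every rule through <command>, so
# "firewall_rules echo" prints them and "firewall_rules iptables" applies them.
firewall_rules() {
    ipt="$1"

    # Clean slate, then default-deny on all three built-in chains.  Dropping
    # OUTPUT too means a compromised box cannot freely ship captured traffic
    # out; it may only talk to the hosts explicitly allowed below.
    "$ipt" -F
    "$ipt" -t nat -F
    "$ipt" -X
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT DROP

    # Loopback, and replies to connections that were already accepted.
    "$ipt" -A INPUT   -i lo -j ACCEPT
    "$ipt" -A OUTPUT  -o lo -j ACCEPT
    "$ipt" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: inside addresses never legitimately arrive on the outside.
    "$ipt" -A INPUT   -i "$OUTSIDE" -s "$INSIDE_NET" -j DROP
    "$ipt" -A FORWARD -i "$OUTSIDE" -s "$INSIDE_NET" -j DROP

    # The only service the firewall offers is SSH, and only from the
    # management host on the outside or from the inside network; the rest of
    # the Internet never sees port 22 open.
    "$ipt" -A INPUT -i "$OUTSIDE" -p tcp -s "$MGMT_HOST"  --dport 22 -m state --state NEW -j ACCEPT
    "$ipt" -A INPUT -i "$INSIDE"  -p tcp -s "$INSIDE_NET" --dport 22 -m state --state NEW -j ACCEPT

    # Inside hosts may open outbound connections; hide them behind the outside address.
    "$ipt" -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$INSIDE_NET" -m state --state NEW -j ACCEPT
    "$ipt" -t nat -A POSTROUTING -o "$OUTSIDE" -s "$INSIDE_NET" -j MASQUERADE

    # The firewall itself originates nothing but syslog to the inside log host.
    "$ipt" -A OUTPUT -o "$INSIDE" -p udp -d "$LOG_HOST" --dport 514 -j ACCEPT

    # Everything else aimed at the box is logged (rate-limited) and dropped.
    # The policy would drop it anyway; the log line is what tells you that
    # someone is probing, whether or not they got in.
    "$ipt" -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-INPUT-DROP: "
    "$ipt" -A INPUT -j DROP
}

# ssh_rule_count <rule text>: how many INPUT rules open TCP/22 on the box,
# a quick audit that management access is as narrow as intended (expect 2).
ssh_rule_count() {
    printf '%s\n' "$1" | grep -c -- '-A INPUT .* --dport 22 '
}

case "${1:-print}" in
    apply) firewall_rules iptables ;;
    *)     firewall_rules echo ;;
esac
```

The OUTPUT policy of DROP is deliberate: if the box is taken over in the way Allen describes, a sniffer on it has nowhere to send captured traffic except the syslog host, which is the one outbound flow allowed. If the firewall needs NTP or a package mirror, add a rule for that host rather than loosening the policy.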

Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-25 Thread KY

Sean,

Have you guys compared FreeBSD with Linux for the firewall?

Thanks

KY
""Sean Young"" [EMAIL PROTECTED] wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Ken,
 Thank you very much for the advice.  This past Friday, my company has
 decided to use Linux as our company Firewall.  Furthermore, we've decided
 that this Firewall will be running kernel 2.4.2 with only two services
 running on it, SSH and netfilter (aka iptables).  I've tested kernel
 2.4.2 in the lab and noticed it performs better than kernel 2.2.x.  I've also
 performed various intrusion detection tests on the box using
 Cisco NetSonar, Cybercop, ISS, Axent Netrecon but was unable to break
 it.  The linux box is rock-solid.  I am also running portsentry (IDS)
 on the Firewall itself.

 Also, we decided to run our squid proxy server on another linux box
 to provide transparent caching for our internal users.  As far as VPN is
 concerned, we are going to implement FreeS/WAN on another box.  I think
 in the long run, it is going to save the company a lot of money.  We
 ended up not buying the PIX and web-caching engine from Cisco.  Oh, the
 networking guy in our group who recommended the Cisco PIX and Cisco web-
 caching engine as a solution has been fired.  Go figure.

 Regards,
 Sean
 P.S.  Priscilla, why not implement TRANSPARENT caching by using squid
 to speed up the internet connection for your users?  Squid is free and very
 secure and easy to use.

 From: [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], "Stuart Brockwell" [EMAIL PROTECTED]
 Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
 PIX 525
 Date: Sat, 24 Mar 2001 20:02:26 -0800
 
 Sean,
 
 Comments embedded:
 
 On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:
 
   Hi Sean,
   I am a Linux head myself, and one of our firewalls is in fact running
   on a Linux box.  The only problem with this type of firewall is that
   you inherit all of the known bugs that the software has.  Given that
   the source code to Linux is widely available, you have a lot of very
   talented people out there who know these holes and are able to exploit
   them very easily.
 
 It also means that there are a lot of talented people who are looking
 at the code to make sure that any holes are patched.  In fact, when
 new exploits are found, Linux is usually the fastest platform to have
 a patch available.  Compare this to having to wait weeks for vendor
 patches or having to prove to a vendor that a problem exists.
 
 Also, a service can only be exploited if it is running.  A properly
 configured firewall doesn't run unnecessary services, this makes it
 very difficult to exploit.  Essentially, it would come down to trying to
 DoS it or running a password guessing program against it to get
 remote access.
 
 
 If you
   maintain your own Linux firewall, you will need to continuously look
   for the latest bug fixes to install on your Linux box to address the
   latest round of holes that have been released.
 
 If the Linux firewall is properly set up, the only services running on it
 are ipchains and SSH.  This means that you have to be aware of 2
 services.  While there could always be a local exploit, if only
 trusted admins have access, the trouble with keeping up patches
 is minimal.  It is certainly no more trouble than keeping up with
 bugs on a vendor platform.
 
  
   Cisco and companies such as Watch Guard closely guard their source
   code, often you can elect to take on a maintenance contract with the
   firewall where you receive all the latest fixes for a 12 month period
   (this is what we did).  As this is their bread and butter, they spend
   a lot of time looking for holes and fixes to known bugs.
  
 
 While true, this doesn't mean that their code will have fewer bugs
 or that the bugs will be patched quicker.  There is a very large
 support community for Linux that is very technical.  Most bugs are
 patched in a matter of days, sometimes hours.
 
 
   the main plus for each of
   the commercial packages is that there is large support base, where as
   skilled Linux admin staff who can lock down a firewall are very few
   and far between.
 
 This is simply not true.  There is a very large community of Linux
 developers and admins, and most of them are very knowledgeable.
 There are good mailing lists and _plenty_ of good Linux
 security/firewall books, articles, web sites, etc. available.
 
 Locking down a Linux box is not rocket science.  That is FUD that
 is propagated by vendors who want to sell product.  It's not hard to
 configure a Linux box to be secure, the difficulty comes in running
 lots of services and providing access to users.  If you have a box
 that runs web, ftp, smtp, nfs, etc., then it becomes much harder to
 secure, but none of these services should be running on a firewall.
 
 The bottom line is that there are several good commercial firewalls,
 but tha

Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-24 Thread kent . hundley

Priscilla,

You can get a PIX 506 for about $1,400 from www.provantage.com. 
This may still be a little pricey for a school though. 

I wouldn't worry too much about someone breaking into a properly 
configured Linux firewall.  First, if you have a box acting as a 
firewall, it shouldn't be running _any_ unnecessary services, i.e. 
DNS, SMTP, FTP, etc.  When I configure Unix/Linux to act as a 
firewall, the only services I leave running are SSH and the firewall 
software itself. Period.  All other services are disabled and removed.

There is no good reason to run any other traditional service on the 
firewall.  You can pick up wintel boxes that will run fine for a couple 
of hundred bucks.  If you need additional services they should be 
run on different boxes, not the firewall. 

Pick a good password for use with SSH, something with several 
special characters, or use S/Key and you should be fine.  Course, 
that doesn't mean someone couldn't get _through_ the firewall, only 
that the firewall itself is secured.

Regards,
Kent

On 23 Mar 2001, at 9:37, Priscilla Oppenheimer wrote:

 How about if the customer is strapped for money. I work at a school.
 Luckily our students haven't gotten sophisticated enough to break into
 the Linux firewall but I don't think that day is too far away.
 Some of them are very smart and they are learning Linux and networking
 in their classes. But PIX is too expensive, I think??
 
 Priscilla
 
 At 09:24 AM 3/23/01, Rik wrote:
 I have seen way too many Linux firewalls hacked as a result of
 mis-administration.  Now, I'm not assuming anything about your
 abilities as the last confirmed hack that I was notified about was a
 Linux FW setup by 2 guys that I know to be excellent Linux admins. 
 The problem is the inherent nature of the beast.  A PIX is totally
 secure right out of the box.  The last Linux hack I speak of was
 hacked based on an exploit within BIND and had nothing to do with the
 FW policy.
 
 I also find the PIX to be MUCH easier to configure and setup.  I can
 do in only a few lines of code what could possibly take pages and
 pages of code in Linux.  When talking about firewalls, simplicity is
 a critically important concern.  One compromise could easily remove
 any upfront cost advantage Linux has over Cisco.  Also, you don't
 have to be concerned with shutting down unused services on a PIX as
 you would on Linux.
 
 Go with the PIX.  It was designed from the ground up to do just what
 it does: protect your network.  Cisco claims that a properly
 configured PIX has never been compromised.  I believe them.
 
 Rik
 
 
 ""Sean Young"" [EMAIL PROTECTED] wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
   Hi Everyone,
  
   My company is putting me in charge of implementing a Firewall for
   our company.  One guy in my networking group is recommending the PIX
   Firewall. Furthermore, he also recommends a Cisco Web-caching
   engine.  His reason is that not only is Cisco a good Firewall but it
   also provides VPN connectivity to our remote sites.  Myself, on
   the other hand, would like to implement a Linux-based OS firewall
   along with the FreeS/WAN VPN feature set.  My reason is that a linux
   firewall can provide everything a Cisco PIX does and even more. 
   In terms of hardware, the linux Firewall/VPN/IPSec box will be
   running a dual-processor (800MHz) with 1GB of RAM. I just feel
   that I can get a lot more for the amount that we are going to
   spend with linux than with Cisco PIX.  I also feel that I can tweak
   the source code on the LINUX kernel to increase the performance
   and security. Also, instead of purchasing the Cisco web-caching
   engine, I am thinking of building another linux box that will be
   running a squid (web-caching) server.  Don't get me wrong, I think
   Cisco has a lot of good products in the area of routing; however,
   I just don't think it is necessary to throw money away at Cisco
   when I know that Linux or BSD can do the same job that the PIX and
   Cisco web-caching engine do but for much less and also I can
   control the source code.  Has anyone had experience with both the
   Linux/BSD, Squid and Cisco PIX, Cisco web-caching engine so that
   you can give advice on what I should do?  I am open to your
   suggestions.
  
   Many thanks.
   Sean
   _
   Get your FREE download of MSN Explorer at http://explorer.msn.com
  
   _
   FAQ, list archives, and subscription info:
 http://www.groupstudy.com/list/cisco.html
   Report misconduct and Nondisclosure violations to
   [EMAIL PROTECTED]
  
 
 
 _
 FAQ, list archives, and subscription info: 
 http://www.groupstudy.com/list/cisco.html
 Report misconduct and Nondisclosure violations to
 [EMAIL PROTECTED]
 
 
 
 
 Priscilla Oppenheimer
 http://www.priscilla.com
 
 _
 FAQ, list archives, and 

Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-24 Thread kent . hundley

While I agree that for an enterprise I would choose PIX over Linux 
for firewall purposes, if your friends configured a Linux firewall and 
ran other services on it, they may be good Linux admins but they 
don't know much about security. 

There is _no_ good reason to run unnecessary services on a 
firewall. Period.  Wintel hardware is too inexpensive to use any 
argument that a box serving as a firewall needs to run DNS, FTP, 
SMTP, etc.

The only service other than ipchains that a Linux firewall should run 
is SSH.  This gives you all the remote administration of the box 
you need and makes the box very secure.  

-Kent


On 23 Mar 2001, at 9:24, Rik wrote:

 I have seen way too many Linux firewalls hacked as a result of
 mis-administration.  Now, I'm not assuming anything about your
 abilities as the last confirmed hack that I was notified about was a
 Linux FW setup by 2 guys that I know to be excellent Linux admins. 
 The problem is the inherent nature of the beast.  A PIX is totally
 secure right out of the box.  The last Linux hack I speak of was
 hacked based on an exploit within BIND and had nothing to do with the
 FW policy.
 
 I also find the PIX to be MUCH easier to configure and setup.  I can
 do in only a few lines of code what could possibly take pages and
 pages of code in Linux.  When talking about firewalls, simplicity is a
 critically important concern.  One compromise could easily remove any
 upfront cost advantage Linux has over Cisco.  Also, you don't have to
 be concerned with shutting down unused services on a PIX as you would
 on Linux.
 
 Go with the PIX.  It was designed from the ground up to do just what
 it does: protect your network.  Cisco claims that a properly
 configured PIX has never been compromised.  I believe them.
 
 Rik
 
 



Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-24 Thread kent . hundley

Sean,

Comments embedded:

On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:

 Hi Sean,
   I am a Linux head myself, and one of our firewalls is in fact running
 on a Linux box.  The only problem with this type of firewall is that
 you inherit all of the known bugs that the software has.  Given that
 the source code to Linux is widely available, you have a lot of very
 talented people out there who know these holes and are able to exploit
 them very easily.

It also means that there are a lot of talented people who are looking 
at the code to make sure that any holes are patched.  In fact, when 
new exploits are found, Linux is usually the fastest platform to have 
a patch available.  Compare this to having to wait weeks for vendor 
patches or having to prove to a vendor that a problem exists.

Also, a service can only be exploited if it is running.  A properly 
configured firewall doesn't run unnecessary services; this makes it 
very difficult to exploit.  Essentially, it would come down to trying to 
DoS it or running a password guessing program against it to get 
remote access.


   If you
 maintain your own Linux firewall, you will need to continuously look
 for the latest bug fixes to install on your Linux box to address the
 latest round of holes that have been released.

If the Linux firewall is properly setup, the only services running on it 
are ipchains and SSH.  This means that you have to be aware of 2 
services.  While there could always be a local exploit, if only 
trusted admins have access, the trouble with keeping up patches 
is minimal.  It is certainly no more trouble than keeping up with 
bugs on a vendor platform.

 
 Cisco and companies such as Watch Guard closely guard their source
 code, often you can elect to take on a maintenance contract with the
 firewall where you receive all the latest fixes for a 12 month period
 (this is what we did).  As this is their bread and butter, they spend
 a lot of time looking for holes and fixes to known bugs.
 

While true, this doesn't mean that their code will have fewer bugs 
or that the bugs will be patched quicker.  There is a very large 
support community for Linux that is very technical.  Most bugs are 
patched in a matter of days, sometimes hours.


 the main plus for each of
 the commercial packages is that there is large support base, where as
 skilled Linux admin staff who can lock down a firewall are very few
 and far between.

This is simply not true.  There is a very large community of Linux 
developers and admins, and most of them are very knowledgeable.  
There are good mailing lists and _plenty_ of good Linux 
security/firewall books, articles, web sites, etc. available.  

Locking down a Linux box is not rocket science.  That is FUD that 
is propagated by vendors who want to sell product.  It's not hard to 
configure a Linux box to be secure; the difficulty comes in running 
lots of services and providing access to users.  If you have a box 
that runs web, ftp, smtp, nfs, etc., then it becomes much harder to 
secure, but none of these services should be running on a firewall.

The bottom line is that there are several good commercial firewalls, 
but that doesn't mean that a Linux box cannot serve as a good, 
low-end alternative.  Especially if cost is one of the main decision 
factors.

-Kent

  


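A worked check for the two points Kent makes above, in his reply to Rik (a Linux firewall should run nothing but ipchains and SSH) and in his reply to Stuart (a service can only be exploited if it is running). This is an added example, not code posted by anyone in the thread: a shell script that prints a minimal ipchains policy for the firewall host itself and audits the host's listening sockets against that policy. The admin network 192.0.2.0/24 and the netstat sample inside the script are assumptions constructed for the example, not taken from any real host.

```shell
#!/bin/sh
# Added example, not code from the thread: the two checks behind Kent's
# "ipchains and SSH, nothing else" rule for a Linux firewall host.
# Assumptions (not from the thread): admin workstations live in
# 192.0.2.0/24, and the netstat sample below is CONSTRUCTED to look like
# `netstat -tuln` on a box that still runs BIND (53) and sendmail (25).

ADMIN_NET="192.0.2.0/24"   # hypothetical network allowed to reach SSH

# 1. Minimal ipchains policy for the firewall *host* itself: deny all
#    inbound by default, accept SSH only from the admin network, accept
#    replies to the host's own connections (non-SYN TCP, DNS answers),
#    log whatever else arrives.  The forward chain stays at DENY because
#    rules for the site's own traffic depend on local policy.  Printed
#    instead of executed so the rules can be reviewed first; on the
#    firewall run:  gen_ipchains_rules | sh
gen_ipchains_rules() {
    cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -p tcp -s $ADMIN_NET -d 0.0.0.0/0 22 -j ACCEPT
ipchains -A input -p tcp ! -y -j ACCEPT
ipchains -A input -p udp -s 0.0.0.0/0 53 -d 0.0.0.0/0 1024:65535 -j ACCEPT
ipchains -A input -l -j DENY
EOF
}

# 2. Verify that nothing but SSH is listening.  Reads `netstat -tuln`
#    style lines on stdin, prints every listener that is not tcp/22 and
#    exits 1 when it found any, so the check can fail a deployment.
#    On a real host:  netstat -tuln | unexpected_listeners
unexpected_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # keep only the port
            if (port != "22") { print; found = 1 }
        }
        $1 ~ /^udp/ { print; found = 1 }         # no UDP listener belongs here
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample of `netstat -tuln` output (not from any real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# Stand-alone demo: show the rule set, then audit the constructed sample
# (which fails, because sendmail and BIND are still listening).
gen_ipchains_rules
if printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners; then
    echo "OK: only SSH is listening"
else
    echo "FAIL: the services above do not belong on a firewall"
fi
```

The listener audit is worth re-running after every package update, not just once at install time, since an update can re-enable a daemon that was disabled by hand; that is the "keeping up with patches" cost Kent describes, reduced to one command.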



Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-24 Thread Priscilla Oppenheimer

Thanks for the advice, Kent.

I think we are doing exactly what you say, though I'll check. The 
administrator bought an inexpensive Wintel box and I believe he is running 
just the Linux firewall on it and no other services.

Performance has been surprisingly good, especially considering that about 
700 users access the Web consistently. We no longer use a proxy, so all the 
traffic really does go out to the Web. Mostly it's traffic to simple Web 
pages such as www.blackboard.com, but the students also download videos, 
games, etc., even if we tell them not to, of course. (We block Napster. ;-)

Priscilla

At 08:02 PM 3/24/01, you wrote:
Priscilla,

You can get a PIX 506 for about $1,400 from www.provantage.com.
This may still be a little pricey for a school though.

 I wouldn't worry too much about someone breaking into a properly
 configured Linux firewall.  First, if you have a box acting as a
 firewall, it shouldn't be running _any_ unnecessary services, i.e.
 DNS, SMTP, FTP, etc.  When I configure Unix/Linux to act as a
 firewall, the only services I leave running are SSH and the firewall
 software itself. Period.  All other services are disabled and removed.

There is no good reason to run any other traditional service on the
firewall.  You can pick up wintel boxes that will run fine for a couple
of hundred bucks.  If you need additional services they should be
run on different boxes, not the firewall.

  Pick a good password for use with SSH, something with several
special characters, or use S/Key and you should be fine.  Course,
that doesn't mean someone couldn't get _through_ the firewall, only
that the firewall itself is secured.

Regards,
Kent


Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-23 Thread Rik

I have seen way too many Linux firewalls hacked as a result of
mis-administration.  Now, I'm not assuming anything about your abilities as
the last confirmed hack that I was notified about was a Linux FW setup by 2
guys that I know to be excellent Linux admins.  The problem is the inherent
nature of the beast.  A PIX is totally secure right out of the box.  The
last Linux hack I speak of was hacked based on an exploit within BIND and
had nothing to do with the FW policy.

I also find the PIX to be MUCH easier to configure and setup.  I can do in
only a few lines of code what could possibly take pages and pages of code in
Linux.  When talking about firewalls, simplicity is a critically important
concern.  One compromise could easily remove any upfront cost advantage
Linux has over Cisco.  Also, you don't have to be concerned with shutting
down unused services on a PIX as you would on Linux.

Go with the PIX.  It was designed from the ground up to do just what it
does: protect your network.  Cisco claims that a properly configured PIX has
never been compromised.  I believe them.

Rik


"Sean Young" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 Hi Everyone,

 My company is putting me in charge of implementing a firewall for our
 company.  One guy in my networking group is recommending the PIX Firewall.
 Furthermore, he also recommends a Cisco Web-caching engine.  His reason
 is that not only is Cisco a good firewall but it also provides VPN
 connectivity to our remote sites.  I, on the other hand, would
 like to implement a Linux-based OS firewall along with the FreeS/WAN VPN
 feature set.  My reason is that a Linux firewall can provide everything
 a Cisco PIX does and even more.  In terms of hardware, the Linux Firewall/
 VPN/IPSec box will be running a dual-processor (800MHz) with 1GB of RAM.
 I just feel that I can get a lot more for the amount that we are going
 to spend with Linux than with Cisco PIX.  I also feel that I can tweak the
 source code on the Linux kernel to increase the performance and security.
 Also, instead of purchasing the Cisco web-caching engine, I am thinking
 of building another Linux box that will be running squid (web-caching)
 server.  Don't get me wrong, I think Cisco has a lot of good products
 in the area of routing; however, I just don't think it is necessary to
 throw away money at Cisco when I know that Linux or BSD can do the same
 job that PIX and Cisco web-caching engine do but for much less and also
 I can control the source code.  Has anyone had experience with both
 Linux/BSD, Squid and Cisco PIX, Cisco web-caching engine so that
 you can give advice on what I should do?  I am open to your suggestions.

 Many thanks.
 Sean



_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-23 Thread Priscilla Oppenheimer

How about if the customer is strapped for money. I work at a school. 
Luckily our students haven't gotten sophisticated enough to break into the 
Linux firewall but I don't think that day is too far away. Some of them 
are very smart and they are learning Linux and networking in their classes. 
But PIX is too expensive, I think??

Priscilla

At 09:24 AM 3/23/01, Rik wrote:
I have seen way too many Linux firewalls hacked as a result of
mis-administration.  Now, I'm not assuming anything about your abilities as
the last confirmed hack that I was notified about was a Linux FW setup by 2
guys that I know to be excellent Linux admins.  The problem is the inherent
nature of the beast.  A PIX is totally secure right out of the box.  The
last Linux hack I speak of was hacked based on an exploit within BIND and
had nothing to do with the FW policy.

I also find the PIX to be MUCH easier to configure and setup.  I can do in
only a few lines of code what could possibly take pages and pages of code in
Linux.  When talking about firewalls, simplicity is a critically important
concern.  One compromise could easily remove any upfront cost advantage
Linux has over Cisco.  Also, you don't have to be concerned with shutting
down unused services on a PIX as you would on Linux.

Go with the PIX.  It was designed from the ground up to do just what it
does: protect your network.  Cisco claims that a properly configured PIX has
never been compromised.  I believe them.

Rik






Priscilla Oppenheimer
http://www.priscilla.com




RE: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-23 Thread Chris Lemagie

On the performance front, a Pix 525 will sustain just under 400MB of
throughput, most if any Linux based firewalls will not touch that...  On the
Price front, correct, the Pix 525 is a fairly expensive unit, but you are
able to drop to a 515 which will support 172 MB sustained throughput and 6
interfaces if you purchase the un-restricted version.  The 515 restricted
version comes in at about $5300 with three interfaces and will still support
the same throughput numbers and 65K sessions.

Chris Lemagie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Priscilla Oppenheimer
Sent: Friday, March 23, 2001 9:38 AM
To: [EMAIL PROTECTED]
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
PIX 525


How about if the customer is strapped for money. I work at a school.
Luckily our students haven't gotten sophisticated enough to break into the
Linux firewall but I don't think that day is too far away. Some of them
are very smart and they are learning Linux and networking in their classes.
But PIX is too expensive, I think??

Priscilla

Priscilla Oppenheimer
http://www.priscilla.com




Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-23 Thread Moe Tavakoli

It was assumed that the question was a result of an
implementation in an enterprise system.  Of course in a
school or a small company where uptime does not = $
there is no issue, use Linux, use MS Proxy for all
that matters.  But in an enterprise where uptime is
essential, there is money at stake and information has
lots of value, I would sleep easier at night knowing
that I have an enterprise level platform with a solid
proven track record, backed by a company who is
focused on producing and supporting systems to enable
me to focus on doing what I'm good at...

Moe.

--- Priscilla Oppenheimer [EMAIL PROTECTED] wrote:
 How about if the customer is strapped for money. I
 work at a school. 
 Luckily our students haven't gotten sophisticated
 enough to break into the 
 Linux firewall but I don't think that day is too
 far away. Some of them 
 are very smart and they are learning Linux and
 networking in their classes. 
 But PIX is too expensive, I think??
 
 Priscilla
 
 
 Priscilla Oppenheimer
 http://www.priscilla.com
 

Re: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-22 Thread Stuart Brockwell

Hi Sean,
  I am a Linux head myself, and one of our firewalls is in fact running
on a Linux box.  The only problem with this type of firewall is that you
inherit all of the known bugs that the software has.  Given that the source
code to Linux is widely available, you have a lot of very talented people
out there who know these holes and are able to exploit them very easily.  If
you are really keen on a Linux firewall, I would suggest you look at some of
the firewalls running on a cut down version of Linux.  One such firewall is
Watch Guard, (there are many around).  We also use one of these in our
office.  The plus to one of these firewalls is that these guys do it for a
living.  If you maintain your own Linux firewall, you will need to
continuously look for the latest bug fixes to install on your Linux box to
address the latest round of holes that have been released.

Cisco and companies such as Watch Guard closely guard their source code,
often you can elect to take on a maintenance contract with the firewall
where you recieve all the latest fixes for a 12 month period (this is what
we did).  As this is their bread and butter, they spend a lot of time
looking for holes and fixes to known bugs.

We do not use a PIX firewall, but we have used Novel Boarder manager, Watch
Guard, Linux and one of the Nokia firewalls (I do not know which).  All have
their good and bad points, the main plus for each of the commercial packages
is that there is large support base, where as skilled Linux admin staff who
can lock down a firewall are very few and far between.

Good luck with your firewall, hope this is of some assistance.

Stuart Brockwell
Engineer - Network Planning
Primus Telecom (Aust)
MCSE, CCNA, CCDA




""Sean Young"" [EMAIL PROTECTED] wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hi Everyone,

 My company is putting me in charge of implementing a firewall for our
 company.  One guy in my networking group is recommending PIX Firewall.
 Furthermore, he also recommends a Cisco web-caching engine.  His reason
 is that not only is Cisco a good firewall, but it also provides VPN
 connectivity to our remote sites.  Myself, on the other hand, would
 like to implement a Linux-based OS firewall along with the FreeS/WAN VPN
 feature set.  My reason is that a Linux firewall can provide everything
 a Cisco PIX does and even more.  In terms of hardware, the Linux firewall/
 VPN/IPSec box will be running a dual-processor (800MHz) with 1GB of RAM.
 I just feel that I can get a lot more for the amount that we are going
 to spend with Linux than with Cisco PIX.  I also feel that I can tweak the
 source code on the Linux kernel to increase the performance and security.
 Also, instead of purchasing the Cisco web-caching engine, I am thinking
 of building another Linux box that will be running a squid (web-caching)
 server.  Don't get me wrong, I think Cisco has a lot of good products
 in the area of routing; however, I just don't think it is necessary to
 throw away money at Cisco when I know that Linux or BSD can do the same
 job that PIX and Cisco web-caching engine do but for much less and also
 I can control the source code.  Has anyone had experience with both
 the Linux/BSD, Squid and Cisco PIX, Cisco web-caching engine so that
 you can give advice on what I should do.  I am open to your suggestions.

 Many thanks.
 Sean




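A concrete form of the "lock down a firewall" point Stuart makes, and of the question of whether a self-built Linux firewall/VPN/cache box stays minimal: the script below is an added example, not code from anyone in this thread. It is a POSIX shell audit that compares a firewall host's listening sockets against a minimal allow-list (SSH on the management address only) and flags everything else, since every extra listener is software whose bugs the firewall inherits. The three-column input format, the management address 10.0.0.1, the outside address 203.0.113.1 and the sample socket table are all assumptions constructed for the example; on a real host the protocol, local address:port and program columns would be extracted from `netstat -lntup` or `ss -lntup` output.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux firewall host's
# listening sockets against a minimal allow-list. Anything listening that
# is not management SSH is a service whose bugs the firewall inherits.
#
# Input: one listener per line, "proto local_addr:port program", as in
# the constructed SAMPLE below. Assumption: on a real host these columns
# would be extracted from `netstat -lntup` / `ss -lntup` output.

# Allow-list as space-separated "proto:addr:port" entries.
# Assumption: 10.0.0.1 is the firewall's inside (management) address.
ALLOWED="tcp:10.0.0.1:22"

# audit_listeners: read listener lines on stdin and print one
# "UNEXPECTED proto:addr:port (program)" line per disallowed listener.
# Returns 0 when the host is clean, 1 when anything unexpected is found,
# so it can drive an alert from cron.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN {
        n = split(allowed, entries, " ")
        for (i = 1; i <= n; i++) ok[entries[i]] = 1
        bad = 0
    }
    /^(tcp|udp)/ {
        # Split "addr:port" on the LAST colon so IPv6 forms like :::22
        # keep their address intact.
        addr = $2
        cut = 0
        for (j = 1; j <= length(addr); j++)
            if (substr(addr, j, 1) == ":") cut = j
        host = substr(addr, 1, cut - 1)
        port = substr(addr, cut + 1)
        key = $1 ":" host ":" port
        if (!(key in ok)) {
            bad++
            print "UNEXPECTED " key " (" $3 ")"
        }
    }
    END { exit (bad > 0) }'
}

# Constructed sample of a Linux firewall that also runs DNS and a Squid
# cache and exposes SSH on its outside address (203.0.113.1) as well as
# on the management address.
SAMPLE='tcp 10.0.0.1:22 sshd
tcp 203.0.113.1:22 sshd
tcp 0.0.0.0:53 named
udp 0.0.0.0:53 named
tcp 127.0.0.1:3128 squid'

printf '%s\n' "$SAMPLE" | audit_listeners \
    || echo "firewall is running services beyond management SSH"
```

Run against the constructed sample it reports four unexpected listeners (SSH on the outside address, DNS on TCP and UDP, and the Squid cache) and exits non-zero; with only `tcp 10.0.0.1:22 sshd` on stdin it prints nothing and exits 0. Binding to 0.0.0.0 or :: is flagged on purpose: a daemon that is only meant for the inside network but listens on every address is exactly the exposure a firewall should not have.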