Linux Based Firewalls

brian lists at karas.net
Fri Nov 14 10:16:11 EST 2003


On Fri, 2003-11-14 at 09:50, bscott at ntisys.com wrote:
>   For appliances, I like NetScreen.  Outstanding performance and features, a
> nice web UI, plus a CLI available via serial, Telnet, or SSH.
> 

We've shipped a couple of Netscreens to customers, based on their
specific requests.  And, they did appear to be really solid units.

> > But the truth is that for an "enterprise" I want something a little more,
> > with a vendor I can call 24x7 for support ...
> 
>   The company I work for would be happy to provide a 24x7 support contract
> for a Linux-based firewall.

Not to slight you, but I can find many companies that will support other
vendors' products, but I want a channel into the actual manufacturer.  So, when
we see very "odd" occurrences of problems, that are often due to a
firmware bug, we can get a direct answer.  My concern isn't in making it
work, or handling the general oddities, it's when things go REALLY
wrong.  At 2 AM.  On a Saturday.  During the holidays...

> > ... and with a larger installed base.
> 
>   While it's not MS-Windows, there are still an awful lot of Linux systems
> out there.  :-)
> 

I meant Linux firewall products in larger-scale deployments.  I've got
no problems at all with Linux in general.  I use it daily, run thousands
of large and small sites on Linux platforms, and pretty much refuse to
deal with Windows in any fashion.  I *do*, however, sometimes feel that
maybe people try to shoehorn a Linux PC into a place where an embedded
device is a little more appropriate.

>   The major benefits to appliance firewalls (like NetScreen, SonicWall,
> etc.), as I see them, are: Compact size, low power consumption and heat
> dissipation, and no moving parts.

This is a very good point, and (IMO) too often overlooked.

> While they often achieve excellent
> performance through the use of ASICs, that comes at a high cost, and the
> price/performance ratio of a fast, general-purpose computer is quite often
> better.

One thing I've learned over the years is that the higher costs are
usually justified when you're running a lot of billable services off the
platform.  Again, I wouldn't mind it for an office firewall, but not for
a high-end "corporate" firewall.  Much for the same reason I wouldn't
replace my Cisco routers with PC router boxes.  The number of failure
points goes up dramatically when using PC hardware, and when you look at
the costs, a $4,000 savings on something that routes/firewalls/whatevers
hundreds of thousands of dollars' worth of annual revenue isn't worth it.

-- 
brian <lists at karas.net>