[Malvern] Pc vs Routers

Stuart Parkington mrsparks_maillists at yahoo.com
Tue Oct 31 08:27:03 GMT 2006


Hi Ian,

What a simple and interesting question! :) Hope I manage an interesting 
answer, even if I suspect it won't be a simple one. I've had to spend a 
while thinking about exactly why I have implemented the solution I have 
and this is the answer I came up with.

For myself, the short answer is freedom. As a free software and open 
source advocate I want the ability to do with the software of my firewall 
as I wish. I want the ability to discuss with the developers aspects of 
software as and when I want. I wish to be able to change the software, 
either piecemeal (single line/function) or wholesale (the whole lot to a 
different project). All the normal reasons to support and use open/free 
software. Dedicated hardware routers, with the only exception I know of 
being the OpenWRT project (http://openwrt.org/), rely on proprietary 
operating systems. Also it should be understood that I (think) I have a 
firewall that provides routing and NAT functionality, not a router with 
a firewall bolted on.

I then started to wonder why the people you have surveyed would suggest 
a dedicated box so consistently. Any actual router/firewall consists of 
the same components as a PC based one. A system board, volatile memory, 
long term storage and interface adapters. The only real difference I can 
see is that dedicated hardware will most probably be an embedded device 
with all components surface mounted on the system board. If one 
component fails, they all do. Also, in embedded devices, interface 
adapters tend to share the same IO components so aren't actually 
physically separated (especially in small SOHO-consumer items). My PC 
based firewall has three separate NICs, providing a degree of physical 
separation. Each NIC has only a single IP address bound to it.

So I wondered if there was a performance improvement by using a 
dedicated device. I don't have any definitive proof but would suspect 
there probably is a small performance advantage in having a dedicated 
device, sharing a common bus, etc. However, for a small home-office, 
with a 1MB ADSL line and two users I don't think the 100MB NIC and PII 
based firewall will be much of a bottleneck! :) For an enterprise 
implementation, with multiple users/large Internet pipe it might become so.

Next I thought about the OS. Without bringing the Open/Proprietary 
software debate back up, there is the question of whether 'security 
through obscurity' adds to or detracts from the overall security picture. 
What I'm getting at is a Cisco based firewall will get attacked often 
by people who have a grudge against Cisco, just as many virus writers 
attack MS for similar reasons. Also as Cisco is quite pervasive the 
number of potential targets is much greater for a malicious hacker than a 
little known firewall project, again in line with virus attacks against 
the dominant Windows install base. (BTW, I am using Cisco as an example - 
I have nothing against Cisco per se!). So maybe obscurity assists 
security.

The opposite view to this is that bugs and security holes in the CiscoOS 
don't get picked up as quickly as in open source code, because it is closed 
and thus cannot be audited or verified. The logic also tends to go that 
fixes in closed source systems often take longer to propagate out to the 
end user community, leaving the exploit visible for longer. So maybe 
obscurity detracts from security? Interesting debate.

Is there a performance benefit between the various OS's used (CiscoOS, other 
proprietary OS's, Linux, OpenBSD, etc.)? I don't know but again think it 
will be negligible for SOHO use. Often security bods tell you that *BSD 
is a better OS for a firewall than Linux because the security modules 
are better written. Personally I wouldn't know but judge that the level 
of risk I'm putting myself under, as a home user, can cope with using 
Linux! How secure is CiscoOS/other proprietary systems in comparison? 
Don't know, sorry!

The only thing left I concluded was support. Enterprises often rely on 
arguments akin to the old saying "no one ever got fired for buying IBM" 
to justify why they go for one solution over another. If you compare 
a Cisco firewall to a Nokia FW1 to a Smoothwall Corporate the Cisco or 
FW1 will (I suspect) get the most corporate 'votes' because of support 
arguments. That and IT management covering themselves by 'buying safe'. 
(BTW, as a corporate IT bod myself I can understand that argument - I 
nearly always buy HP servers! lol). Whether the support from said vendors 
is any better or worse than from a smaller vendor is a debate for 
another day.

So, as I suspected, NOT a simple answer to a simple question, but I have 
tried to answer both thoughtfully and honestly in presenting it.

Look forward to the real life debate next week! :)

Regards
Stuart

P.S. Just thought of something - as a geek I also wanted something I 
could 'play with'!!

-- 
---------------------------
Linux #423936  Ubuntu #4500
---------------------------
      'Narrf' on IRC
---------------------------