FW: [Malvern] Pc vs Routers

Ian Pascoe ianpascoe at btinternet.com
Wed Nov 1 18:17:32 GMT 2006


Stuart

Some nice points.

Building on what you said, my experience of CISCO kit, albeit 4 years old
now, was that the proprietary OS was flash EPROM which could only be updated
by physical removal and flashing on an external device.  However, if you
look at stuff like 3com (are they still around?) that was a physical chip
change.  Nortel on the other hand is as near to a PC as makes no
difference - just different casing.  What I'm driving at here is that under
the hood it all does the same job, but maybe with different feature sets and
increased / decreased compatibility and security problems.

Yes and I understand what you mean by enterprise solutions - when you start
involving things like Radia server router combies it has got to be dedicated
to match the bandwidth of incoming data and required throughput.

Putting all this aside, there is one other point which I think goes towards
the router camp, and that is one of familiarity with the concept of using a
PC - I have a couple of colleagues in my team who are a bit computerish and
have set up home networks all over the house, but they were astounded at the
concept of relying on a PC to provide the functionality.  I think the
problem here is that both are MS orientated and the concept of one box fits
all of this world doesn't equate to the Linux one of a distro for a specific
functionality.

A further couple of questions for you to ponder and bring answers to next
week's class (!):

- what are, and what do DMZs do
- NICs (network interface cards?)
- why don't LANs running at Gb cause data overruns on PCs?  If memory serves
the data bus to the CPU is running at something like 400 MBs.  I remember
from previous postings that the ethernet card has an amount of cache memory
on it, and although a LAN may be rated at Gb it might not actually run at
that speed; I presume that it is all to do with the amount of boxes
attached to the LAN and getting data to more of them per second than at 10
or 100 base T could.

However, before I go totally ga-ga on networking I'm stopping as I promised
to help lug around a dry ice machine to a mate's this evening to provide
"effect" for anyone trick or treating at his front door tonight.

In all seriousness folks it would be nice if we could get some of you more
learned ones to give a brief overview on networks so that I can stop asking
daft questions about it.

Ian

-----Original Message-----
From: Stuart Parkington [mailto:mrsparks_maillists at yahoo.com]
Sent: 31 October 2006 07:59
To: ianpascoe at btinternet.com
Cc: Malvern at mailman.lug.org.uk
Subject: Re: [Malvern] Pc vs Routers


Hi Ian,

What a simple and interesting question! :) Hope I manage an interesting
answer, even if I suspect it won't be a simple one. I've had to spend a
while thinking about exactly why I have implemented the solution I have
and this is the answer I came up with.

For myself, the short answer is freedom. As a free software and open
source advocate I want the ability to do with the software of my firewall
as I wish. I want the ability to discuss with the developers aspects of the
software as and when I want. I wish to be able to change the software,
either piecemeal (single line/function) or wholesale (the whole lot to a
different project). All the normal reasons to support and use open/free
software. Dedicated hardware routers, with the only exception I know of
being the OpenWRT project (http://openwrt.org/), rely on proprietary
operating systems. Also it should be understood that I (think) I have a
firewall that provides routing and NAT functionality, not a router with
a firewall bolted on.

I then started to wonder why the people you have surveyed would suggest
a dedicated box so consistently. Any actual router/firewall consists of
the same components as a PC based one. A system board, volatile memory,
long term storage and interface adapters. The only real difference I can
see is that dedicated hardware will most probably be an embedded device
with all components surface mounted on the system board. If one component
fails, they all do. Also, in embedded devices, interface adapters tend to
share the same IO components so aren't actually physically separated
(especially in small SOHO-consumer items). My PC based firewall has three
separate NICs, providing a degree of physical separation. Each NIC has
only a single IP address bound to it.

So I wondered if there was a performance improvement by using a
dedicated device. I don't have any definitive proof but would suspect
there probably is a small performance advantage in having a dedicated
device, sharing a common bus, etc. However, for a small home-office,
with a 1MB ADSL line and two users I don't think the 100MB NIC and PII
based firewall will be much of a bottleneck! :) For an enterprise
implementation, with multiple users/large Internet pipe it might become so.

Next I thought about the OS. Without bringing the Open/Proprietary
software debate back up, there is the question of whether 'security
through obscurity' adds to or detracts from the overall security picture.
What I'm getting at is a Cisco based firewall will get attacked often
by people who have a grudge against Cisco, just as many virus writers
attack MS for similar reasons. Also as Cisco is quite pervasive the
number of potential targets is much greater for a malicious hacker than a
little-known firewall project, again in line with virus attacks against
the dominant Windows install base. (BTW, am using Cisco as an example -
I have nothing against Cisco per se!). So maybe obscurity assists
security.

The opposite view to this is that bugs and security holes in the CiscoOS
don't get picked up as quickly as in open source code, because it is closed
and thus cannot be audited or verified. The logic also tends to go that
fixes in closed source systems often take longer to propagate out to the
end user community, leaving the exploit visible for longer. So maybe
obscurity detracts from security? Interesting debate.

Is there a performance benefit between various OS's used (CiscoOS, Other
Proprietary OS's, Linux, OpenBSD, etc.)? I don't know but again think it
will be negligible for SOHO use. Often security bods tell you that *BSD
is a better OS for a firewall than Linux because the security modules
are better written. Personally I wouldn't know but judge that the level
of risk I'm putting myself under, as a home user, can cope with using
Linux! How secure is CiscoOS/other proprietary systems in comparison?
Don't know sorry!

The only thing left I concluded was support. Enterprises often rely on
arguments akin to the old saying "no one ever got fired for buying IBM"
to justify why they go for one solution over another. If you compare
a Cisco firewall to a Nokia FW1 to a Smoothwall Corporate the Cisco or
FW1 will (I suspect) get the most corporate 'votes' because of support
arguments. That and IT management covering themselves by 'buying safe'.
(BTW, as a corporate IT bod myself I can understand that argument - I
nearly always buy HP servers! lol). Whether the support from said vendors
is any better or worse than from a smaller vendor is a debate for
another day.

So as I suspected, NOT a simple answer to a simple question, but I have
tried to answer both thoughtfully and honestly in presenting it.

Look forward to the real life debate next week! :)

Regards
Stuart

P.S. Just thought of something - as a geek I also wanted something I
could 'play with'!!

--
---------------------------
Linux #423936  Ubuntu #4500
---------------------------
      'Narrf' on IRC
---------------------------
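As an added example, not from either poster, here is what Stuart's "firewall that provides routing and NAT functionality" with three physically separate NICs looks like as a ruleset, and it doubles as a concrete answer to Ian's "what are, and what do DMZs do" question: the third NIC carries a DMZ, a separate segment for hosts the Internet is allowed to reach, so that a compromised public-facing box cannot initiate connections into the LAN. Everything below is assumed for illustration: that the third NIC is a DMZ (Stuart does not say what his third interface is for), the interface names eth0/eth1/eth2, the 192.168.1.0/24 and 192.168.2.0/24 ranges, the hypothetical web server at 192.168.2.10, and the use of nftables (which post-dates the thread; a 2006 box would have used iptables, but the policy is the same).

```shell
#!/bin/sh
# Added example (not from the thread): a three-NIC Linux firewall that routes,
# NATs and separates WAN, LAN and DMZ. Interface names, address ranges and the
# DMZ web server address are assumptions; override them via the environment.
WAN_IF="${WAN_IF:-eth0}"            # towards the ADSL modem / public address
LAN_IF="${LAN_IF:-eth1}"            # trusted internal network
DMZ_IF="${DMZ_IF:-eth2}"            # semi-trusted segment for public-facing hosts
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"
DMZ_WEB="${DMZ_WEB:-192.168.2.10}"  # hypothetical web server living in the DMZ

# Print the nftables ruleset on stdout. This is pure text generation; nothing
# is applied to the kernel here, so it can be reviewed or diffed first.
gen_ruleset() {
  cat <<EOF
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "lo" accept
    # administer the firewall itself only from the LAN side
    iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 22 accept
    # let the outside see that we exist, rate-limited, and nothing more
    iifname "$WAN_IF" icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # LAN may initiate connections to the Internet and to the DMZ
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
    iifname "$LAN_IF" oifname "$DMZ_IF" ip saddr $LAN_NET accept
    # the Internet may reach the DMZ web server, only on its published ports
    # (DNAT below has already rewritten the destination by the time we get here)
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $DMZ_WEB tcp dport { 80, 443 } accept
    # the DMZ may fetch updates from the Internet but never initiates into the LAN;
    # this rule is what makes the DMZ a DMZ
    iifname "$DMZ_IF" oifname "$WAN_IF" ip saddr $DMZ_NET accept
    iifname "$DMZ_IF" oifname "$LAN_IF" drop
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    # publish the DMZ web server on the WAN address
    iifname "$WAN_IF" tcp dport { 80, 443 } dnat to $DMZ_WEB
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    # hide both inside networks behind the WAN address (the NAT functionality)
    oifname "$WAN_IF" ip saddr { $LAN_NET, $DMZ_NET } masquerade
  }
}
EOF
}

# Load the ruleset atomically and turn on forwarding. Needs root and nft(8).
apply_ruleset() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gen_ruleset | nft -f -
}

if [ "${1:-}" = "apply" ]; then
  apply_ruleset
else
  gen_ruleset
fi
```

Run it with no arguments to print the ruleset for review (or `nft -c -f -` to syntax-check it without loading), and `sh fw.sh apply` as root to load it. The two `policy drop` chains are the point: anything not explicitly listed, in particular DMZ to LAN, is refused, so a web server in the DMZ that gets owned buys the attacker nothing on the inside. One IP per NIC, as Stuart has it, is what lets the `iifname`/`oifname` matches stand in for "which side did this packet come from".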
