[Malvern] Pc vs Routers
Richard Forster
rick at forster.uklinux.net
Tue Oct 31 20:55:44 GMT 2006
Yo
Much of what Stuart wrote I agree with, but let me add
Cost. A 2nd hand PC is often free, you might have to pay for a second
(or third) network card but it will still be cheap compared to a
dedicated hardware solution. For example, the cheapest firewall on Dabs
is about £50, the second cheapest is over £100. You can certainly get a
PC cheaper than that.
Familiarity/Ease of use. A Linux based PC firewall is just that; a Linux
PC. You know and understand it so you can fix it if it breaks. Where fix
might be pronounced ree-in-stall.
I would disagree with the reliability argument that Stuart made. The
fewer moving parts the better for reliability. Something with no moving
parts will also be silent and likely use less power, which may or may
not be important to you.
At the high end, closed/open source is much less of an issue when you
use formally evaluated products. This is because the source was open to
the evaluation company whose business it is to do security analysis of
source code. But read the small print. For example Windows NT something
had quite a high EAL rating but this was with various lockdown
configuration changes made and all network cards removed. Not a lot of
help for a server. Didn't dent the marketing for it though.
The "little known firewall project" will not have the same number of
eyes on the code but will not be reinventing a more secure wheel either.
They will just use a *nix OS that they suitably configure, perhaps the
selling point is the ease of use of the configuration tools that they
write to help you set up your pc firewall. So in the end it may well be
running the same kernel as your desktop machine, or at least similar
enough to suffer from the same bugs.
To me this is one of the most important points. I very specifically
chose to use a non Linux OS in my firewall to give defence in depth.
After all, if you have a firewall for security it is a bit daft to have
it (potentially) vulnerable to the same bugs as the desktop machine you
are trying to protect. Insert line of dominoes analogy.
A point against hardware firewalls (especially the little ones) is the
ease of patching and support lifetime. I know that while I can
theoretically upgrade the firmware of my ADSL router it no longer exists
as far as D-Link are concerned. So I'm stuck with the firmware I've got.
A Linux based PC will always be upgradeable to a patched version. Of
course the more business orientated manufacturers will provide better
support for longer. I have dealt with Secure Computing who make the
Sidewinder series of firewalls and their support service is perfect. A
24/7 number that gets you through to an engineer straight away who stays
with you until your problem is solved.
But of course you pay for it.
At the moment I'm most intrigued by layer 2 firewalls. These things
don't have IP addresses, they essentially appear to be a piece of
Ethernet cable as far as the network is concerned. An Ethernet cable
that can reliably become unreliable, if you see what I mean.
I'll be at a concert next Tuesday so you'll all have to wirelessly
apt-get without me.
Cheers
Rick
(A little more inline below)
Stuart Parkington wrote:
> Hi Ian,
>
> What a simple and interesting question! :) Hope I manage an interesting
> answer, even if I suspect it won't be a simple one. I've had to spend a
> while thinking about exactly why I have implemented the solution I have
> and this is the answer I came up with.
>
> For myself, the short answer is freedom. As a free software and open
> source advocate I want the ability to with the software of my firewall
> as I wish. I want the ability to discuss with the developers aspects of
> software as and when I want. I wish to be able to change the software,
> either piecemeal (single line/function) or wholesale (the whole lot to a
> different project). All the normal reasons to support and use open/free
> software. Dedicated hardware routers, with the only exception I know of
> being the OpenWRT project (http://openwrt.org/), rely on proprietary
> operating systems. Also it should be understood that I (think) I have a
> firewall that provides routing and NAT functionality, not a router with
> a firewall bolted on.
>
> I then started to wonder why the people you have surveyed would suggest
> a dedicated box so consistently. Any actual router/firewall consists of
> the same components as a PC based one. A system board, volatile memory,
> long term storage and interface adapters. The only real difference I
> can see is that dedicated hardware will most probably be an embedded
> device with all components surface mounted on the system board.
> If one component fails, they all do. Also, in embedded devices,
> interface adapters tend to share the same IO components so aren't
> actually physically separated (especially in small SOHO-consumer items).
> My PC based firewall has three separate NICs, providing a degree of
> physical separation. Each NIC has only a single IP address bound to it.
>
> So I wondered if there was a performance improvement by using a
> dedicated device. I don't have any definitive proof but would suspect
> there probably is a small performance advantage in having a dedicated
> device, sharing a common bus, etc. However, for a small home-office,
> with 1MB ADSL line and two users I don't think the 100MB NIC and PII
> based firewall will be much of a bottleneck! :) For an enterprise
> implementation, with multiple users/large Internet pipe it might become so.
There will be an improvement for VPNs with hardware solutions because
there will be dedicated chips to do the crypto work. Again, probably
doesn't apply unless you have very fast broadband :-)
>
> Next I thought about the OS. Without bringing the Open/Proprietary
> software debate back up, there is the question of whether 'security
> through obscurity' adds to or detracts from the overall security picture.
> What I'm getting at is a Cisco based firewall will get attacked often
> from people who have a grudge against Cisco, just as many virus writers
Cisco routers have traditionally had more exploits than their firewalls
and run a totally different OS. While firewalls can do routing and
routers firewalling they are different beasts.
> attack MS for similar reasons. Also as Cisco is quite pervasive the
> number of potential targets is much greater for a malicious hacker than a
> little known firewall project, again in line with virus attacks against
> the dominant Windows install base. (BTW, am using Cisco as an example -
> I have nothing against Cisco per se!). So maybe obscurity assists
> security.
>
> The opposite view to this is that bugs and security holes in the CiscoOS
Called IOS (Internetworking Operating System) for the routers and PIXOS
(or Finesse) for the firewalls.
http://en.wikipedia.org/wiki/Cisco_IOS
http://en.wikipedia.org/wiki/Cisco_PIX
> don't get picked up as quickly as open source code, because it is closed
> and can not thus be audited or verified. The logic also tends to go that
> fixes in closed source systems often take longer to propagate out to the
> end user community, leaving the exploit visible for longer. So maybe
> obscurity detracts from security? Interesting debate.
>
> Is there a performance benefit between various OS's used (CiscoOS, Other
> Proprietary OS's, Linux, OpenBSD, etc.)? I don't know but again think it
> will be negligible for SOHO use. Often security bods tell you that *BSD
> is a better OS for a firewall than Linux because the security modules
I know of at least a couple of high end firewall products with an OS
based on *BSD. In the same way cheese is based on cows.
> are better written. Personally I wouldn't know but judge that the level
> of risk I'm putting myself under, as a home user, can cope with using
> Linux! How secure is CiscoOS/other proprietary systems in comparison?
> Don't know sorry!
>
> The only thing left I concluded was support. Enterprises often rely on
> arguments akin to the old saying "no one ever got fired for buying IBM"
> to justify why they go for one solution over another. If you compare a
> Cisco firewall to a Nokia FW1 to a Smoothwall Corporate the Cisco or FW1
> will (I suspect) get the most corporate 'votes' because of support
> arguments. That and IT management covering themselves by 'buying safe'.
> (BTW, as a corporate IT bod myself can understand that argument - I
> nearly always buy HP servers! lol). Whether the support from said vendors
> is any better or worse than from a smaller vendor is a debate for
> another day.
>
> So as I suspected NOT a simple answer, to a simple question, but I have
> tried to answer both thoughtfully and honestly in presenting it.
>
> Look forward to the real life debate next week! :)
>
> Regards
> Stuart
>
> P.S. Just thought of something - as a geek I also wanted something I
> could 'play with'!!
>