Router/Firewall Recommendation
Rodolfo J. Paiz
rpaiz at simpaticus.com
Thu Jun 24 05:52:49 UTC 2004
At 04:30 PM 6/22/2004, Mark Dadgar wrote:
>On Jun 22, 2004, at 11:48 AM, Otto Haliburton wrote:
>>I would put all my computers behind the linksys router and forget it.
>
>I agree. You've got a purpose-built appliance device instead of a
>general-use OS with all of its myriad exploits.
Both of you have made reasonable choices. However, it is a mistake to
believe that those are *always* the correct choices, or that they are so
for all users.
Example: I have a "purpose-built appliance device" as a firewall. It works
as seamlessly and effortlessly as my toaster, never needs any attention,
and works like a charm. It's of course an old Dell P/166 with 64MB of RAM
and a 2GB hard drive on a UPS. Please note some of the characteristics:
1. It has *very* few packages installed from Fedora Core 1 and
only 390MB used on disk. No "myriad exploits" here. If it's not installed,
it can't be hacked.
2. It allows *one* thing in from the Big Bad Outside: SSH, with
keys and no passwords. All other ports are blocked by iptables.
3. Its few services are specifically configured not to listen to
outside ports. Harder to hack.
4. It is intelligent enough to detect a port scan or a probe to
certain hostile ports and will unceremoniously black-hole an attacker into
-j DROP for 3 days at the very first ping.
5. It routes, masquerades, and firewalls for my network.
6. It serves DHCP, internal DNS, and NTP to my internal network.
7. It cost me $0 since I got a few old computers donated to me.
8. It can use *any* reasonable method for outgoing connections.
Dialup, ISDN, Ethernet, cable, wireless, satellite... whatever can be
configured in a PC, I can make work.
9. MRTG allows me to check bandwidth used precisely, in any way
*I* choose, and monitor it dynamically. Helps when using burstable
connections and arguing your bill. Saved me over $750 already by helping me
win arguments.
10. I can replace it in 1 hour flat at any time of day or night,
any place, by merely running the install again on *any other available
computer* and copying over my configuration files from the backup disk.
11. I feel safer and more secure knowing that the code that
protects me is (a) publicly and thoroughly scrutinized, (b) actually used
in many hardware firewalls <grin>, (c) going to continue being supported
and improved over time, and (d) customizable to the N-th degree.
12. The *very same configuration* was used to set up my office
building's firewall (with four internal networks and five Ethernet
adapters), for the modest cost of $30 (we used an older and very reliable
server with lots of PCI slots). Saves us easily $900 PER MONTH.
I'd be happy to go on, but that's enough for now:
Did I have to learn more? Yes. Are there more moving parts, more points of
failure, and more power consumption? Yes. Does it take up more space? Yes.
Even with 300-to-400 days of uptime on average, will I reboot, update,
upgrade, or otherwise maintain it more frequently? Yes. On the other hand...
Do I feel more secure? Hell yes. Does it provide more services? Yes. Does
it do *exactly* what I want in each case, adapted to the individual
circumstances? Yes. Is it more easily replaceable for me? Yes. Does it cost
less? Yes! (Can't beat $0.) So do I prefer building a firewall with Linux?
Hell yes!
So why do I teach some people to build a Linux box (or hire me to do so for
them), and why do I tell others to buy Netgear or Linksys boxen? Why is it
that (in that office firewall) one network is directly connected to this
firewall, two are behind *another* Linux box each doing
firewall/masquerading/samba/etc for them, and the last is behind a little
blue box?
Why indeed? Because THERE IS NO RIGHT ANSWER FOR EVERYONE. Let's help each
person find what's best for them.
Cheers,
>Just run the hardware firewall and forget about it.
>
>- Mark
And please, for the love of God, whatever you do, *don't* think of security
as a "just forget about it" issue.
--
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com
More information about the redhat-list mailing list