Router/Firewall Recommendation

Rodolfo J. Paiz rpaiz at simpaticus.com
Thu Jun 24 05:52:49 UTC 2004


At 04:30 PM 6/22/2004, Mark Dadgar wrote:
>On Jun 22, 2004, at 11:48 AM, Otto Haliburton wrote:
>>I would put all my computers behind the linksys router and forget it.
>
>I agree.  You've got a purpose-built appliance device instead of a 
>general-use OS with all of its myriad exploits.

Both of you have made reasonable choices. However, it is a mistake to 
believe that those are *always* the correct choices, or that they are so 
for all users.

Example: I have a "purpose-built appliance device" as a firewall. It works 
as seamlessly and effortlessly as my toaster, never needs any attention, 
and works like a charm. It's of course an old Dell P/166 with 64MB of RAM 
and a 2GB hard drive on a UPS. Please note some of the characteristics:

         1. It has *very* few packages installed from Fedora Core 1 and 
only 390MB used on disk. No "myriad exploits" here. If it's not installed, 
it can't be hacked.

         2. It allows *one* thing in from the Big Bad Outside: SSH, with 
keys and no passwords. All other ports are blocked by iptables.

         3. Its few services are specifically configured not to listen to 
outside ports. Harder to hack.

         4. It is intelligent enough to detect a port scan or a probe to 
certain hostile ports and will unceremoniously black-hole an attacker into 
-j DROP for 3 days at the very first ping.

         5. It routes, masquerades, and firewalls for my network.

         6. It serves DHCP, internal DNS, and NTP to my internal network.

         7. It cost me $0 since I got a few old computers donated to me.

         8. It can use *any* reasonable method for outgoing connections. 
Dialup, ISDN, Ethernet, cable, wireless, satellite... whatever can be 
configured in a PC, I can make work.

         9. MRTG allows me to check bandwidth used precisely, in any way 
*I* choose, and monitor it dynamically. Helps when using burstable 
connections and arguing your bill. Saved me over $750 already by helping me 
win arguments.

         10. I can replace it in 1 hour flat at any time of day or night, 
any place, by merely running the install again on *any other available 
computer* and copying over my configuration files from the backup disk.

         11. I feel safer and more secure knowing that the code that 
protects me is (a) publicly and thoroughly scrutinized, (b) actually used 
in many hardware firewalls <grin>, (c) going to continue being supported 
and improved over time, and (d) customizable to the N-th degree.

         12. The *very same configuration* was used to set up my office 
building's firewall (with four internal networks and five Ethernet 
adapters), for the modest cost of $30 (we used an older and very reliable 
server with lots of PCI slots). Saves us easily $900 PER MONTH.

I'd be happy to go on, but that's enough for now:

Did I have to learn more? Yes. Are there more moving parts, more points of 
failure, and more power consumption? Yes. Does it take up more space? Yes. 
Even with 300-to-400 days of uptime on average, will I reboot, update, 
upgrade, or otherwise maintain it more frequently? Yes. On the other hand...

Do I feel more secure? Hell yes. Does it provide more services? Yes. Does 
it do *exactly* what I want in each case, adapted to the individual 
circumstances? Yes. Is it more easily replaceable for me? Yes. Does it cost 
less? Yes! (Can't beat $0.) So do I prefer building a firewall with Linux? 
Hell yes!

So why do I teach some people to build a Linux box (or hire me to do so for 
them), and why do I tell others to buy Netgear or Linksys boxen? Why is it 
that (in that office firewall) one network is directly connected to this 
firewall, two are behind *another* Linux box each doing 
firewall/masquerading/samba/etc for them, and the last is behind a little 
blue box?

Why indeed? Because THERE IS NO RIGHT ANSWER FOR EVERYONE. Let's help each 
person find what's best for them.

Cheers,

>Just run the hardware firewall and forget about it.
>
>- Mark

And please, for the love of God, whatever you do, *don't* think of security 
as a "just forget about it" issue.


-- 
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com
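The Linux firewall the post describes in items 2 through 5, as an added example that is not the author's configuration: a POSIX sh script that prints (or, as root, applies) an iptables rule set with a default-DROP policy, masquerading for the LAN, SSH as the only service reachable from outside, and a "recent"-match black hole that drops for 3 days any host that probes a trap port. The interface names, the trap-port list and the sshd_config lines are assumptions, and the script assumes an iptables build with the "recent" and "multiport" matches.

```shell
#!/bin/sh
# Added example, not the post author's configuration. Assumptions: eth0 faces
# the ISP, eth1 the LAN, iptables has the "recent" and "multiport" matches.
WAN=eth0
LAN=eth1
BAN_SECS=259200        # 3 days, as in item 4 of the post
# Constructed list of "hostile" ports: one probe to any of them bans the source.
TRAP_PORTS=23,135,139,445,1433,3389

# Print the rule set one command per line so it can be reviewed before use.
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# black-hole any source seen in the "banned" list within the last 3 days
# (--rcheck does not refresh the timer; use --update to extend it on every hit)
iptables -A INPUT -i $WAN -m recent --name banned --rcheck --seconds $BAN_SECS -j DROP
# a single probe to a trap port adds the source to "banned" and is dropped at once
iptables -A INPUT -i $WAN -p tcp -m multiport --dports $TRAP_PORTS -m recent --name banned --set -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the one thing allowed in from outside: SSH (key-only, see sshd_hardening)
iptables -A INPUT -i $WAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
# DHCP, DNS and NTP are reachable from the trusted LAN side only
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Item 2's "keys and no passwords": the sshd_config lines that enforce it.
sshd_hardening() {
    cat <<EOF
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

apply_rules() {
    fw_rules | sh -e                          # stop at the first failing rule
    echo 1 > /proc/sys/net/ipv4/ip_forward    # required for routing/masquerading
}

# "sh fw.sh apply" installs the rules; with no argument it only prints them.
if [ "${1:-}" = apply ]; then apply_rules; else fw_rules; fi
```

Hosts that keep probing a trap port while banned hit the `--set` rule again, which refreshes their entry, so a persistent scanner stays black-holed beyond the initial 3 days.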





More information about the redhat-list mailing list