Router/Firewall Recommendation

Otto Haliburton ottohaliburton at comcast.net
Thu Jun 24 06:17:43 UTC 2004



> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Rodolfo J. Paiz
> Sent: Thursday, June 24, 2004 12:53 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Router/Firewall Recommendation
> 
> At 04:30 PM 6/22/2004, Mark Dadgar wrote:
> >On Jun 22, 2004, at 11:48 AM, Otto Haliburton wrote:
> >>I would put all my computers behind the linksys router and forget it.
> >
> >I agree.  You've got a purpose-built appliance device instead of a
> >general-use OS with all of its myriad exploits.
> 
> Both of you have made reasonable choices. However, it is a mistake to
> believe that those are *always* the correct choices, or that they are so
> for all users.
> 
> Example: I have a "purpose-built appliance device" as a firewall. It works
> as seamlessly and effortlessly as my toaster, never needs any attention,
> and works like a charm. It's of course an old Dell P/166 with 64MB of RAM
> and a 2GB hard drive on a UPS. Please note some of the characteristics:
> 
>          1. It has *very* few packages installed from Fedora Core 1 and
> only 390MB used on disk. No "myriad exploits" here. If it's not installed,
> it can't be hacked.
> 
>          2. It allows *one* thing in from the Big Bad Outside: SSH, with
> keys and no passwords. All other ports are blocked by iptables.
> 
>          3. Its few services are specifically configured not to listen to
> outside ports. Harder to hack.
> 
>          4. It is intelligent enough to detect a port scan or a probe to
> certain hostile ports and will unceremoniously black-hole an attacker into
> -j DROP for 3 days at the very first ping.
> 
>          5. It routes, masquerades, and firewalls for my network.
> 
>          6. It serves DHCP, internal DNS, and NTP to my internal network.
> 
>          7. It cost me $0 since I got a few old computers donated to me.
> 
>          8. It can use *any* reasonable method for outgoing connections.
> Dialup, ISDN, Ethernet, cable, wireless, satellite... whatever can be
> configured in a PC, I can make work.
> 
>          9. MRTG allows me to check bandwidth used precisely, in any way
> *I* choose, and monitor it dynamically. Helps when using burstable
> connections and arguing your bill. Saved me over $750 already by helping me
> win arguments.
> 
>          10. I can replace it in 1 hour flat at any time of day or night,
> any place, by merely running the install again on *any other available
> computer* and copying over my configuration files from the backup disk.
> 
>          11. I feel safer and more secure knowing that the code that
> protects me is (a) publicly and thoroughly scrutinized, (b) actually used
> in many hardware firewalls <grin>, (c) going to continue being supported
> and improved over time, and (d) customizable to the N-th degree.
> 
>          12. The *very same configuration* was used to set up my office
> building's firewall (with four internal networks and five Ethernet
> adapters), for the modest cost of $30 (we used an older and very reliable
> server with lots of PCI slots). Saves us easily $900 PER MONTH.
> 
> I'd be happy to go on, but that's enough for now:
> 
> Did I have to learn more? Yes. Are there more moving parts, more points of
> failure, and more power consumption? Yes. Does it take up more space? Yes.
> Even with 300-to-400 days of uptime on average, will I reboot, update,
> upgrade, or otherwise maintain it more frequently? Yes. On the other
> hand...
> 
> Do I feel more secure? Hell yes. Does it provide more services? Yes. Does
> it do *exactly* what I want in each case, adapted to the individual
> circumstances? Yes. Is it more easily replaceable for me? Yes. Does it cost
> less? Yes! (Can't beat $0.) So do I prefer building a firewall with Linux?
> Hell yes!
> 
> So why do I teach some people to build a Linux box (or hire me to do so for
> them), and why do I tell others to buy Netgear or Linksys boxen? Why is it
> that (in that office firewall) one network is directly connected to this
> firewall, two are behind *another* Linux box each doing
> firewall/masquerading/samba/etc for them, and the last is behind a little
> blue box?
> 
> Why indeed? Because THERE IS NO RIGHT ANSWER FOR EVERYONE. Let's help each
> person find what's best for them.
> 
> Cheers,
> 
> >Just run the hardware firewall and forget about it.
> >
> >- Mark
> 
> And please, for the love of God, whatever you do, *don't* think of security
> as a "just forget about it" issue.
> 
> 
Glad you have the time and energy to do what you do and that it works for you.
With all the maintenance and stuff, I am glad you have the time to do it, and
I can tell you are deep into it.  For $40, I can put my computers behind a
firewall and forget about it, 'cause it ain't going to be hacked by anybody,
and it has good performance and reliability.  So if you've got the time and
stuff, that is good for you.  Are you more secure?  No.  I mean, large
corporations would have a perfect solution with your hook-up, but they are
very vulnerable with this setup.  Routers have their problems, and to enable
certain features you can open things up, but for all practical purposes
individuals don't need to do that.  So for the cost factor you can't beat the
hardware router.  Cheers!!