[lug] Firewall != Linux, Was -> Broadband

Chris M chrism at peakpeak.com
Tue Aug 1 17:16:14 MDT 2000

> From: Wayde Allen <wallen at boulder.nist.gov>
> On Tue, 1 Aug 2000, Chris M wrote:
>>> And why was that so? Because of a glitch/bug in the Linux code?
>> A security hole.  wu-ftpd, sendmail, etc.  A modem connected to the computer
>> in one case. Or a simple DoS, any number of things.  I mean the sky is truly
>> the limit with so many knobs to turn and lock down.
>> If Linux worked great as a firewall
>> and I was sure I wouldn't get calls in the middle of the night, I'd install
>> them.
>> So let's admit Linux isn't as good as a commercial firewall then, because
>> the incidence of trouble (where trouble == firewall compromise) is far lower
>> for commercial products since they do eliminate a large component of
>> failure: human judgment and training.
> OK, I think I've pulled out the important parts of your position.  Namely,
> Linux has too many options so that the configuration isn't exactly
> trivial.  If I've missed something let me know.
> - Wayde

Missed a lot.

- more expensive than commercial solutions (not just initially but TOC)
- limited commercial penetration
- limited scalability
- who regression tested your firewall's software for you?

We can go on and on here. There is nothing "trivial" about a PIX or the
Firewall Feature Set though.  There are firewalls that are brainless to
install.  Linux isn't one of them.

This is part of a wider theme emerging on the list recently.

If you think your oven is the same as a toaster, then you aren't going to
buy the whole market for dedicated appliances, and:

- You're going to think Squid is better-performing and more feature-rich
than a cache appliance (proven false)
- You're going to think a Linux NFS server is better-performing and more
feature-rich than a NAS appliance (proven false, if you've played with
LADDIS and a NetApp)

This is really just the same variation on a theme, if you think Linux is a
great firewall platform, then you just haven't played with many of the
commercial firewall appliance units out there today.

This doesn't mean Linux can't be a firewall, it just isn't a good one
compared with the modern alternatives.  This has really come out a lot in
the last 2 years.


More information about the LUG mailing list