[lug] Firewall != Linux, Was -> Broadband
chrism at peakpeak.com
Tue Aug 1 17:16:14 MDT 2000
> From: Wayde Allen <wallen at boulder.nist.gov>
> On Tue, 1 Aug 2000, Chris M wrote:
>>> And why was that so? Because of a glitch/bug in the Linux code?
>> A security hole. wu-ftpd, sendmail, etc. A modem connected to the computer
>> in one case. Or a simple DoS, any number of things. I mean the sky is truly
>> the limit with so many knobs to turn and lock down.
>> If Linux worked great as a firewall
>> and I was sure I wouldn't get calls in the middle of the night, I'd install
>> So let's admit Linux isn't as good as a commercial firewall then, because
>> the incidence of trouble (where trouble == firewall compromise) is far lower
>> for commercial products since they do eliminate a large component of
>> failure: human judgment and training.
> OK, I think I've pulled out the important parts of your position. Namely,
> Linux has too many options so that the configuration isn't exactly
> trivial. If I've missed something let me know.
> - Wayde
Missed a lot.
- more expensive than commercial solutions (not just initially but TOC)
- limited commercial penetration
- limited scalability
- who regression tested your firewall's software for you?
We can go on and on here. There is nothing "trivial" about a PIX or the
Firewall Feature Set though. There are firewalls that are brainless to
install. Linux isn't one of them.
This is part of a wider theme emerging on the list recently.
If you think your oven is the same as a toaster, then you aren't going to
buy the whole market for dedicated appliances, and:
- You're going to think Squid is better-performing and more feature-rich
than a cache appliance (proven false)
- You're going to think a Linux NFS server is better-performing and more
feature-rich than a NAS appliance (proven false, if you've played with
LADDIS and a NetApp)
This is really just the same variation on a theme: if you think Linux is a
great firewall platform, then you just haven't played with many of the
commercial firewall appliance units out there today.
This doesn't mean Linux can't be a firewall, it just isn't a good one
compared with the modern alternatives. This has really come out a lot in
the last 2 years.