Dedicated hardware will give you more throughput.
This is quite a broad claim that may have been true a few years ago or for off
the shelf PCs, but today with the availability of 16 lane PCI Express buses and
custom chassis backplanes capable of pushing >80Gbps, I don't believe that this
statement still stands.
To your other point, there are vendors that are developing appliances with
pre-hardened *nix OSs that support both open source and proprietary
firewall/ips/ids/routing solutions. Some even provide cisco-like CLI interfaces
and GUIs with which to tweak the few OS internals that do need configuring
virtually eliminating the need to access a unix prompt and consuming the
knowledge and time resources you fear losing.
The distinction in performance (and maintenance) between "dedicated" hardware
and PC based architecture has definitely blurred in recent years.
Joe Forjette
Security Engineer
Crossbeam Systems
www.crossbeamsystems.com
-----Original Message-----
From: Fredrik Widlund [mailto:fredrik.widlund@qbrick.com]
Sent: Saturday, June 11, 2005 5:48 PM
To: Joseph (Joe) Lynn
Cc: James Riden; firewalls@securityfocus.com
Subject: Re: Open Source vs Proprietary
Dedicated hardware will give you more throughput. This the one reason I
personally would use one. If you're dealing with Gbps throughput (or
many packets) generic hardware won't do the trick. This is regardless if
we're talking about routing, firewalling, or network intrusion detection.
Besides this I feel it boils down to control and resources. If you have
the knowledge and the time, I believe something like OpenBSD/PF would
come out on top. If you lack either, you will end up with something less
secure.
This reflects the whole process of building an infrastructure. An open
source firewall/router will be a more powerful "brick" if you know what
to do with it, and you can create something more secure. If you're less
sure, go with something that's less powerful. At the end of the day,
it's the logic of the infrastructure or weaknesses of other parts of the
network that will break.
Regards,
Fredrik Widlund
Joseph (Joe) Lynn wrote:
I had assumed that x86 boxes are so pervasive that ultimately whatever task
you use them for will in general be more powerful than dedicated hardware, due
to the length of time it takes to design and spec up a hardware appliance.
I forget that not everyone wants to rely on support coming from the internet
community in general, and option of support is probably a big one for
businesses when considering risk management.
And I guess any firewall no matter how intrinsically secure it is will be
useless if it's misconfigured...
Many thanks,
Joe
-----Original Message-----
From: James Riden [mailto:j.riden@massey.ac.nz]
Sent: 10 June 2005 00:24
To: Joseph (Joe) Lynn
Cc: firewalls@securityfocus.com
Subject: Re: Open Source vs Proprietary
"Joseph (Joe) Lynn" <Joe.Lynn@tiniusolsen.co.uk> writes:
Do people just buy firewalls because they canʼt be bothered to learn
to set up Open Source systems, or is there more to this that Iʼm
missing?
Dedicated hardware firewalls may give you better performance than an
x86 box running any flavour OS. Your boss may also feel better about
being able to get support for the latter should you fall under a bus.
Misconfiguration and poor change control is one of the biggest
problems with firewalls, and pf isn't going to be any better than a
proprietary vendor in that regard.
Use whatever's best for you - I'm a happy user of snort and Cisco
firewalls.
cheers,
Jamie
