[fw-wiz] Firewall Throughput

Darren Reed darrenr@reed.wattle.id.au
Tue, 12 Sep 2000 08:15:11 +1100 (EST)


In some email I received from Patrick Darden, sie wrote:
> 
> 
> Darren,
> 
> "Cisco push it along the lines of 'you don't want unix/windows on your
> firewall because they're crashable'"
> 
> I would like to know where they state that.  It would be pretty
> hypocritical as the PIX has a Unix based OS (Plan 9).

http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm
Look for the words "Non-Unix" (strictly speaking, this *is* true even if
it is Plan 9).

They're different, they need a marketing angle, they drive it.

> "You damn well don't want a router as a firewall"
> 
> I don't know of many firewalls that aren't routers as well, that includes
> the IP Filter you seem to like so much and even the BSD-based NOKIA
> running Checkpoint FW1.  Application-layer proxy based firewalls usually
> aren't routers, but otherwise...

Router = thing which tftp's boot images, does BGP4, has no hard disk, etc.
Or to put it more succinctly in this thread, a Cisco 1234 thing.

You don't use unix boxes to do routing when you're serious about routing
and likewise you shouldn't use routers to do firewalling when you're
serious about firewalling.

If I'm really serious about security then I *will* use/recommend a proxy
firewall, even in addition to anything else which is there.  There are
some things they offer which just can't be matched, in terms of security,
by any packet-filtering based firewall.

> "I *refuse* to believe that Linux is a reliable/secure platform"
> 
> No offense, but I have Solaris, BSD, AIX, and Linux running here--and
> all of them are stable and reliable.  I had one hard-used Linux server
> running for almost 2 years before I recently took it down for some
> upgrades.

Do yourself a favour and stay ignorant of the development methodology
that goes on "behind the scenes" with Linux.  What are they now,
2.4.pre34-test83, and still making major architectural changes inside it.
That's *insane*.  Sure, Solaris is stable, but you can't strap it down
as securely as you can BSD, plus you get source code for BSD.

Darren