Linux firewall vs appliance
Michael Tewner
tewner at gmail.com
Mon Jan 24 22:25:23 IST 2011
On Mon, Jan 24, 2011 at 10:19 PM, Michael Tewner <tewner at gmail.com> wrote:
> 2011/1/24 Hetz Ben Hamo <hetzbh at gmail.com>
>
>> Hi,
>>
>> I was wondering about the following scenario:
>>
>> I have 2 lines coming from 2 carriers, each line is 2 Gbit internet
>> connection. They go to a router, and then there should be a firewall..
>>
>> Here I have 2 choices:
>>
>> 1. Take a Cisco/Fortigate/Juniper/Whatever box, throw it in, configure it,
>> and be done with it, while I need to pay some yearly license for updates.
>> 2. Stick in some serious Linux server that will become the firewall.
>>
>> My question: based on what's available for Linux today (iptables, APF, BFD,
>> you-name-it..) - could Linux be trusted as a very good firewall for data
>> center (as an example)? (I know that Checkpoint is using Linux, but they
>> wrote some additional closed source modules, and I haven't heard any
>> alternatives of those modules in open source version)
>>
>> I have read articles with people swearing that a Linux box should suit it,
>> while others highly recommend the appliances..
>>
>> What's your opinion?
>> Hetz
>>
>>
>> _______________________________________________
>> Linux-il mailing list
>> Linux-il at cs.huji.ac.il
>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>>
>>
> 1. If you ever plan on hitting 2 Gbit on a Cisco, you'll need some
> heavy-duty firewalls (
> http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html )
> running you > $20,000
> 2. On the other hand, I don't know how much you're paying for 2 2Gbit
> links, so "heavy-duty" firewalls might be just a drop in the bucket...
> 3. I would recommend an appropriately scaled firewall appliance
> 4. If you plan to go with Linux, make sure IPtables can actually handle
> that much bandwidth.
>
> -Mike
>
Also -
Many firewall appliances come with Active/Active and Active/Passive
configurations. If you roll your own Linux firewall, you'll need to mess
with HSRP, VRRP, syncing configurations, syncing open connections,
monitoring your connections, and a myriad of other things which a company
who specializes in this sort of thing has already solved.
-Mike
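A minimal two-node setup covering the VRRP and open-connection-sync items Mike lists, added here as an illustration and not part of the original thread. It uses keepalived for VRRP and conntrackd for conntrack-table replication; the interface names, addresses, router IDs and the dedicated sync link on eth2 are assumed values, and primary-backup.sh is the hook script that ships with conntrackd.

```conf
# /etc/keepalived/keepalived.conf (assumed interfaces and addresses)
vrrp_sync_group FW {
    group {            # outside and inside VIPs always fail over together
        EXT
        INT
    }
    # conntrackd's shipped hook: commits/flushes the replicated state on role change
    notify_master "/etc/conntrackd/primary-backup.sh primary"
    notify_backup "/etc/conntrackd/primary-backup.sh backup"
    notify_fault  "/etc/conntrackd/primary-backup.sh fault"
}
vrrp_instance EXT {
    state BACKUP       # both nodes BACKUP + nopreempt: no flap when the old master returns
    nopreempt
    interface eth0
    virtual_router_id 51
    priority 100       # the peer node uses a lower value, e.g. 90
    advert_int 1
    virtual_ipaddress {
        203.0.113.1/24 dev eth0
    }
}
vrrp_instance INT {
    state BACKUP
    nopreempt
    interface eth1
    virtual_router_id 52
    priority 100
    advert_int 1
    virtual_ipaddress {
        10.0.0.1/24 dev eth1
    }
}

# /etc/conntrackd/conntrackd.conf: replicate the conntrack table over the sync link
Sync {
    Mode FTFW { }      # acknowledged replication, so a failover keeps established flows
    Multicast {
        IPv4_address 225.0.0.50
        Group 3780
        IPv4_interface 192.168.100.1   # this node's address on the dedicated link
        Interface eth2
        Checksum on
    }
}
General {
    LockFile /var/lock/conntrack.lock
    UNIX { Path /var/run/conntrackd.ctl }   # control socket used by the hook script
}
```

Keep the sync link on its own physical interface: the replicated state is unauthenticated, so it must not be reachable from either carrier side.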