RE: [suse-security] Linux router vs hardware router
+ According to MTBF calculations, should be more reliable.
... it died after nine months of 24/7 service. Until then, it was the perfect fire-and-forget appliance. It Plainly Worked.
9 months * 30 days/month * 24 hrs/day = 6480 hrs. I don't know what MTBFs appliance vendors usually claim, but 9 months isn't really a lot in my book. I expect routers, switches, etc. to be up a lot longer without exhibiting a failure. You could probably increase the MTBF of a Linux setup considerably by using a CPU and video card with low power consumption (requires less cooling -- fans like to fail, use good ones) and replacing the hard drive with plenty of RAM. Boot from CD, use a RAM-drive for the RW portions of the file system, store the configuration files, which change rather frequently, on floppy disk. This will be rather difficult to do with a stock SuSE system, though it might well be possible. If what you say about your level of networking expertise transfers to your Linux abilities, I wouldn't recommend it to you. No offence. ;-)
- Security generally good but updates can rely on luck in discovering a new code release.
This is something that does worry me to some extent. How quickly security updates for Linux defects are published is impressive. A hardware router implies
* unknown OS
I suppose most of them have a DOS or free Unix history. I don't know about the lower end, but most of the enterprise-grade appliances use modified versions of Linux or Open/Free/Net-BSD. I think developing their own OS is way too expensive for the SOHO market.
* unknown quality of filter implementation (the functionality offered by Zyxel seems to be fine)
I wouldn't expect too much from them. It's closed source, low price. I don't put much faith into that combination, but that's just my personal opinion.
I do not expect to get any sizeable attacks (barring yet another CodeRed storm) as I am on a dynamic IP, but just looking at how some Cisco SOHO product happened to lock up on the CodeRed attack due to a firmware bug, thus constituting a somewhat accidental DoS attack, does worry me.
+ Rapid response to new threats.
Major selling point. I tend to be paranoid in this respect - and since I am telecommuting, forced downtime due to (exploitable) threats is not something that I would like to see.
From my observations (which aren't many), the SOHO router market seems to rely on vulnerabilities not being found, i.e. security by obscurity. Alcatel, e.g., made a fundamental mistake in the default setup of their DSL thingies a while back. These types of errors are especially problematic with appliances meant for more or less clueless folks (no implication!), as those certainly won't be able to find and remove them.
Goes to show that a brand name doesn't do it all. Lots of the industry giants have acquired all sorts of small companies lately and now sell their products, which means that the giants' product lines are very heterogeneous and that experiences with some of a vendor's products don't necessarily carry over to others.
The only thing - which might be quite out of the ordinary - that I really do want to do is getting onto a (specific) VPN. The old Linux setup
Then what are the specifics of that VPN?
* dynamic IP
* Linux NAT router
* W2K and Linux 2.2 / 2.4 clients
was something that was not acceptable to the IS department. On the other hand,
* static IPs
* Linux NAT router
* W2K or Linux 2.2 / 2.4 clients
or
* dynamic IP
* W2K
would have worked for them. I have no idea what they are running (though I just asked).
The reasons behind the above would be very interesting.
The above-mentioned ZyWALL 10 will support IPsec endpoint features. Instead of running a client on a PC, your router will act as a client, and this will enable AH support as well. It will be an IPsec Client/Server and it will support both IPsec protocols, ESP (IP protocol 50) and AH (IP protocol 51), for both modes, "transport" and "tunnel". Is this something a Linux solution could do as well, even when set up by an incompetent network administrator (aka me)?
A Linux gateway with FreeS/WAN will work as an IPSec gateway as well, i.e. you can use tunnel mode and ESP (AH, too, if you want, though it adds nothing substantial in terms of security -- in fact, Bruce Schneier and a less famous co-author recommend that IPSec drop AH for reasons of removing redundancy) to connect the gateway and machines behind it to a similar IPSec gateway. Note that the terms 'client' and 'server' don't apply well to IPSec, as that is always a peer-to-peer thing. What the industry likes to call clients are Road Warriors in FreeS/WAN-speak, while the term 'VPN server' usually means IPSec tunnel mode gateways.

FreeS/WAN setup is anywhere between dead simple and impossible, depending entirely on the specific situation. Interoperation with other products can be challenging, but I am sure this is no different with any other product. We've just tried to set up W2K Professional (Road Warrior) to FreeS/WAN (tunnel gateway) connectivity, e.g., and it simply won't work, because W2Kprof doesn't support tunnel mode, *but* allows you to specify a tunnel end point. That effectively silences the NIC (or dial-up adapter) completely... Cool, huh? The point is that IPSec interoperability isn't as good as would be desirable, and FreeS/WAN is no exception. Don't let Zyxel blind you, though; I'd be skeptical of their interoperability.

Cheers,
Tobias
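The difference between ESP and AH that Tobias points at, and the reason a NAT router on a dynamic IP is awkward for IPsec, comes down to what each protocol's integrity check (ICV) covers. The Python model below is an added example, not code from this thread, from FreeS/WAN or from Zyxel: it builds minimal transport-mode AH and ESP packets, computes a simplified ICV (HMAC-SHA1-96 over the fields RFC 2402 and RFC 2406 specify, with ESP encryption omitted), and then passes each packet through a plain router (TTL decrement) and through a NAT (source address rewrite). All addresses, keys, SPIs and payloads are constructed for the example.

```python
# Added example, not code from the original thread or from FreeS/WAN.
# Addresses, keys, SPIs and payloads are constructed; encryption is omitted.
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12  # HMAC-SHA1-96: HMAC-SHA1 truncated to 96 bits

def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement checksum of a 20-byte IPv4 header whose checksum field is zero."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def _icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def _ah_covered(hdr: bytes, ah_hdr: bytes, payload: bytes) -> bytes:
    """AH authenticates the IP header too, with only the fields routers legitimately
    change (TOS, flags/fragment offset, TTL, checksum) zeroed. The source and
    destination addresses are NOT mutable in AH's view, so a NAT rewrite breaks the ICV."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + ah_hdr[:-ICV_LEN] + b"\x00" * ICV_LEN + payload

def ah_packet(src: str, dst: str, payload: bytes, key: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    """Transport-mode AH (IP protocol 51): next header, length, reserved, SPI, seq, ICV."""
    ah_hdr = struct.pack("!BBHII", 17, (12 + ICV_LEN) // 4 - 2, 0, spi, seq) + b"\x00" * ICV_LEN
    hdr = build_ipv4_header(src, dst, IPPROTO_AH, len(ah_hdr) + len(payload))
    return hdr + ah_hdr[:12] + _icv(key, _ah_covered(hdr, ah_hdr, payload)) + payload

def verify_ah(packet: bytes, key: bytes) -> bool:
    hdr, rest = packet[:20], packet[20:]
    if hdr[9] != IPPROTO_AH:
        return False
    ah_len = (rest[1] + 2) * 4
    ah_hdr, payload = rest[:ah_len], rest[ah_len:]
    return hmac.compare_digest(_icv(key, _ah_covered(hdr, ah_hdr, payload)), ah_hdr[-ICV_LEN:])

def esp_packet(src: str, dst: str, payload: bytes, key: bytes, spi: int = 0x2002, seq: int = 1) -> bytes:
    """Transport-mode ESP (IP protocol 50), integrity only. The ICV covers SPI, sequence
    number and the (normally encrypted) body, and never the outer IP header."""
    pad_len = (-(len(payload) + 2)) % 4
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, 17])  # RFC 2406 padding, next header
    esp_hdr = struct.pack("!II", spi, seq)
    hdr = build_ipv4_header(src, dst, IPPROTO_ESP, len(esp_hdr) + len(body) + ICV_LEN)
    return hdr + esp_hdr + body + _icv(key, esp_hdr + body)

def verify_esp(packet: bytes, key: bytes) -> bool:
    hdr, rest = packet[:20], packet[20:]
    if hdr[9] != IPPROTO_ESP:
        return False
    return hmac.compare_digest(_icv(key, rest[:-ICV_LEN]), rest[-ICV_LEN:])

def _rewrite_header(packet: bytes, edit) -> bytes:
    h = bytearray(packet[:20])
    edit(h)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))  # any header change needs a new checksum
    return bytes(h) + packet[20:]

def router_hop(packet: bytes) -> bytes:
    """What every router does: decrement TTL. AH tolerates this, TTL being mutable."""
    def dec_ttl(h): h[8] -= 1
    return _rewrite_header(packet, dec_ttl)

def nat_rewrite_src(packet: bytes, public_src: str) -> bytes:
    """What a NAT router does: replace the private source address with its public one.
    AH and ESP carry no port numbers, so a NAT has nothing but the SPI to track."""
    def set_src(h): h[12:16] = ipaddress.IPv4Address(public_src).packed
    return _rewrite_header(packet, set_src)

def ipsec_protocol(packet: bytes) -> str:
    return {IPPROTO_AH: "AH", IPPROTO_ESP: "ESP"}.get(packet[9], "other")

def demo() -> dict:
    key = b"constructed shared key"  # constructed; real SAs get their keys from IKE
    inside, peer, public = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed addresses
    payload = b"constructed UDP payload"
    ah, esp = ah_packet(inside, peer, payload, key), esp_packet(inside, peer, payload, key)
    return {
        "ah_direct": verify_ah(ah, key),
        "ah_after_router_hop": verify_ah(router_hop(ah), key),
        "ah_after_nat": verify_ah(nat_rewrite_src(ah, public), key),
        "esp_direct": verify_esp(esp, key),
        "esp_after_nat": verify_esp(nat_rewrite_src(esp, public), key),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILS'}")
```

AH survives the router hop because TTL is one of the fields it deliberately leaves out of the ICV, but fails after NAT because the source address is not. ESP's ICV never covers the outer IP header, so it passes in both cases; in tunnel mode, which is what a pair of gateways uses, the original addresses sit inside the ESP payload and are untouched. In transport mode the inner TCP or UDP checksum, computed over the original address, still breaks, one of the reasons UDP encapsulation of ESP (RFC 3948) was later standardized for NAT traversal. In neither protocol is there a port number for the NAT to multiplex on, which is why early "IPsec passthrough" implementations commonly handled only one tunnel at a time.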
On August 27, 2001 06:16 am, Reckhard, Tobias wrote:
You could probably increase the MTBF of a Linux setup considerably by using a CPU and video card with low power consumption (requires less cooling -- fans like to fail, use good ones) and replacing the hard drive with plenty of RAM. Boot from CD, use a RAM-drive for the RW portions of the file system, store the configuration files, which change rather frequently, on floppy disk.
I haven't looked at coyote linux in a while, but last time I did, it required a 486/DX with 32 MB of RAM and a floppy drive. No HD or video card needed. Only the power supply fan would be running; I don't even remember CPU fans on those chips. I think it handles the various jobs that are being asked about. Simple to set up. http://www.coyotelinux.com/techspec.php Just check out the specs, and if it's right, it sure is a low hardware requirement system.

Nick
: On Mon, 27 Aug 2001 08:16:30 +0200, Reckhard, Tobias wrote:
9 months * 30 days/month * 24 hrs/day = 6480 hrs. I don't know what MTBFs appliance vendors usually claim, but 9 months isn't really a lot in my book.
No, and I was hoping for more out of that notebook :-(
If what you say about your level of networking expertise transfers to your Linux abilities, I wouldn't recommend it to you. No offence. ;-)
No offence taken - I am that necessary little bit better ;-), but we now run into cost and time issues. The router ought to be dead silent, and finding a power supply unit and a CPU cooler that deliver that, AFAICS, is a nightmare.
The only thing - which might be quite out of the ordinary - that I really do want to do is getting onto a (specific) VPN. The old Linux setup
Then what are the specifics of that VPN?
This is the email reply I just got:

<quote>
We're still looking for a suitable device with IPSEC passthru that actually works. The ones you mentioned [i.e. the Zyxels] have a relatively serious flaw: one tunnel per bundle, and we run 5 separate tunnels in 1 bundle, so that feature probably won't work. Having the DSL router be a VPN client end-point is not possible, since I'd have to actually route to you, and we're not going to be able to support that for various reasons.
</quote>

He also said

<quote>
I'd suggest a simple DSL modem, and a w2k box running microsoft ICS and the vpn client and zonealarm pro (those last 2 things, we provide. microsoft ics comes with 98/ME/2kpro and is relatively easy to use.
</quote>

Incidentally, this (without VPN) is exactly my current setup, which I don't want to run for a variety of reasons:
* my workstation would have to run 24/7, sucking power like nothing
* I don't feel well at all about my work-station being connected directly to the Internet
* dial-on-demand has a design defect (it won't dial unless someone has logged into the W2K box)

IOW, I do need an appliance, a dedicated router. And, if possible, I'd really love to be able to get onto that VPN.

TIA,
Stefan
On Mon, Aug 27, 2001 at 02:40:22PM +0200, Stefan Hoffmeister wrote:
: On Mon, 27 Aug 2001 08:16:30 +0200, Reckhard, Tobias wrote:
9 months * 30 days/month * 24 hrs/day = 6480 hrs. I don't know what MTBFs appliance vendors usually claim, but 9 months isn't really a lot in my book.
No, and I was hoping for more out of that notebook :-(

This is no criticism or anything like that. It's only intended to be a little hint (and believe me, I know what I'm talking about... ;)

Did you consider what this kind of hardware is made for? Notebooks aren't made for continuous operation. They don't have cooling fans and so on. Not even some desktop boxes are optimal for these operating conditions. They get much too warm for permanent operation; often hard disks fail due to overheating. Some CPU coolers get stuck because of oil aging and dust in combination with high temperature and environmental air pollution. So bearings get stuck, the temperature rises and the collapse is perfect. Therefore it's much better to choose some old 486 board in at least a midi tower with a big but low-frequency cooler. This combination is best for permanent operation.

-- 
Regards, Wolfgang
------------------------------------------------------------
Wolfgang Wilde, Ampr: dg7nef.ampr.org, 44.130.62.20
Austrasse 96, 90429 Nuremberg, Germany
Email: wwilde@uumail.de, WWW: http://www.suse.de/
------------------------------------------------------------
participants (4)
- Nick Zentena
- Reckhard, Tobias
- Stefan Hoffmeister
- Wolfgang Wilde