Hi, my Linux gateway appliance (an old notebook), serving a small LAN with essentially just dial-on-demand DSL and basic packet filtering (SuSE firewall), just died, so I need some kind of a replacement. I wonder whether I should go the Linux appliance route (purchase some very silent, inexpensive hardware and build up a system), or whether a specialised hardware appliance would perform better (and cost less).

The sole purpose of the appliance will be to provide dial-on-demand DSL services to the LAN, some very basic security (all LAN clients will be running ZoneAlarm or SuSE firewall[2]), and hopefully some VPN functionality.

http://www.zyxel.com/product/dslcablesharing/p310.htm supports PPTP and IPsec passthrough.

http://www.zyxel.com/product/firewall/zywall10.htm will support the IPsec endpoint feature. Instead of running a client on the PC your router will act as a client and this will enable AH support as well. It will be an IPsec Client/Server and it will support both IPsec protocols ESP (IP protocol 50) and AH (IP protocol 51) for both modes "transport" and "tunnel".
From a security point of view only, I'd be interested in
* how much risk is there for a vulnerability in these routers (and if there is a vulnerability, how bad can it get?);
* how good is, potentially, the "protection" (through packet filtering or stateful filtering) compared to the facilities offered by the Linux 2.2 / 2.4 kernels?

TIA, Stefan
Hello Stefan, I would go with something running Linux and something that you build; sometimes it costs more money, but then you have the flexibility of the firewall that you are the one to set up and unlimited support from people like us. I once made the mistake of buying a Netgear cable router thing... well, it did not work, and it did not have the flexibility and configuration of an old P150 with ipchains that I've used before for my main router. Remember, most of those routers you buy run some kind of embedded Linux or other system they made... :) So I would suggest an old Pentium box with some RAM... and 2 NIC cards. I know I had mine, and it was SuSE 6.2 with 2.2.14, and the last time I rebooted it was a very long time ago. It has no monitor and the only way you can get to the login prompt is if you use a serial cable to hook up to it. And there is another problem with buying those kinds of routers: most of them have some kind of range of IPs set; like my Netgear could only support 25 boxes... and strangely enough, sometimes that can be just not enough. --Roman

On Sun, Aug 26, 2001, Stefan Hoffmeister wrote:
----------------------------------
Roman Shakin
rshakin@unixfreak.org (email)
+1 (949) 653-2188 (phone)
+1 (949) 651-7563 (voice)
Hello Stefan, while Linux routers give you more flexibility, hardware routers are maintenance free, small and do not consume a lot of electricity. They usually have a NAT firewall with many advanced features including DMZ. It is better to buy a router with an Ethernet switch inside. I bought a Linksys Etherfast BEFSR41 (it supports PPTP) and am very happy with it (when I had DSL it resolved all my problems with PPPoE). Others prefer the SMC Barricade - it provides a shared printer service and dialling with a modem when the WAN fails. Please go to http://www.practicallynetworked.com/pg/recommendations.htm#HW_NAT for more information.

- Alexey.

Alexey N. Solofnenko <mailto:alexeys@citechlabs.com>
Citech Inc. <www.citechlabs.com>
Pleasant Hill, CA (GMT-8 usually)
Stefan,
As ever with these sorts of question, the answer is "it depends....". I use an old 486 with ipchains most of the time but there are times I fall back to a hardware router. Strangely, the 486 seems to provide better performance as whenever I switch over to the router I get "hey the network is real slow today".

Here are some pointers to help you with your decision. In my view, those marked + are strengths.

Hardware router - I like the Barricade and have satisfied customers.
+ Simple to configure
+ Low power consumption
+ Small physical footprint
+ Quiet
+ According to MTBF calculations, should be more reliable.
- Security generally good but updates can rely on luck in discovering a new code release.
- Generally useless for complex services, i.e. those using multiple ports with inbound connections.
- Logging barely sufficient
+ May handle protocols other than IP
The above assumes you are using Domestic/SME type equipment.

Linux with ipchains - satisfied customers here too.
- Complex to configure properly
- Moderate power consumption, equivalent to a light bulb on all the time.
- Sizeable footprint which is usually awkward to house unless rack mounted with other equipment - I like these ~1U boxes.
+ Very flexible both in control of the link and in firewall configuration
+ Handles inbound connections
+ Security is as good as you make it (others may view this as a weakness)
+ Good logging (if you configure it right) - I like to know what the bandits are up to.
+ Can cohost an IDS although from a purist point I could argue against that.
+ Rapid response to new threats.
+ & - Only handles IP although you can go beyond the TCP/UDP/ICMP of hardware routers.
These are all generalisations based on my experience of Cisco/Ascend/Barricade and Linux.
I have tried to steer a middle ground to highlight the pitfalls for someone who has not had the pleasure of banging their head against a brick wall trying to convince one of these hardware firewalls to do something slightly out of the ordinary. If all you want is outbound connections and maybe SMTP inbound, consider a black box. For anything else, use Linux. HTH John
On Sun, 26 Aug 2001 23:22:12 +0100, John Trickey wrote:

First of all, a big thanks to you and everybody else who has replied so far (here on the list and in private email) for well-balanced replies.
The notebook (Omnibook 800, P133) that I was running, was doing reasonably fine in this category, too, but, alas, ...
> + According to MTBF calculations, should be more reliable.
... it died after nine months of 24/7 service. Until then, it was the perfect fire-and-forget appliance. It Plainly Worked.
> - Security generally good but updates can rely on luck in discovering a new code release.
This is something that does worry me to some extent. Looking at how quickly security updates for Linux defects are published is impressive. A hardware router implies
* unknown OS
* unknown quality of filter implementation (the functionality offered by Zyxel seems to be fine)
I do not expect to get any sizeable attacks (barring yet another CodeRed storm) as I am on a dynamic IP, but just looking at how some Cisco SOHO product happened to lock up on the CodeRed attack due to a firmware bug, thus constituting a somewhat accidental DoS attack, does worry me.
Yep. We are talking about hardware in the $150-$300 range - and I am really keen on the Zyxel ZyWALL 10 http://www.zyxel.com/product/firewall/zywall10.htm with the security features it is offering and with the VPN functionality they seem to be going to add in a not too distant firmware release. Logging support seems to be good, too - it will even log to a remote syslogd.
> Linux with ipchains - satisfied customers here too.
> - Complex to configure properly
It was "relatively" easy thanks to good instructions on the SuSE site, coupled with the SuSE firewall scripts. It was not as good as plug-n-play, but, still very nice.
The notebook was very good in this respect :-(
> + Very flexible both in control of the link and in firewall configuration
I don't have the necessary *deep* knowledge about firewall configuration (nor time or inclination to read up on it), so I do have to rely on SuSE's firewall to protect things well enough.
> + Handles inbound connections
Many hardware routers should be able to do that as well - I know that at least the above-mentioned ZyWALL 10 as well as the Zyxel Prestige 310 http://www.zyxel.com/product/dslcablesharing/p310.htm do support port forwarding, which should be enough to get some very basic stuff up and running (a chroot'ed Apache in a DMZ, for instance) for spotty "serving" through a dynamic IP (using a Dynamic DNS provider).
> + Security is as good as you make it (others may view this as a weakness)
Frankly, for me this is a weakness (see above). I smell a security leak in "general" code from a large distance, but my network knowledge is basically non-existent.
> + Rapid response to new threats.
Major selling point. I tend to be paranoid in this respect - and since I am telecommuting, forced downtime due to (exploitable) threats is not something that I would like to see.

The only thing - which might be quite out of the ordinary - that I really do want to do is getting onto a (specific) VPN. The old Linux setup
* dynamic IP
* Linux NAT router
* W2K and Linux 2.2 / 2.4 clients
was something that was not acceptable to the IS department. On the other hand,
* static IPs
* Linux NAT router
* W2K or Linux 2.2 / 2.4 clients
or
* dynamic IP
* W2K
would have worked for them. I have no idea what they are running (though I just asked).

The above-mentioned ZyWALL 10 will support IPsec endpoint features. Instead of running a client on the PC your router will act as a client and this will enable AH support as well. It will be an IPsec Client/Server and it will support both IPsec protocols ESP (IP protocol 50) and AH (IP protocol 51) for both modes "transport" and "tunnel".

Is this something a Linux solution could do as well, even when set up by an incompetent network administrator (aka me)?

TIA, Stefan
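Why the Zyxel remark ties AH support to the router itself being the IPsec endpoint, as an added illustration that is not part of the thread and not Zyxel's or FreeS/WAN's code: AH's integrity check covers the outer IP source and destination addresses (only the mutable fields are zeroed), so a NAT gateway that rewrites a LAN client's source address on the way out invalidates the packet, while a router that is the endpoint sends with its own public address and has nothing rewritten. The key, SPI and addresses below are constructed sample values.

```python
import hmac, hashlib, struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread
AH_PROTO, ICV_LEN = 51, 12     # AH is IP protocol 51 (as the page says); HMAC-SHA1-96 ICV

def ipv4_header(src, dst, proto, total_len, ttl=64):
    # ver/IHL, ToS, length, ID, flags/frag, TTL, proto, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def immutable_view(ip_hdr):
    # RFC 4302: mutable fields are zeroed before computing the ICV; the source
    # and destination addresses are not mutable, so they stay authenticated.
    b = bytearray(ip_hdr)
    b[1] = 0                  # ToS / DSCP
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)

def ah_header(next_hdr, spi, seq, icv):
    # next header, payload length (AH words minus 2), reserved, SPI, sequence, ICV
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def compute_icv(ip_hdr, next_hdr, spi, seq, payload, key=KEY):
    ah_zeroed = ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)
    data = immutable_view(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(src, dst, payload, spi=0x1001, seq=1, next_hdr=17):
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload))
    icv = compute_icv(ip_hdr, next_hdr, spi, seq, payload)
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + payload

def verify_ah_packet(pkt, key=KEY):
    ip_hdr, ah, payload = pkt[:20], pkt[20:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    next_hdr, _plen, _res, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = compute_icv(ip_hdr, next_hdr, spi, seq, payload, key)
    return hmac.compare_digest(ah[12:], expected)

def nat_rewrite_source(pkt, new_src):
    # NAT gateway behaviour: swap the private source address for its public one
    return pkt[:12] + IPv4Address(new_src).packed + pkt[16:]

def demo():
    # Constructed documentation-range addresses: LAN client -> VPN peer, then NAT
    pkt = build_ah_packet("192.168.1.10", "203.0.113.5", b"constructed payload")
    natted = nat_rewrite_source(pkt, "198.51.100.7")
    return verify_ah_packet(pkt), verify_ah_packet(natted)  # (True, False)
```

ESP tunnel mode, which the page says both Zyxel boxes handle as passthrough, is unaffected by this rewrite because its integrity check does not cover the outer IP header.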
Hello, Stefan Hoffmeister wrote:

A notebook is not made for such an operating mode, so I am surprised that it did it for 9 months. Low power consumption: using Zip drives instead of a hard disk should reduce it. Or try fli4l as a one-diskette router. It can use ISDN and also DSL (486/66 with 32 MB) and optional IPsec (FreeS/WAN). You can find it at www.fli4l.de

Regards, Ralf Balzer