Wiley Siler wrote:
> The question was not "can I secure a Linux box without a hardware
> firewall". The question (or statement really) was "will a firewall add
> jitter and lower performance".

A good firewall architecture w/QoS will actually prevent jitter and
increase performance, I might add.

> That answer is obviously a big NO. Can you secure a Linux (or even
> Windows) machine by closing ports? Sure. It helps immensely. However,
> an advantage of hardware is that you are physically separating the
> traffic from the end point.

The analogy I would use here is that you could purchase a safe for each
person in your house and have them each keep all their valuables in it,
but it is often cheaper and easier to focus on securing entrance points.
The same is doubly true for office buildings, and also quite true for
computer networks.

I typically use used P1's running Linux for firewalls. They work great
and have all the capabilities I need including QoS and secure management.

> Sure, all the ports closed on a Linux box can protect that machine.
> However, having only web (for example) traffic going to your Apache
> server is really beneficial. The server can focus on delivering pages
> and not spend any CPU cycles on "is this a good packet? Should I drop
> it?". A firewall (software or hardware) should also be able to better
> deal with DOS and things of that nature. Port securing does nothing to
> assist with DOS.

DOS doesn't include a TCP/IP stack, does it? ;-) By "Things of that
nature" are you including CP/M?

Actually port securing can provide some measure of protection against
DoS attacks in that fewer services are available to attack. However,
you are correct that this protection is probably insignificant.

> So... You are totally right, you can secure a box that way. However, a
> firewall (be it software or hardware) is far superior a method.

When you say "software" or "hardware" I assume you mean hardware like
PIX and software like BlackIce. I am not sure where a stripped down
Linux version running on a P1 which does firewalling and only
firewalling fits in. I call that type of system a "hardware" firewall
simply because it is a dedicated piece of hardware which does perimeter
control and only perimeter control.

Where VOIP is concerned, use a dedicated firewall system with QoS
capabilities. Period. (Yes it is possible to run such a system on
Windows, but I certainly don't advise it.)

> I prefer the hardware method myself as it is a matter of management and
> additional features. However, for some, a software method may be
> better. I ran Mandrake SNF (a shorewall implementation) for a long time
> so I have been there. Considering you can run a Linux firewall on a 386
> machine worth $20 makes the fact that so many people don't have
> firewalls seem just ridiculous.

Bear in mind that finding replacement parts (NIC's etc) for your 386 may
not be trivial... That is why I use P1's with PCI slots...

Also it is often impossible to get OpenGK to compile on such a machine
due to memory limitations (my P1 firewall even has this problem and it
has a whopping 32MB RAM). So the older you go, the less functionality
you may be able to add.
Best Wishes,
Chris Travers
Metatron Technology Consulting
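A minimal ruleset for the dedicated Linux firewall box the thread argues for, added here as an example that is not from the thread or from any of its participants: only web traffic is forwarded to the Apache host, only SIP/RTP reaches the PBX, new web connections are rate-limited per source so a flood is absorbed at the perimeter, and voice packets are marked EF and put in the top priority band on the uplink. The interface names, addresses and SIP/RTP port numbers are assumptions, not taken from the page.

```shell
#!/bin/sh
# Dedicated Linux firewall ruleset (added example, not the thread's own config).
# Assumed layout (not from the page): eth0 faces the Internet, eth1 faces the
# LAN, Apache is at 192.168.1.10, the Asterisk box is at 192.168.1.20 and
# speaks SIP on 5060/udp with RTP on 10000-20000/udp.
# Set IPT="echo iptables" TC="echo tc" to print the rules instead of applying them.
IPT="${IPT:-iptables}"
TC="${TC:-tc}"
WAN=eth0; LAN=eth1; WEB=192.168.1.10; PBX=192.168.1.20

build_rules() {
    # Start clean, then default deny on the box itself and on everything it forwards.
    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # Stateful: only replies to sessions we allowed come back in.
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT   # management from the LAN side only

    # Only web traffic reaches Apache; sources opening too many new
    # connections per second are dropped here, before the server sees them.
    $IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB
    $IPT -A FORWARD -i $WAN -o $LAN -p tcp -d $WEB --dport 80 \
        -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 20/sec \
        --hashlimit-burst 40 --hashlimit-mode srcip --hashlimit-name webflood -j DROP
    $IPT -A FORWARD -i $WAN -o $LAN -p tcp -d $WEB --dport 80 -j ACCEPT

    # VoIP: SIP signalling and the RTP range to the PBX, nothing else.
    $IPT -t nat -A PREROUTING -i $WAN -p udp -m multiport --dports 5060,10000:20000 -j DNAT --to-destination $PBX
    $IPT -A FORWARD -i $WAN -o $LAN -p udp -d $PBX -m multiport --dports 5060,10000:20000 -j ACCEPT

    # LAN hosts may initiate outbound sessions.
    $IPT -A FORWARD -i $LAN -o $WAN -j ACCEPT

    # QoS: mark voice packets EF (DSCP 46, TOS byte 0xb8) and send them to the
    # top band of a prio qdisc on the uplink so bulk traffic cannot add jitter.
    $IPT -t mangle -A POSTROUTING -p udp -m multiport --ports 5060,10000:20000 -j DSCP --set-dscp-class EF
    $TC qdisc add dev $WAN root handle 1: prio
    $TC filter add dev $WAN parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xfc flowid 1:1
}

case "${1:-}" in
    apply)   build_rules ;;
    dry-run) IPT="echo iptables"; TC="echo tc"; build_rules ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

IP forwarding (net.ipv4.ip_forward) must be enabled on the box for the FORWARD rules to see any traffic; run `dry-run` first to review the generated commands.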
_______________________________________________
Asterisk-Users mailing list
[email protected]
http://lists.digium.com/mailman/listinfo/asterisk-users