1999-09-11-21:23:57 Tally:
> perhaps this may be the right place to ask this question.
There may well not be any right place; "OS Wars" aren't really welcome in any
venue:-).
But I think it's a very interesting question, and as I (and many others, I
think) regard the open source Unixes as the very best firewall platforms this
isn't any worse a venue than any other.
I think there are some general comments that can be made without too much
controversy; I'll see if I can stick to them.
For starters, no one of these OSes is fundamentally and completely better in
every way than any of the others. So it comes down to tradeoffs, each has
different strengths and weaknesses. Making it much harder to compare, they're
none of them standing still, they're all moving targets, so anything said
comparing strengths and weaknesses may have been true yesterday, may even be
true today, but may not be true tomorrow.
Enough with the disclaimers:-).
More important than picking one OS or another is picking a good hardware
platform. If you assemble a $150 PC with a random mix of yard-sale parts,
there's a pretty good chance that some of 'em will have suffered environmental
damage, or be weirdos of which only a few dozen were ever made with mediocre
compatibility with supported parts, or whatever. If you have $150 to spend
for a firewall grand total then that's the only way to go, but if you are
interested in a high-performance high-reliability server of _Any_ sort
including a firewall, there's no substitute for buying top-quality parts. I
don't feel guilty for recommending that a customer blow the bucks for
ludicrously expensive Compaq rackmount PCs for a website we helped him
deliver; the boxes were hassle-free and bulletproof. I'm sure with a bit of
effort specifying and testing good-quality parts you could halve the cost
of off-the-shelf-from-Compaq with no loss of reliability. And even the most
expensive generic x86 is still cheaper than other systems of comparable
performance. Besides keeping the quality-of-hardware issue in mind for your
own shopping, remember to keep it in mind when evaluating other people's
opinions. At the margin, with marginal hardware, otherwise unimportant
differences between implementations can tickle or refrain from tickling
hardware glitches and so cast an unfair light on the comparison. If you do end
up going with dumpster-diver hardware, it's probably wise to stay completely
open-minded on the OS and use whatever, if anything, can be made to work.
On to the OSes. By and large, Linux enjoys a larger community of people
hacking device drivers for more diverse and obscure hardware, so if the gizmo
you want to use is newer or obsolete or less popular or whatever there's a
decent chance that Linux might have support that other OSes don't. Larger
development community naturally also means more developers, and Sturgeon's Law
always applies, so it may well be that some of the drivers that Linux includes
might not be as well-written as those in an OS developed by a more select
group of programmers.
The OSes have different feels. At first blush Linux feels a little more
System-V-ish than the BSDs (which, naturally, feel BSD-ish). But all the
open source Unixes feel more like each other than any of them feel like any
commercial Unix I know of. If you end up with a choice of OSes that support
your hardware platform, this may be a good way to pick between 'em --- the one
that rubs you the right way will leave you happier. Nobody likes things that
are gratuitously different from what they're used to.
The out-of-the-box configs are appreciably different. Last I looked OpenBSD
was shipped considerably more secure than the others from a default install. I
don't give this a lot of weight, as I strip services and tighten config on
everything including OpenBSD, but others may count this one as important.
For firewall (or hardened server) use, OpenBSD (and maybe the others?) come
with IPFilter, Linux comes with IPChains (but you can install IPFilter on
Linux). IPFilter supports stateful packet filtering tracking TCP connections,
ipchains doesn't. This may be a point worth considering.
A firewall is a box that needs administering. A very important admin tool is
software packaging. I like RPM very much for software packaging, and I think
its features commend it for easing the maintenance of a firewall. MD5
checksums in the package mean that your offline media for rebuilding the
machine are also your offline validation database for auditing it. Public Key
signatures offer the prospect of automating installation of security-critical
updates from a trusted source. Nothing here that can't be retrofitted onto
another software packaging tool, but I am very happy to use RPM everywhere
(including on OpenBSD systems when I've used them in the past).
The different OSes support different hardware platforms. E.g. Red Hat Linux
supports most x86 PCs, some sparcs, and some alphas. Other Linux distributions
support other platforms. The various BSDs support a great load of different
platforms. If you want to use something other than standard x86 hardware this
might be worth looking into.
Some OSes or distributions are better than others at doing minimal installs.
Some firewall architects regard this as an important point. I don't; I'm just
as happy doing a full install of Red Hat 6.0, at well over a gig of disk
footprint, then installing an rpm whose postinstall script arranges to remove
all the other packages that don't belong on the finished product. To some
degree I think this reflects one's comfort with software packaging tools.
I think I've run out of things to say. Or maybe I've just gotten tired. Hope
something in this morass of generalities and unjustified hand-waving is
useful.
-Bennett
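The stateful-versus-stateless point above is easier to see with a small model. The following is an added example, not code from the post or from IPFilter or ipchains: a stateless filter that must admit any inbound packet carrying ACK in order to let replies through, beside a stateful one that keeps a table of outbound TCP connections and admits inbound packets only when they match a tracked connection. The addresses, ports and packets are constructed for the example; the filter rules and the connection table are a simplification of what a real stateful filter does (no sequence tracking, no timeouts).

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# Constructed topology: one protected network behind the firewall (assumption).
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flags present, e.g. frozenset({"SYN"})


def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE_NET


class StatelessFilter:
    """Judges each packet on its own header, as a stateless filter must.
    Outbound traffic is allowed; inbound is allowed only if ACK is set,
    the usual stateless approximation of "reply to an existing connection"."""

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            return True
        return "ACK" in pkt.flags


ConnKey = Tuple[str, int, str, int]


class StatefulFilter:
    """Remembers outbound connections and admits inbound packets only when
    they belong to one: the TCP connection tracking the post refers to."""

    def __init__(self) -> None:
        self.table: Set[ConnKey] = set()

    def allow(self, pkt: Packet) -> bool:
        fwd: ConnKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: ConnKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src):
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table.add(fwd)        # new outbound connection
            elif pkt.flags & {"FIN", "RST"}:
                self.table.discard(fwd)    # connection ending
            return True
        if rev in self.table:              # reply to a tracked connection
            if pkt.flags & {"FIN", "RST"}:
                self.table.discard(rev)
            return True
        return False                       # inbound with no matching state


def run(flt, packets: List[Packet]) -> List[bool]:
    return [flt.allow(p) for p in packets]


# Constructed sample traffic (not captured from any real network).
OUT_SYN = Packet("10.0.0.5", 40000, "203.0.113.7", 80, frozenset({"SYN"}))
IN_SYNACK = Packet("203.0.113.7", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
IN_DATA = Packet("203.0.113.7", 80, "10.0.0.5", 40000, frozenset({"ACK"}))
# An inbound packet with ACK set that matches no connection the inside host opened.
IN_UNSOLICITED = Packet("198.51.100.9", 6000, "10.0.0.5", 22, frozenset({"ACK"}))
IN_NEW_SYN = Packet("198.51.100.9", 6001, "10.0.0.5", 22, frozenset({"SYN"}))
TRAFFIC = [OUT_SYN, IN_SYNACK, IN_DATA, IN_UNSOLICITED, IN_NEW_SYN]


def compare() -> dict:
    """Decisions for the same traffic under both filters."""
    return {
        "stateless": run(StatelessFilter(), TRAFFIC),
        "stateful": run(StatefulFilter(), TRAFFIC),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, decisions)
```

Running it shows both filters passing the outbound SYN, the SYN/ACK and the data reply, and both rejecting the fresh inbound SYN; they differ only on the unsolicited ACK-only packet, which the stateless filter cannot tell apart from a legitimate reply and the stateful one rejects because no inside host opened that connection.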
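The packaging point, that the per-file checksums in a package double as an offline validation database for auditing the box, can be shown without RPM itself. This is an added example, not code from the post or from RPM: it records a digest for every file in an "installed" tree, keeps that manifest as the trusted copy, and later reports files that were modified, removed, or added. MD5 is used because that is what the post names; the digest algorithm is a parameter, and for a tamper check built today a collision-resistant digest such as SHA-256 is the one to pass. The file tree and its contents are constructed for the example.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def file_digest(path: str, algo: str = "md5") -> str:
    """Hash a file in chunks. md5 is the page's choice; pass "sha256" today."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, algo: str = "md5") -> Dict[str, str]:
    """Map relative path -> digest for every file under root. This stands in
    for the per-file checksums a package carries."""
    manifest: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full, algo)
    return manifest


def audit(root: str, manifest: Dict[str, str], algo: str = "md5") -> Dict[str, List[str]]:
    """Compare the live tree against the trusted (offline) manifest."""
    current = build_manifest(root, algo)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed scenario: build a tiny installed tree, take its manifest
    (the copy you would keep with the rebuild media), then change the tree
    and audit it again."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "sbin/ipf", b"#!/bin/sh\necho filter\n")
        _write(root, "etc/ipf.rules", b"block in all\n")
        _write(root, "etc/motd", b"authorized use only\n")
        manifest = build_manifest(root)
        before = audit(root, manifest)          # clean tree: nothing reported
        # Simulated changes: one file altered, one removed, one added.
        _write(root, "sbin/ipf", b"#!/bin/sh\necho tampered\n")
        os.remove(os.path.join(root, "etc/motd"))
        _write(root, "bin/extra", b"not from any package\n")
        after = audit(root, manifest)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, report in demo().items():
        print(phase, report)
```

The manifest is only as trustworthy as the copy you compare against, which is the post's point about keeping it on offline media rather than on the machine being audited; on a real RPM-based host the equivalent of `audit` is `rpm -V`, which checks installed files against the digests recorded in the package database.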