> I'm confused here. Isn't that what Linux is supposed to do with IP*
> (name of the month)?
Yes.
> Why is this box more secure than Linux?
Not necessarily so. It's less complex than linux. It is not actually
running any services, with the exception of an embedded web browser if
you allow management from specified external addresses. There's
nothing at the router to attack using conventional stack-crash and
crowbar techniques. New techniques will evolve but they're not here
yet.
> What are they doing that Linux isn't?
IPSec for one - that's the thing that actually pushed me over the
edge. I was doing a host-based system. Then my wife came home with
some Nortel VPN thingy and the amount of futzing I was going to have
to do to patch in an IPSec tunnel was the straw that broke the camel's
back. The real question is what "aren't I doing once I've installed
this thing?". The answer is "getting all balled up in the complexity of
configuring ipchains/iptables and keeping it all up to date". With
the appliance I plugged it in, changed the IP address of my Linux box
so that it would be on the default network for the box (192.168.123),
pointed a web browser at 192.168.123.254:80, and told it to forward a
very small number of ports to my Linux box. I then told it to
allocate 192.168.123.128 through 192.169.123.253 as DHCP space for
wired and wireless clients and set up my WEP settings.
Boom! Almost done. Had to reconfigure my TZO (dynamic DNS) agent to
go through a different port so that it would properly sense the
address of the gateway, not my host.
Firmware upgrades appear regularly. I hit the config page on the
device, select "update", it pops a dialog box with a file picker, it
uploads, updates and reboots.
My box is a cable/DSL router with packet filtering (it can also filter
outbound traffic by port by up to 3 groups of machines), a 3 port fast
ethernet switch, an 802.11b wireless basestation with 64-bit WEP, an
LPD print server with parallel port and a serial port for autodial
failover to dialup if my cable connection goes dark. It's a DHCP
server and client, I can clone my MAC addr onto its outbound side, it
does PPPoE, PPTP and IPSec. It allows the configuration of a DMZ host
or permits the direct forward of up to 10 ports to inside addresses.
It understands funky multiport applications like game services. It's
fast, it's silent and it lets me focus my Linux security efforts on
traffic to exactly FOUR daemons on my Linux box. And it lets me read
my email on the back deck ;-).
This was for $340, 20 minute setup and 20 minutes a week maintenance.
And yeah, it has no fans...
> Or what aren't they doing that Linux is?
Linux as a host-based router is unsurpassed in its power and
flexibility. I would want to do it on a machine that's used for
nothing but firewalling and preferably without any accessible
permanent storage at run time. For home use this means powering a
full PC carcass to run something like an LRP floppy NAT/firewall
system. For home use where space and time are at a premium I'm
just not into it.
Now at the "enterprise" level, given a choice between a Linux-based
solution and some Cisco thing I'd take the Linux solution. I'd go
through the extra hair of getting the IPSec MASQ working and I'd build
in a nice tight integration of packet filtering, proxy services and
monitoring. And I'd get paid to do it. ;-)
In Greg's case I think it's a no-brainer. Learn firewalling in a place
where AT&T isn't breathing down your neck.
While I was writing somebody at db.desicom.de tried to tickle my
nameserver and was dutifully repulsed.
ccb
--
Charles C. Bennett, Jr.
Systems Engineer, Northeast US
+1 617 543-6513
[EMAIL PROTECTED]
VA LiNUX Systems
25 Burlington Mall Rd., Suite 300
Burlington, MA 01803-4145
www.valinux.com
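For comparison with the appliance setup described in the message above, here is what the same policy (default deny, masquerade the inside net, forward a handful of TCP ports to one inside host) looks like as an iptables script on a Linux box. This is an added example, not code from the original post or from the poster; the interface names, the inside host address 192.168.123.1 and the four forwarded ports are assumptions chosen for illustration. By default it only prints the rules; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: minimal host-based NAT/firewall equivalent to the
# "forward a very small number of ports to my Linux box" appliance config.
# All names and addresses below are assumptions for illustration.

WAN="${WAN:-eth0}"                            # assumed: cable/DSL side
LAN="${LAN:-eth1}"                            # assumed: inside switch side
LAN_NET="${LAN_NET:-192.168.123.0/24}"        # the appliance's default net
INSIDE_HOST="${INSIDE_HOST:-192.168.123.1}"   # assumed address of the Linux box
FORWARD_PORTS="${FORWARD_PORTS:-22 25 80 443}" # assumed "very small number of ports"
IPT="${IPT:-echo iptables}"                   # dry run unless IPT=iptables

build_firewall() {
    # Start clean and default-deny anything not explicitly allowed.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback plus replies to connections we already track.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The router itself is reachable only from the inside network,
    # mirroring "management from specified addresses" on the appliance.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # Inside clients may go out; hide them behind the WAN address.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Forward exactly the listed TCP ports from the WAN side to the inside
    # host: one DNAT rule to rewrite the destination, one FORWARD rule to
    # let the rewritten packet through the default-deny policy.
    for p in $FORWARD_PORTS; do
        $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$p" \
             -j DNAT --to-destination "$INSIDE_HOST:$p"
        $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$INSIDE_HOST" \
             --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# Dry-run helper: how many port forwards would be installed. Uses a
# subshell so the real IPT setting is never touched.
count_forwards() {
    (IPT="echo iptables"; build_firewall) | grep -c 'DNAT --to-destination'
}

build_firewall
```

Everything the appliance's "DMZ host" button would do is the same DNAT idea applied to all ports, which is exactly the exposure a default-deny policy is meant to avoid; keeping the forward list short is what lets the inside box concentrate its hardening on those few daemons.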
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************