> you make a number of good points, but i have to challenge one or two:

Thanks.

> > > Hardware firewalls cannot be software cracked,
>
> AFAIK hardware firewalls still run software internally. their OSes are
> crackable. There have been vulnerabilities in cisco boxes, and in
> speedtouch dsl modems.

Yes, that is true and false. Most of the OS is hardware based. There are some software parts which allow configuration and minor changes to the functioning. Some hardware has been vulnerable. It is like everything, GIGO. A good, solid and proven firewall won't go changing on you over time and should remain secure. New exploits come out for sure, and new hardware must reflect that, but as the basic HW system doesn't change you don't end up being degraded accidentally to be made vulnerable to an old exploit.

> > > are fast and don't absorb CPU
> > > time.
>
> well an ipcop box only uses its own cpu time - the firewall uses its own
> cpu - whats the difference?

My working machine doesn't have to muck around losing CPU cycles doing routine filtering or routing tasks but instead can concentrate on my needs. It's the same reason I don't play or encode MP3 files or Ogg files while programming or running a long calculation.

> > > You also don't have to rebuild them every time you change boxes,
> > > software etc.
>
> I have been using the same firewall (ipcop) boxes for ages. They are
> 486's in slimline cases, they can easily be moved, they run dhcp client
> and server.

I bet my hardware is easier to move and not as vulnerable to corruption as yours :-) Comparing a tiny chocolate-box-sized router to a 486 box is like saying parking a tank is the same as parking a mini. Not true.

> > > Another nice feature is that they can deal with DHCP, be moved
> > > wherever you want, allow you to shut down your servers for maintenance
> > > and you can generally set and forget them.
>
> yes you can set and forget ipcop too, apart from looking to see if there
> are security upgrades, which are easy to install.

Which I have yet to need to do ...

> does the netgear have
> the facility to upgrade the firmware if there is a vulnerability
> discovered?

Yep!!

> and don't say it cannot happen, a google of "netgear
> vulnerability" produced this as the first hit (I'm not sure if it's the
> same device):
> http://archives.neohapsis.com/archives/nmap/2002/0004.html

The example above is better for me than you, I am afraid, Nick. Banning all packets below 1024 is a pretty weird thing to do and it doesn't allow intrusion. It only locks the firewall. I bet IPCop has been penetrated a few times. I am still looking for a valid penetration of the FM114P (non-wireless) on google and haven't found one.

> so, although they are good looking devices, i like my open source easily
> upgradable, ipcop boxes thanks :-)

Remember to teach it to play MP3s and CDs and then you'll be able to replace your discman too hehehehehehe

Respect

Shane
