Ryan Byrd wrote:
> but hey, you may actually *need* to upgrade for a good reason - but what
> *exactly* do you need that your iptables boxes cannot provide for you (aside
> from the feel-good cisco brand) ?
Well, it's possible that a cisco box, running their embedded IOS
instead of linux would be a touch faster, but regardless of whether
it's two linux boxes running iptables or two hardware firewalls, there
are several advantages to having a DMZ for your webservers and hiding
the application and database servers on the inside, don't you think?
Having hardware appliances might make it easier to configure, too,
because, well, all the hardware firewall does is packet filter. No
need to worry about patching/locking down anything else, like you'd
have to consider with a linux box. In a very over-general sense, too,
dedicated tools seem to work better than multipurpose ones (ever tried
to cut down a tree with a swiss-army knife saw-blade?)
so, does anyone have any experience with hardware firewalls?
mrb
.===================================.
| This has been a P.L.U.G. mailing. |
| Don't Fear the Penguin. |
| IRC: #utah at irc.freenode.net |
`==================================='
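The layout mrb describes (web servers on a DMZ leg, application and database servers on the inside) as an iptables FORWARD policy. This is an added example, not a ruleset from anyone in the thread; the interface names, subnets and host addresses are assumptions for illustration, and the script prints the commands by default so it can be reviewed without root (set IPT=iptables to apply it).

```shell
#!/bin/sh
# Added example: a minimal three-leg DMZ policy for a Linux/iptables box.
# Assumed topology (not from the thread):
#   eth0  Internet-facing
#   eth1  DMZ          192.168.10.0/24, web server WEB=192.168.10.10
#   eth2  internal LAN 10.0.0.0/24,     app server APP=10.0.0.20
# The database server also sits on the LAN; app->db traffic never crosses
# the firewall, so it needs no rule here.
# IPT defaults to a dry run that prints the commands; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"
INET=eth0; DMZ=eth1; LAN=eth2
DMZ_NET=192.168.10.0/24; LAN_NET=10.0.0.0/24
WEB=192.168.10.10; APP=10.0.0.20

dmz_rules() {
    # Default-deny for anything routed through the box; only listed flows pass.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies to flows accepted below, then drop packets with no valid state.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Internet -> DMZ: only HTTP/HTTPS, only to the web server.
    $IPT -A FORWARD -i "$INET" -o "$DMZ" -d "$WEB" -p tcp -m multiport --dports 80,443 \
         -m conntrack --ctstate NEW -j ACCEPT

    # DMZ -> LAN: only the web server, only to the app server's service port.
    # A compromised web host gets this single hop inward and nothing else.
    $IPT -A FORWARD -i "$DMZ" -o "$LAN" -s "$WEB" -d "$APP" -p tcp --dport 8080 \
         -m conntrack --ctstate NEW -j ACCEPT

    # LAN -> DMZ: admins may SSH to DMZ hosts; DMZ hosts never initiate SSH inward.
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -d "$DMZ_NET" -p tcp --dport 22 \
         -m conntrack --ctstate NEW -j ACCEPT

    # LAN -> Internet: outbound from the inside (tighten to a proxy if you run one).
    $IPT -A FORWARD -i "$LAN" -o "$INET" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # No Internet -> LAN rule exists: such packets hit the rate-limited log line
    # and then the DROP policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

dmz_rules
```

Reading the policy from the attacker's side is the point: a web server that is fully owned can open exactly one new connection type inward (tcp/8080 to the app server), and the database is not reachable from the DMZ at all.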
As far as efficiency, I gathered from various research that the Linux
distros that are focused on being firewalls are pretty good at it and
don't have nearly as much bloat to trim as a generic Linux install. And
if Cisco does all the "features" that most commercial firewalls do, i.e.
employee micromanagement, then I doubt they are all that efficient
anyway. Our Firebox does what a firewall should, no doubt, but it does
a very large list of other things as well. I think if you take a Linux
distro that intends to be nothing but a firewall, you would end up being
more efficient than a commercial device. But I'm not a firewall guru by
any means, just spent a few months using our Firebox and some casual
reading.
Eric Jensen