Firewall Wizards mailing list archives
Re: Firewall Throughput
From: Darren Reed <darrenr () reed wattle id au>
Date: Tue, 12 Sep 2000 08:15:11 +1100 (EST)
In some email I received from Patrick Darden, sie wrote:
> Darren, "Cisco push it along the lines of 'you don't want unix/windows on your firewall because they're crashable'" I would like to know where they state that. It would be pretty hypocritical as the PIX has a Unix based OS (Plan 9).

http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm

Look for the words "Non-Unix" (strictly speaking, this *is* true even if it is Plan 9). They're different, they need a marketing angle, they drive it.

> "You damn well don't want a router as a firewall" I don't know of many firewalls that aren't routers as well, that includes the IP Filter you seem to like so much and even the BSD-based NOKIA running Checkpoint FW1. Application-layer proxy based firewalls usually aren't routers, but otherwise...

Router = thing which tftp's boot images, does BGP4, has no hard disk, etc. Or to put it more succinctly in this thread, a Cisco 1234 thing. You don't use unix boxes to do routing when you're serious about routing and likewise you shouldn't use routers to do firewalling when you're serious about firewalling.

If I'm really serious about security then I *will* use/recommend a proxy firewall, even in addition to anything else which is there. There are some things they offer which just can't be matched, in terms of security, by any packet-filtering based firewall.

> "I *refuse* to believe that Linux is a reliable/secure platform" No offense, but I have Solaris, BSD, AIX, and Linux running here--and all of them are stable and reliable. I had one hard-used Linux server running for almost 2 years before I recently took it down for some upgrades.

Do yourself a favour and stay ignorant of the development methodology that goes on "behind the scenes" with Linux. What are they now, 2.4.pre34-test83, and still making major architectural changes inside it. That's *insane*.

Sure, Solaris is stable, but you can't strap it down as securely as you can BSD, plus you get source code for BSD.

Darren
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards