On Fri, Apr 03, 1998 at 03:18:05PM -0600, Eric L. Green <[EMAIL PROTECTED]> wrote:
: On Wed, 1 Apr 1998, Fred Leeflang wrote:
: >     In the company I work for, we're considering setting up a Linux
: > firewall. I do have some experience with it, know how to create firewall
: > rules and such, but I've never had the opportunity to see how well
: > Linux holds up as a firewall under high loads. The system we're thinking
: 
: Personally I would not use Linux to do NAT and packet filtering. Most
: modern routers do NAT and packet filtering just fine (albeit at additional
: expense) and generally have specialized hardware and software to do just
: that at great speed. Linux would mostly be useful as a proxy host for the
: remainder of tasks (e.g., as an HTTP web page cache). If you're using NAT
: to run your internal network as a separate network, Linux makes a nice
: "bastion host". 

I tend to agree with the above...  However, there's a LOT more to
firewalling than packet filtering.  Do you have several offices you want 
to connect without setting up private connections?  Hook each one up to the 
net and do a VPN.  Do you want to give remote users access to corporate 
resources?  Authenticate at the firewall, and encrypt the session.

My company has been installing quite a few of the Ipsilon (now Nokia)
IP 400 at client sites.  This is a self-contained box that runs FreeBSD
as its OS, and runs the CheckPoint Firewall-1 code on top.  The box is
truly easy to hand off to people who aren't Unix propeller heads, like
us, as configuration of everything (except the firewall rule base) is
done through a web browser.  Set up interfaces, add && delete routes,
even set up routing protocols via a web browser.  They're so easy 
to configure, it's scary...

Linux makes a dynamite solution if you need to do web caching for a small
to mid-size LAN, and don't have need for authentication, encryption
or VPNs...  Since Ipsilon did a FreeBSD port of FW-1, perhaps a Linux
port is possible, if enough interest is shown...


-- 
Jason Costomiris <><            | Linux...
[EMAIL PROTECTED]              | "Find out what you've been missing 
http://www.jasons.org/~jcostom/ | while you've been rebooting Windows NT."
#include <disclaimer.h>         |         --Infoworld


-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
         To unsubscribe: mail [EMAIL PROTECTED] with 
                       "unsubscribe" as the Subject.
