creating a DMZ -- seeking firewall advice

Josh Coates jcoates at archive.org
Tue Mar 8 13:41:54 MST 2005


not to be butthead or anything, but..

>it's possible that a cisco box, running their embedded IOS instead of linux
>would be a touch faster

highly unlikely.

>there are several advantages to having a DMZ for your webservers and hiding
>the application and database servers on the inside, don't you think?

of course.

>Having hardware appliances might make it easier to configure

this has nothing to do with 'hardware'.  but, yes, appliances are typically
easier to configure.  but then again, iptables isn't that hard to set up.

>No need to worry about patching/locking down anything else, like you'd have
>to consider with a linux box.

run debian stable and simply use iptables to lock everything down.  it's
really, really easy.

>ever tried to cut down a tree with a swiss-army knife saw-blade?

no.

okay, so it sounds like the summary is:
"i don't have time/energy to invest in learning how to do this with linux,
so i'm going to throw money at the problem to make my life easier - does
anyone know of a firewall appliance?"

this is a *perfectly valid* reason for wanting an appliance, but this is
your reasoning, no?  i was just curious about any specific reasons you had
for not just using iptables, because i'm sure there must be some good
reasons for it (i've recently been told that iptables doesn't work well w/
multiple vpn sessions for example.)

sounds like you should just go w/ pix - but at least buy 'em from ebay. ;-)

Josh Coates
http://www.jcoates.org

-----Original Message-----
From: plug-bounces at plug.org [mailto:plug-bounces at plug.org]On Behalf Of
Ryan Byrd
Sent: Tuesday, March 08, 2005 11:50 AM
To: Provo Linux Users Group Mailing List
Subject: Re: creating a DMZ -- seeking firewall advice


> but hey, you may actually *need* to upgrade for a good reason - but what
> *exactly* do you need that your iptables boxes cannot provide for you (aside
> from the feel-good cisco brand) ?

well, it's possible that a cisco box, running their embedded IOS
instead of linux would be a touch faster, but regardless of whether
it's two linux boxes running iptables or two hardware firewalls, there
are several advantages to having a DMZ for your webservers and hiding
the application and database servers on the inside, don't you think?
Having hardware appliances might make it easier to configure, too,
because, well, all the hardware firewall does is, packet filter. No
need to worry about patching/locking down anything else, like you'd
have to consider with a linux box. In a very over-general sense, too,
dedicated tools seem to work better than multipurpose ones (ever tried
to cut down a tree with a swiss-army knife saw-blade?)

so, does anyone have any experience with hardware firewalls?

mrb
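A minimal three-legged DMZ of the kind both posts describe (web server in the DMZ, application and database servers kept inside, iptables locking everything else down), as an added example that is not part of either message. The interface names, addresses and the database port are assumed for illustration; the ruleset is emitted in iptables-restore format so it can be reviewed before it is applied atomically.

```shell
#!/bin/sh
# Hypothetical three-legged DMZ firewall: eth0 = internet, eth1 = DMZ, eth2 = LAN.
# All addresses below are constructed example values, not a real deployment.
WAN_IF=eth0; DMZ_IF=eth1; LAN_IF=eth2
DMZ_NET=192.0.2.0/24;  WEB=192.0.2.10         # public-facing web server
LAN_NET=10.0.0.0/24;   DB=10.0.0.20; DB_PORT=5432   # database stays inside

# Emit the complete ruleset; iptables-restore applies it as one atomic unit,
# so the box is never left in a half-configured state.
dmz_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $LAN_IF -s $WEB -d $DB -p tcp --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN DROP: "
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
EOF
}

# Sanity check for review: count the rules that let DMZ traffic into the LAN.
# Exactly one (web server -> database port) is expected; anything more means
# a compromised DMZ host gets a wider path inside than intended.
dmz_to_lan_accepts() {
    dmz_rules | grep -c -- "-i $DMZ_IF -o $LAN_IF .* -j ACCEPT"
}

# Apply (as root) with:  dmz_rules | iptables-restore
```

The FORWARD rule for inbound web traffic matches on the DNAT'd destination because nat PREROUTING runs before the filter FORWARD chain; the DMZ-to-LAN LOG rule gives you a record of anything in the DMZ probing the inside.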