Linux Firewalls

I've been considering switching my company's production firewall from FreeBSD and OpenBSD to Linux. The reason is that having so many different flavors of Unix on our production network (FreeBSD, OpenBSD, Solaris, and Linux) makes things more difficult to manage from a standardized perspective. I really like OpenBSD firewalls. The OS is clean, the code is tight, very small, and very secure. But having one flavor of Unix (namely Linux) would make things a lot simpler to manage. I've also been considering other firewalls from Cisco and Checkpoint (I think I'll stay away from Raptor). I wanted to know everyone's opinions about using Linux for a commercial firewall in a corporate/production environment. If anyone out there uses it, has comments, suggestions, or bad experiences, I could really use the input from other admins. Thanks.

Well, I do have to say, if it ain't broken, why fix it? But if you really want to switch away from OpenBSD, I agree with staying away from Raptor. I personally would stay away from Checkpoint as well. I haven't seen many problems with the Cisco Pix systems, and a few of our firewalls at work are in fact Pix.

If you really want to check out Linux firewalling, see here:

It gives some good information on iptables (the newest and greatest from the 2.4.* kernel). Iptables gives you many, many new abilities over previous incarnations of Linux firewalling.

You can spoof your true operating system and version, a move in the direction of stateful packet filtering, and more! If you decide to go the way of Linux, I think you'll do fine, provided you study up and do some testing before placing it in production.

If you have some time, AntiOnline put out an article the other day,

PIX has an issue with SMTP traffic: it will allow traffic through and may allow for compromise on mis-configured or older SMTP setups. There is no workaround nor any fix; Cisco is suggesting using another way of securing your SMTP server.

Sorry for what seems like a bit of a dig, it's not meant as such,

I agree with the previous poster, if it ain't broke, don't fix it, but if you really want to change, keep in mind:
Linux (as of ipchains, not sure with iptables) is a fast firewall; it reads from the bottom up on the rules file and the first match counts. This makes for fast processing.

BSD uses Berkeley Packet Filter and reads from the top down with a last-match-counts ideal. This is slower, but it is much more thorough. That packet will pass through every rule applicable to itself and see what matches and what doesn't. The read is also from the top down; this is a much more understandable format to write rules in (for most, anyway).
It comes down to what you want to be saddled with, and which one can you config better/recover faster? Assuming this is your firewall, I am also assuming that you'll want to run Snort or something equally useful inside. A firewall is only a barrier, an IDS is a tool.

Now, if I could go religious on you for a minute...

I've heard from many of the Linux advocates that I work with that "standardizing on one operating system is EXACTLY what is wrong with the Windows approach," and that is why they champion Open Source and Linux. Why then does EVERY ONE of them want EVERYONE to run EVERYTHING on Linux?!?! Isn't that really the same crap in a different pile? I'm not down on Linux, and I don't hate Microsoft; they have done some things I think are fine, but I really think that some of the zealots I work with (I'm not inclusive, I'm only ranting about the ones I know) ought to take a look at what they are saying and compare it to the Microsoft literature. They might be surprised at how alike they sound in some respects.

I'll get down now,

loadc
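The post above contrasts two rule-matching disciplines, "first match counts" and "last match counts". The toy evaluator below (an added example, not code from this thread or from any firewall project) runs one constructed ruleset through both disciplines to show that the same rule list can give different verdicts, which is the main thing to check when porting rules between filters that disagree on ordering. The Rule and Packet types, the rules and the addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR, or "any"
    dport: Optional[int]   # destination port, None = any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule accepts the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    return rule.dport is None or rule.dport == pkt.dport

def first_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First-match discipline: evaluation stops at the first matching rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

def last_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """Last-match discipline: every rule is consulted; the last match decides."""
    decision = default
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
    return decision

# Constructed ruleset in the "broad block first, narrower exceptions below" style.
RULES = [
    Rule("block", "any", "any", None),            # catch-all block
    Rule("pass", "tcp", "any", 25),               # let SMTP in ...
    Rule("block", "tcp", "10.0.0.0/8", 25),       # ... except from one range
]

def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (first-match verdict, last-match verdict) for the same packet."""
    return first_match(RULES, pkt), last_match(RULES, pkt)

if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.5", 25), Packet("tcp", "10.1.2.3", 25)):
        print(pkt, "first/last:", compare(pkt))
```

Under first-match the catch-all at the top shadows every later rule, so SMTP from 203.0.113.5 is blocked; under last-match the same list lets it through while still blocking the 10.0.0.0/8 range.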