* Is Linux based Gateway/Firewall feasible
@ 2004-07-08 12:10 Sudheer Divakaran
  2004-07-08 12:55 ` Antony Stone
                   ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: Sudheer Divakaran @ 2004-07-08 12:10 UTC (permalink / raw)
  To: netfilter

Hi,

I've a local LAN consisting of about 150 machines.  I'm using a machine 
with Linux + IPTables as the gateway machine which in turn connects to 
two different ISPs.  My question is: can a Linux based machine match the 
performance of hardware based routers provided by Cisco, ... or is my 
decision to go for a Linux based solution a wrong one?

Is there so much difference between these two solutions?

Can I achieve the same performance using a high end PC and Linux?

I'm asking this because one guy told me that my decision to go for a 
Linux based solution is a wrong one and it can never match the 
performance of hardware based Routers.

Thanks
Sudheer



* Re: Is Linux based Gateway/Firewall feasible
  2004-07-08 12:10 Is Linux based Gateway/Firewall feasible Sudheer Divakaran
@ 2004-07-08 12:55 ` Antony Stone
  2004-07-08 14:05 ` Marco Colombo
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 10+ messages in thread
From: Antony Stone @ 2004-07-08 12:55 UTC (permalink / raw)
  To: netfilter

On Thursday 08 July 2004 1:10 pm, Sudheer Divakaran wrote:

> Hi,
>
> I've a local LAN consisting of about 150 machines.  I'm using a machine
> with Linux + IPTables as the gateway machine which in turn connects to
> two different ISPs.  My question is: can a Linux based machine match the
> performance of hardware based routers provided by Cisco, ... or is my
> decision to go for a Linux based solution a wrong one?

Are we talking about routing performance, or firewall capabilities here?

Cisco is well known as a high-cost supplier of router hardware, which (at the 
highest costs) is very high performance.

Netfilter is a high-reliability, high-security and flexible firewall solution 
(with zero cost for the software, but non-zero cost for the hardware and the 
configuration expertise).

150 machines is not many - however the important question is how much traffic 
they generate through the firewall.

> Is there so much difference between these two solutions?

There are many differences - cost, performance, flexibility, support, bug 
fixes, warranty, brand-name....

You have to decide which of these you want, and which you don't, before the 
choice becomes clear.

I would say, if you want a firewall with low cost, good performance, high 
flexibility, widespread technical support, rapid bug fixes, no warranty, and 
the "netfilter / Linux" brand name, then choose netfilter.

If you want a high cost router, especially for very high performance (or 
medium cost for surprisingly low performance), less flexibility, single-point 
support, slower bug-fixes, hardware warranty, and the "Cisco" brand name, 
then choose Cisco.

> Can I achieve the same performance using a high end PC and Linux?

Same as what?

> I'm asking this because one guy told me that my decision to go for a
> Linux based solution is a wrong one and it can never match the
> performance of hardware based Routers.

Well, what do you want to do with it?   Do you have an Internet connection 
faster than 100 Mbps?   If not, then Linux / netfilter will easily do what 
you want.   If yes, then you will need to pay a fair amount of money for the 
hardware to run Linux / netfilter on, but you can still do it (and I'll bet 
the cost of the hardware is still less than the equivalent system from 
Cisco).

So, you can point at a $50k Cisco firewall / router and say "your P4 Linux 
box with 512Mbytes RAM can't do what that can do", and you'd be right.

However, you can point at a $1k or $2k P4 Linux box with 512Mbytes RAM and say 
"this can outperform your Cisco PIX 501".

The important question is always "what do you want to do with it?", and the 
next question is "what features are important to you (technical and 
non-technical)?"

Also, if you're interested in security, check the warranties / guarantees / 
promises made about the security of any products from a commercial vendor - 
you might be surprised at how little they differ from netfilter (which 
doesn't have a warranty or guarantee).

Hope this helps,

Antony.

-- 
Bill Gates has personally assured the Spanish Academy that he will never allow 
the upside-down question mark to disappear from Microsoft word-processing 
programs, which must be reassuring for millions of Spanish-speaking people, 
though just a piddling afterthought as far as he's concerned.

 - Lynne Truss, "Eats, Shoots and Leaves"

                                                     Please reply to the list;
                                                           please don't CC me.




* RE: Is Linux based Gateway/Firewall feasible
@ 2004-07-08 13:21 Mike O
  2004-07-08 13:38 ` Antony Stone
  0 siblings, 1 reply; 10+ messages in thread
From: Mike O @ 2004-07-08 13:21 UTC (permalink / raw)
  To: netfilter

I'd like to chime in here considering I brought this topic up a few years 
ago. From a standpoint of routing data from one subnet to another with high 
speed serial interfaces etc., nothing beats a Cisco. Cisco routers have 
special ASICs (application specific integrated circuits) that do nothing but 
routing and other features.

Now from a firewall standpoint, this is where Linux really shines. Cisco PIX 
firewalls are all based on Intel processors (even Celeron) and PC 
architecture. So any machine with a 1GHz CPU and a gig of memory should 
outperform any PIX firewall. One thing PIX does bring to the table is failover, 
but it's expensive. I think any properly configured Linux cluster could give 
PIX failover a run for their money. Price a PIX 525 against a redundant Dell or 
HP slimline with Linux and I think you will be surprised.

-Mike


>From: Sudheer Divakaran <sudheer@svw.com>
>To: netfilter@lists.netfilter.org
>Subject: Is Linux based Gateway/Firewall feasible
>Date: Thu, 08 Jul 2004 17:40:33 +0530
>
>Hi,
>
>I've a local LAN consisting of about 150 machines.  I'm using a machine 
>with Linux + IPTables as the gateway machine which in turn connects to two 
>different ISPs.  My question is: can a Linux based machine match the 
>performance of hardware based routers provided by Cisco, ... or is my 
>decision to go for a Linux based solution a wrong one?
>
>Is there so much difference between these two solutions?
>
>Can I achieve the same performance using a high end PC and Linux?
>
>I'm asking this because one guy told me that my decision to go for a Linux 
>based solution is a wrong one and it can never match the performance of 
>hardware based Routers.
>
>Thanks
>Sudheer
>





* Re: Is Linux based Gateway/Firewall feasible
  2004-07-08 13:21 Mike O
@ 2004-07-08 13:38 ` Antony Stone
  0 siblings, 0 replies; 10+ messages in thread
From: Antony Stone @ 2004-07-08 13:38 UTC (permalink / raw)
  To: netfilter

On Thursday 08 July 2004 2:21 pm, Mike O wrote:

> I'd like to chime in here considering I brought this topic up a few years
> ago. From a standpoint of routing data from one subnet to another with high
> speed serial interfaces etc., nothing beats a Cisco. Cisco routers have
> special ASICs (application specific integrated circuits) that do nothing but
> routing and other features.

That's true, however the benefits of ASICs (in this context) are throughput 
and latency.   If you don't have a high-speed (by which I mean more than 
about 10Mbps) pipe to the Internet, then throughput is not an issue (i.e. your 
firewall / router is not the bottleneck in the system), and as for latency, 
well how important is it to you really?

A Linux box with a Sangoma WAN card will happily connect directly into a high 
speed serial port on a Telco NTU, and I've yet to see any external connection 
running at less than ATM speeds (155Mbps or 625Mbps) where a Linux system 
can't handle the packets.

My feeling is that unless you're an ISP in the core of the Internet, where the 
important features are gigabit routing, dynamic routing protocol support, and 
apart from dropping a few RFC1918 addresses, you're not trying to do any 
firewalling, then you don't need to spend money on a dedicated router when a 
Linux system will do all the routing you need and supply firewalling and 
traffic control if you want it as well.

Regards,

Antony.

-- 
Wanted: telepath.   You know where to apply.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: Is Linux based Gateway/Firewall feasible
  2004-07-08 12:10 Is Linux based Gateway/Firewall feasible Sudheer Divakaran
  2004-07-08 12:55 ` Antony Stone
@ 2004-07-08 14:05 ` Marco Colombo
  2004-07-08 14:30   ` Sudheer Divakaran
  2004-07-08 14:43 ` Cedric Blancher
  2004-07-09  0:38 ` Daniel F. Chief Security Engineer -
  3 siblings, 1 reply; 10+ messages in thread
From: Marco Colombo @ 2004-07-08 14:05 UTC (permalink / raw)
  To: Sudheer Divakaran; +Cc: netfilter

On Thu, 8 Jul 2004, Sudheer Divakaran wrote:

> Hi,
> 
> I've a local LAN consisting of about 150 machines.  I'm using a machine 
> with Linux + IPTables as the gateway machine which in turn connects to 
> two different ISPs.  My question is: can a Linux based machine match the 
> performance of hardware based routers provided by Cisco, ... or is my 
> decision to go for a Linux based solution a wrong one?
> 
> Is there so much difference between these two solutions?
> 
> Can I achieve the same performance using a high end PC and Linux?
> 
> I'm asking this because one guy told me that my decision to go for a 
> Linux based solution is a wrong one and it can never match the 
> performance of hardware based Routers.

iptables is not concerned with routing. If you're comparing 
a Cisco _routing_ solution with a Linux-based one, this is the wrong
list I think. There are many things to consider: raw performance,
routing software (are you running EIGRP?) and so on, all off topic here.

Regardless, ask that guy to show you a real 'hardware based router'.
That is, remove any software (IOS) from a Cisco piece of hardware
and see how it performs. Ciscos (but high end ones only) do have
specialized hardware, so you may refer to it as "hardware-assisted
routing", no more. But they're software-based routers, too.
Again, this is quite off topic.

iptables is about filtering, NATing, mangling IP packets (am I missing
anything?). Yeah, Ciscos can do that too. But, please correct me
if I'm wrong, I'm not aware of _any_ hardware that assists them in
that. So it's not hardware-based filtering anyway. It's all in software.

The following rule:

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

which may make sense in simple setups, takes _global_ decisions;
it can hardly be "distributed" to interface processors (think of
packets belonging to the same flow that may arrive from two different
interfaces).

In the end, the right question is: how does iptables compare to IOS
access-lists? I'll leave the comparison to others. All I know is
that there's no UNIX shell running on a Cisco. There's no UNIX-like
environment. Put two lines in crontab, and have them invoke a script
that sets iptables up, passing it a parameter (night/day), in order
to implement less permissive rules at night and during weekends.
Now do the same with a Cisco. You get the idea.

.TM.
-- 
      ____/  ____/   /
     /      /       /			Marco Colombo
    ___/  ___  /   /		      Technical Manager
   /          /   /			 ESI s.r.l.
 _____/ _____/  _/		       Colombo@ESI.it
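The cron-driven day/night switch described in the message above, written out as an added example; this is not code from the thread or from the netfilter project. The interface names, LAN range, allowed ports and the script path in the crontab lines are assumptions; the stateful FORWARD rule is the one quoted in the message. Setting DRY_RUN=1 prints the commands instead of applying them, so the ruleset can be reviewed before it is installed.

```shell
#!/bin/sh
# Added example: a firewall script switched between "day" and "night"
# rulesets from cron, as Marco Colombo's message describes.
# Interface names, LAN range, ports and paths below are assumptions.
#
# Assumed crontab lines (weekday mornings open up, every evening locks
# down, so weekends stay in night mode):
#   0 8  * * 1-5  /usr/local/sbin/fw-mode.sh day
#   0 20 * * *    /usr/local/sbin/fw-mode.sh night

LAN_IF="eth0"               # assumed LAN-facing interface
WAN_IF="eth1"               # assumed ISP-facing interface
LAN_NET="192.168.1.0/24"    # assumed LAN range

# run: apply one iptables command, or print it when DRY_RUN=1 (used for
# review, and for exercising the script without root or netfilter).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Rules common to both modes: default-deny forwarding (policy set before
# the flush so the box fails closed), replies allowed by connection state
# (the rule quoted in the thread), and DNS from the LAN.
base_rules() {
    run -P FORWARD DROP
    run -F FORWARD
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
}

# Day: the LAN may open web sessions.
day_rules() {
    base_rules
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

# Night: no web rule, so new outbound sessions fall through to the DROP
# policy; log them (rate-limited) first so the attempts are visible.
night_rules() {
    base_rules
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m limit --limit 5/min -j LOG --log-prefix "fw-night-drop: "
}

# apply_mode MODE: install the ruleset for MODE; returns 2 on an unknown mode.
apply_mode() {
    case "$1" in
        day)   day_rules ;;
        night) night_rules ;;
        *)     echo "usage: $0 day|night" >&2; return 2 ;;
    esac
}

# dry_run MODE: print the commands MODE would issue, one per line.
dry_run() {
    ( DRY_RUN=1; apply_mode "$1" )
}

# Only act when a mode was given on the command line (cron passes one).
if [ $# -gt 0 ]; then
    apply_mode "$1"
fi
```

Running `DRY_RUN=1 ./fw-mode.sh night` shows the five commands the night ruleset issues without touching the kernel; the same script run from cron with a mode argument applies them.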




* Re: Is Linux based Gateway/Firewall feasible
  2004-07-08 14:05 ` Marco Colombo
@ 2004-07-08 14:30   ` Sudheer Divakaran
  2004-07-09  7:46     ` Cedric Blancher
  0 siblings, 1 reply; 10+ messages in thread
From: Sudheer Divakaran @ 2004-07-08 14:30 UTC (permalink / raw)
  To: netfilter

Hi,
    If I have misled anyone, I'm sorry.  I was talking about NATing.

Thanks,
Sudheer



Marco Colombo wrote:

>On Thu, 8 Jul 2004, Sudheer Divakaran wrote:
>
>  
>
>>Hi,
>>
>>I've a local LAN consisting of about 150 machines.  I'm using a machine 
>>with Linux + IPTables as the gateway machine which in turn connects to 
>>two different ISPs.  My question is: can a Linux based machine match the 
>>performance of hardware based routers provided by Cisco, ... or is my 
>>decision to go for a Linux based solution a wrong one?
>>
>>Is there so much difference between these two solutions?
>>
>>Can I achieve the same performance using a high end PC and Linux?
>>
>>I'm asking this because one guy told me that my decision to go for a 
>>Linux based solution is a wrong one and it can never match the 
>>performance of hardware based Routers.
>>    
>>
>
>iptables is not concerned with routing. If you're comparing 
>a Cisco _routing_ solution with a Linux-based one, this is the wrong
>list I think. There are many things to consider: raw performance,
>routing software (are you running EIGRP?) and so on, all off topic here.
>
>Regardless, ask that guy to show you a real 'hardware based router'.
>That is, remove any software (IOS) from a Cisco piece of hardware
>and see how it performs. Ciscos (but high end ones only) do have
>specialized hardware, so you may refer to it as "hardware-assisted
>routing", no more. But they're software-based routers, too.
>Again, this is quite off topic.
>
>iptables is about filtering, NATing, mangling IP packets (am I missing
>anything?). Yeah, Ciscos can do that too. But, please correct me
>if I'm wrong, I'm not aware of _any_ hardware that assists them in
>that. So it's not hardware-based filtering anyway. It's all in software.
>
>The following rule:
>
>iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>which may make sense in simple setups, takes _global_ decisions;
>it can hardly be "distributed" to interface processors (think of
>packets belonging to the same flow that may arrive from two different
>interfaces).
>
>In the end, the right question is: how does iptables compare to IOS
>access-lists? I'll leave the comparison to others. All I know is
>that there's no UNIX shell running on a Cisco. There's no UNIX-like
>environment. Put two lines in crontab, and have them invoke a script
>that sets iptables up, passing it a parameter (night/day), in order
>to implement less permissive rules at night and during weekends.
>Now do the same with a Cisco. You get the idea.
>
>.TM.
>  
>



* Re: Is Linux based Gateway/Firewall feasible
  2004-07-08 12:10 Is Linux based Gateway/Firewall feasible Sudheer Divakaran
  2004-07-08 12:55 ` Antony Stone
  2004-07-08 14:05 ` Marco Colombo
@ 2004-07-08 14:43 ` Cedric Blancher
  2004-07-09  0:38 ` Daniel F. Chief Security Engineer -
  3 siblings, 0 replies; 10+ messages in thread
From: Cedric Blancher @ 2004-07-08 14:43 UTC (permalink / raw)
  To: Sudheer Divakaran; +Cc: netfilter

On Thu 08/07/2004 at 14:10, Sudheer Divakaran wrote:
> I'm asking this because one guy told me that my decision to go for a 
> Linux based solution is a wrong one and it can never match the 
> performance of hardware based Routers.

This statement is not true regarding low-end Cisco products: my
home "good old" P233MMX performs better at routing/firewalling than a
Cisco 827 router with IOS Firewall, not to mention the price... Stressed, I
got 50Mbps total passthrough using a DLink quad ethernet adapter, a
router-optimized kernel and a rather clean ruleset, which largely exceeds
my needs...

Now, one can tell you that a Cisco 7200 series will perform far better
than a PC-architecture solution based on Linux, which will probably be
true. But the thing you should consider first is whether you need this
performance or not. I mean I could plug a 7200 into my home LAN, with
a gigabit interface, connected to a 2950 switch and so on. It will perform
far better than my Linux box. But in my context, which is a 5Mbps ADSL
link, 3 Wifi 54g laptops and 1 box, I certainly don't need this
overpowered and overpriced solution.

Now you can stress your Linux box to bench it, and see if it offers the
bandwidth and latency you need now, and fits your future evolution
plans. And don't forget a high end PC with a 64-bit PCI gigabit adapter is
often cheaper than most Cisco stuff...

Finally, you have to take into account the fact that a Linux based
solution is de facto full featured, as with a stock 2.6 kernel you have:

	. routing
	. advanced policy routing
	. QoS
	. stateful firewalling from layer 2 to layer 5
	. 802.3ad bonding (see Cisco Etherchannel)
	. 802.1q VLAN support
	. etc...

Which is not necessarily the case for Cisco routers with stock IOS, not
mentioning the fact that some Cisco routers cannot be shipped with all
available features because of too small a Flash/RAM amount.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



* Re: Is Linux based Gateway/Firewall feasible
  2004-07-08 12:10 Is Linux based Gateway/Firewall feasible Sudheer Divakaran
                   ` (2 preceding siblings ...)
  2004-07-08 14:43 ` Cedric Blancher
@ 2004-07-09  0:38 ` Daniel F. Chief Security Engineer -
  3 siblings, 0 replies; 10+ messages in thread
From: Daniel F. Chief Security Engineer - @ 2004-07-09  0:38 UTC (permalink / raw)
  To: netfilter

In my experience I would use a router and a firewall as separate devices. I 
use Juniper routers and Linux firewalls. My network pushes about 800Mbps at 
peak; we have over 4000 servers. And I have found that using Linux firewalls as 
the gateway and then having the router in front to handle all of the WAN 
connections works out best. 

hope this helps.  


On Thursday 08 July 2004 07:10, Sudheer Divakaran wrote:
> Hi,
>
> I've a local LAN consisting of about 150 machines.  I'm using a machine
> with Linux + IPTables as the gateway machine which in turn connects to
> two different ISPs.  My question is: can a Linux based machine match the
> performance of hardware based routers provided by Cisco, ... or is my
> decision to go for a Linux based solution a wrong one?
>
> Is there so much difference between these two solutions?
>
> Can I achieve the same performance using a high end PC and Linux?
>
> I'm asking this because one guy told me that my decision to go for a
> Linux based solution is a wrong one and it can never match the
> performance of hardware based Routers.
>
> Thanks
> Sudheer

-- 
"Unix IS user-friendly. It's just picky about who its friends are."
_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_
Daniel Fairchild - Chief Security Officer | danielf@supportteam.net
C I Host. 1851 Central Drive Suite 110. Bedford, TX 76021
T. 888.868.9931 ext 7103
F. 888.241.2294
http://www.cihost.com
-------------------------------------------
Privileged/Confidential Information may be contained in this message.  If
you are not the addressee indicated in this message (or responsible for
delivery of the message to such person), you may not copy or deliver this
message to anyone.  In such case, you should destroy this message and kindly
notify the sender by reply email.  Please advise immediately if you or your
employer do not consent to Internet email for messages of this kind.
Opinions, conclusions and other information in this message that do not
relate to the official business of my firm shall be understood as neither
given nor endorsed by it.



* Re: Is Linux based Gateway/Firewall feasible
  2004-07-08 14:30   ` Sudheer Divakaran
@ 2004-07-09  7:46     ` Cedric Blancher
  2004-07-09 12:35       ` Marco Colombo
  0 siblings, 1 reply; 10+ messages in thread
From: Cedric Blancher @ 2004-07-09  7:46 UTC (permalink / raw)
  To: Sudheer Divakaran; +Cc: netfilter

On Thu 08/07/2004 at 16:30, Sudheer Divakaran wrote:
>     If I have misled anyone, I'm sorry.  I was talking about NATing.

Definitely use Linux then. Of all the firewalls I have tested and used,
Netfilter is the most complete, efficient and easy-going NAT solution I
have ever seen. You can perform any kind of NAT you want, either for good or
baaaaaaad stuff :P


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



* Re: Is Linux based Gateway/Firewall feasible
  2004-07-09  7:46     ` Cedric Blancher
@ 2004-07-09 12:35       ` Marco Colombo
  0 siblings, 0 replies; 10+ messages in thread
From: Marco Colombo @ 2004-07-09 12:35 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: Sudheer Divakaran, netfilter

On Fri, 9 Jul 2004, Cedric Blancher wrote:

> On Thu 08/07/2004 at 16:30, Sudheer Divakaran wrote:
> >     If I have misled anyone, I'm sorry.  I was talking about NATing.
> 
> Definitely use Linux then. Of all the firewalls I have tested and used,
> Netfilter is the most complete, efficient and easy-going NAT solution I
> have ever seen. You can perform any kind of NAT you want, either for good or
> baaaaaaad stuff :P

For NAT, you'd better list which applications you need to support.
Some of them need (mostly due to bad design) special support on 
the NAT box. Linux won't support all of them.

Of course this is true for any NAT solution, Cisco included.
So first make sure you have all the functionality you need.

I think you may find the following link useful:
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html

.TM.
-- 
      ____/  ____/   /
     /      /       /			Marco Colombo
    ___/  ___  /   /		      Technical Manager
   /          /   /			 ESI s.r.l.
 _____/ _____/  _/		       Colombo@ESI.it



