Is Linux IPTABLES firewall comparable with license Firewall

Is Linux IPTABLES firewall comparable with license Firewall

[ads nat]

Hi,
I don't know whether this is right list for my
question.

I am facing basic problem while convincing to users. I
have implemented IPTABLES firewall on my Linux 8.0
server. I am frequently asked by users which
firewall/security measures are taken for my network.
My competitors use Checkpoint Firewall. 
Can somebody guide me how to convince my users that
Linux IPTABLES Firewall is technically at par with
commercial Firewall such as checkpoint.

Also if same security policies are adopted for
IPTABLES and checkpoint, Is IPTABLES technically at
par with commercial FIREWALLs?

Thanks




__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: Is Linux IPTABLES firewall comparable with license Firewall

[Joel]

Linux based products generally use iptables for firewall.
i dont know much checkpoint.
firewall using iptables is mostly used on the internet..
if u know what u want to open and what u have to block then iptables is the
ultimate choice.
i dont have issues with it.

joel

----- Original Message -----
From: "ads nat" <adsnat@yahoo.com>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, October 18, 2003 2:48 PM
Subject: Is Linux IPTABLES firewall comparable with license Firewall


> Hi,
> I don't know whether this is right list for my
> question.
>
> I am facing basic problem while convincing to users. I
> have implemented IPTABLES firewall on my Linux 8.0
> server. I am frequently asked by users which
> firewall/security measures are taken for my network.
> My competitors use Checkpoint Firewall.
> Can somebody guide me how to convince my users that
> Linux IPTABLES Firewall is technically at par with
> commercial Firewall such as checkpoint.
>
> Also if same security policies are adopted for
> IPTABLES and checkpoint, Is IPTABLES technically at
> par with commercial FIREWALLs?
>
> Thanks
>
>
>
>
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com
>

RE: Is Linux IPTABLES firewall comparable with license Firewall

[Mark E. Donaldson]

If you're looking for a technical whitepaper with comparative performance
statistics, there is none that I am aware of.  I think to really understand
the power, capabilities, and flexibility of IPTables/netfilter, you have to
use.  Having done that, it then becomes apparent that it can do anything
Checkpoint can, and perhaps more.  Then you ask:  How much did I pay for
IPTables/netfilter, and how much did they pay for Checkpoint?  Case closed.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of ads nat
Sent: Saturday, October 18, 2003 2:18 AM
To: netfilter@lists.netfilter.org
Subject: Is Linux IPTABLES firewall comparable with license Firewall


Hi,
I don't know whether this is right list for my
question.

I am facing basic problem while convincing to users. I
have implemented IPTABLES firewall on my Linux 8.0
server. I am frequently asked by users which
firewall/security measures are taken for my network.
My competitors use Checkpoint Firewall.
Can somebody guide me how to convince my users that
Linux IPTABLES Firewall is technically at par with
commercial Firewall such as checkpoint.

Also if same security policies are adopted for
IPTABLES and checkpoint, Is IPTABLES technically at
par with commercial FIREWALLs?

Thanks




__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Re: Is Linux IPTABLES firewall comparable with license Firewall

[Josh Berry]

I don't know if anyone has read the latest Information Security magazine,
but they do a comparison between IPTables and Checkpoint.  To sum up the
article, IPTables has the same functionality and can potentially perform
better if properly setup, however Checkpoint is (obviously) much easier to
manage.  So if you have the technical knowledge to maintain the firewall,
I would go with IPTables.  With IPTables you can also take advantage of
many other add-on's that would cost thousands of dollars to implement
otherwise such as QoS control with tc, full-featured routing with iproute2
and IPS functionality with Snort-Inline.


> Hi,
> I don't know whether this is right list for my
> question.
>
> I am facing basic problem while convincing to users. I
> have implemented IPTABLES firewall on my Linux 8.0
> server. I am frequently asked by users which
> firewall/security measures are taken for my network.
> My competitors use Checkpoint Firewall.
> Can somebody guide me how to convince my users that
> Linux IPTABLES Firewall is technically at par with
> commercial Firewall such as checkpoint.
>
> Also if same security policies are adopted for
> IPTABLES and checkpoint, Is IPTABLES technically at
> par with commercial FIREWALLs?
>
> Thanks
>
>
>
>
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com
>
>


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry@linknet-solutions.com

Re: Is Linux IPTABLES firewall comparable with license Firewall

[Stephen Satchell]

At 02:18 AM 10/18/2003 -0700, ads nat wrote:
>My competitors use Checkpoint Firewall.
>Can somebody guide me how to convince my users that
>Linux IPTABLES Firewall is technically at par with
>commercial Firewall such as checkpoint.
>
>Also if same security policies are adopted for
>IPTABLES and checkpoint, Is IPTABLES technically at
>par with commercial FIREWALLs?

I run sites with Linux firewalls, and I run sites using SonicWall SOHO 
10s.  During a client demo a year ago, I mentioned I did both, that each 
has their strengths and weaknesses, and at one site I did both in 
tandem.    I use a standard set of rules in both sets of products, with 
customization where needed to fit particular client needs.

One customer wanted to know "what's the difference" between the commercial 
firewall appliance and the one I build using Linux.  So out came my copy of 
nmap, and I showed how both types of systems prevented break-in 
attempts.  The results were a little difference with each product, of 
course, but the customer was convinced that "goodness" wasn't a selection 
criterion.  Instead, he focused his attention where it was really needed, 
the workload and bandwidth the firewall had to handle.

(N.B.:  How that one worked out:  space was also a consideration, and the 
customer felt that the SOHO 50, the bigger brother to the SOHO 10, would 
fit physically better for his needs.  I don't like notebook cases at all, 
even when I'm running Pentium 166 chips, so I didn't argue.  If he had had 
the room for a 1U box, the Linux solution would have won, and may still win 
yet if he doesn't stop growing soon.)




-- 
If the automobile had followed the same development as the computer, a 
Rolls-Royce would today cost $100, get a million miles per gallon, and 
explode once a year killing everyone inside.  --Robert Cringely  

Re: Is Linux IPTABLES firewall comparable with license Firewall

[Matt Hellman]

ads nat wrote:
> Hi,
> I don't know whether this is right list for my
> question.
> 
> I am facing basic problem while convincing to users. I
> have implemented IPTABLES firewall on my Linux 8.0
> server. I am frequently asked by users which
> firewall/security measures are taken for my network.
> My competitors use Checkpoint Firewall. 
> Can somebody guide me how to convince my users that
> Linux IPTABLES Firewall is technically at par with
> commercial Firewall such as checkpoint.
> 
> Also if same security policies are adopted for
> IPTABLES and checkpoint, Is IPTABLES technically at
> par with commercial FIREWALLs?
> 
> Thanks
> 
> 
> 
> 
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com

netfilter is best suited for configurations in small to medium 
enteriprises IMHO (it is also an excellent host based firewall). 
Commerial firewalls have significant advantages...they come out of the 
box with top-notch gui management capabilities, fail-over, vpn and 
application-level services which support multiple authentication 
sources.  Some of this can be accomplished on a netfilter box, but not 
without significant effort to configure and maintain.

The greatest advantage netfilter has is that it runs on a Linux box 
which gives it a tremendous amount of flexibility.  You can do some 
things on a Linux box that you wouldn't dream of on a commercial 
firewall. Of course, some see this as a distinct disadvantage compared 
to an appliance;-)

Anymore, I'm having a tough time recommending a PC running Linux versus 
some of the entry level commercial firewalls, like a Pix, that can be 
had for under $1000, if for no other reason that it will be FAR less 
likely to have a hardware failure. If you're customers aren't 
satifisfied with your using netfilter on Linux, buy an inexpensive cisco 
Pix...I'm sure the name "Cisco" will impress them;-)

Goodluck,
Matt

Re: Is Linux IPTABLES firewall comparable with license Firewall

[Bent Mathiesen]

I would say that only one thing come in mind for commercial solutions:

I work in an enterprise business, there we use sunscreens, checkpoint version 
4-NG(FP3)+prover-1, Pix, ipchains, etc.

For checkpoint, it is the resent gui version, that enable to look into details 
of a larger rulesbase (N*100 customer base). However, I would say, that the 
quality/stability of the gui software itself is --- at the same level at it 
always have been....

The second, and most important, is options for HA (high awailabillity).


However, I do not think the quality of the software and hardware from 
top-vendors is that good. I can give plenty of examples of checkpoint 
software/fw problems and hardware failure of Cisco.

And we have used ipchains for years to protect Checkpoint boxes!!
(the hardware is old pc stuff and have been the most stable of it all).

(I would use iptables and PF more if possible - however, as an enterprise, you 
have to have the right names on the official papers).


The above is my personal observation and oppinions and not those of the 
company I work for.


Best regards

  Bent Mathiesen



On Monday 20 October 2003 02:36, Matt Hellman wrote:
> ads nat wrote:
> > Hi,
> > I don't know whether this is right list for my
> > question.
> >
> > I am facing basic problem while convincing to users. I
> > have implemented IPTABLES firewall on my Linux 8.0
> > server. I am frequently asked by users which
> > firewall/security measures are taken for my network.
> > My competitors use Checkpoint Firewall.
> > Can somebody guide me how to convince my users that
> > Linux IPTABLES Firewall is technically at par with
> > commercial Firewall such as checkpoint.
> >
> > Also if same security policies are adopted for
> > IPTABLES and checkpoint, Is IPTABLES technically at
> > par with commercial FIREWALLs?
> >
> > Thanks
> >
> >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > The New Yahoo! Shopping - with improved product search
> > http://shopping.yahoo.com
>
> netfilter is best suited for configurations in small to medium
> enteriprises IMHO (it is also an excellent host based firewall).
> Commerial firewalls have significant advantages...they come out of the
> box with top-notch gui management capabilities, fail-over, vpn and
> application-level services which support multiple authentication
> sources.  Some of this can be accomplished on a netfilter box, but not
> without significant effort to configure and maintain.
>
> The greatest advantage netfilter has is that it runs on a Linux box
> which gives it a tremendous amount of flexibility.  You can do some
> things on a Linux box that you wouldn't dream of on a commercial
> firewall. Of course, some see this as a distinct disadvantage compared
> to an appliance;-)
>
> Anymore, I'm having a tough time recommending a PC running Linux versus
> some of the entry level commercial firewalls, like a Pix, that can be
> had for under $1000, if for no other reason that it will be FAR less
> likely to have a hardware failure. If you're customers aren't
> satifisfied with your using netfilter on Linux, buy an inexpensive cisco
> Pix...I'm sure the name "Cisco" will impress them;-)
>
> Goodluck,
> Matt

-- 
Bent Mathiesen

bent@oriad.net

RE: Is Linux IPTABLES firewall comparable with license Firewall

[Daniel Chemko]

I am making the assumptions that you have someone on staff to take care of the firewall as much as it needs to be. Also, you should have internal security checking with IDS's and systems integrity checking with something like tripwire. The two systems should be more or less equalent in these terms.

Where you do see the difference is checkpoints more exotic firewall functions like authentication services and more importantly, they have a much more entrenched application layer support suite. We have to look externally to handle app protocols. For them, much of it is built in.

That is on the purely security standpoint. There are other advantages here and there between Comercial and netfilter firewalls. Personally, I find the difference in PRICE to be the most distinctive difference.