Why would YOU use a hardware firewall?

Almost everyone uses a hardware firewall these days with broadband routers.

I think you need to clarify further which products you are trying to refer to.
 
Do I use a hardware firewall? Yes, my BT HH has one built-in.
Is it just a basic hardware firewall? Yes
Do I need anything more complicated? No
Do I need to be able to do anything the BT HH cannot? No
 
Yes I use one, it is built into my MikroTik; not technically a "hardware" box in the sense I think you are asking, OP, as I think you are asking does anyone use a "dedicated" firewall box.

I use mine for basic duties, however I will implement an additional software firewall on my soon-to-be MikroTik RB2011 set as a WAP so I can create a guest wireless network so it can only run ports 80, 443 and DNS (forgot number)
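The guest-network restriction described in the post above (web plus DNS only, nothing else) is the sort of thing the RB2011's RouterOS firewall does in a handful of filter rules. The following is an added example written for this thread, not the poster's own configuration or anything from MikroTik; the interface name wlan-guest and the private address ranges are assumptions. DNS is UDP and TCP port 53.

```routeros
# Added example (not from the thread): RouterOS firewall filter for a guest WLAN.
# Assumed interface name: wlan-guest (the guest SSID). Rule order matters in RouterOS;
# the first matching rule wins, so the drop rules sit after the accepts they carve out.

/ip firewall address-list
add list=private-lans address=10.0.0.0/8
add list=private-lans address=172.16.0.0/12
add list=private-lans address=192.168.0.0/16

/ip firewall filter
# Traffic through the router (guest -> internet).
add chain=forward in-interface=wlan-guest connection-state=established,related action=accept comment="guest: replies to sessions the guest opened"
add chain=forward in-interface=wlan-guest dst-address-list=private-lans action=drop comment="guest: no access to internal networks"
add chain=forward in-interface=wlan-guest protocol=tcp dst-port=80,443 action=accept comment="guest: HTTP/HTTPS"
add chain=forward in-interface=wlan-guest protocol=udp dst-port=53 action=accept comment="guest: DNS"
add chain=forward in-interface=wlan-guest protocol=tcp dst-port=53 action=accept comment="guest: DNS over TCP"
add chain=forward in-interface=wlan-guest action=drop comment="guest: everything else dropped"

# Traffic to the router itself (guest -> router services).
add chain=input in-interface=wlan-guest connection-state=established,related action=accept comment="guest: replies from router"
add chain=input in-interface=wlan-guest protocol=udp dst-port=67 action=accept comment="guest: DHCP so clients get an address"
add chain=input in-interface=wlan-guest protocol=udp dst-port=53 action=accept comment="guest: DNS via router resolver"
add chain=input in-interface=wlan-guest action=drop comment="guest: no WinBox, SSH, web admin etc."
```

The private-lans drop in the forward chain is what makes it a guest network rather than just a port filter: without it, port 80/443 on the main LAN's printers, NAS or router admin page would still be reachable. If guests are meant to use only the router's resolver, the two forward-chain DNS rules can be removed so that port 53 traffic to outside resolvers is dropped as well.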
 
Yes I use one, it is built into my MikroTik; not technically a "hardware" box in the sense I think you are asking, OP, as I think you are asking does anyone use a "dedicated" firewall box.

I use mine for basic duties, however I will implement an additional software firewall on my soon-to-be MikroTik RB2011 set as a WAP so I can create a guest wireless network so it can only run ports 80, 443 and DNS (forgot number)

Even the non-dedicated stuff still does most (all) of what any dedicated solution would do; the main limitation/feature set is in the network OS itself.

E.g. Vyatta, Cisco ASA etc.

Dedicated units generally offer better performance, availability, scalability and all those other yummy enterprise headliners, but they are largely for the enterprise world or large mixed environments.

The feature sets and performance of even cheap consumer-grade gear these days are above and beyond the needs of most, even business-grade connectivity. For example my £80 Ubiquiti EdgeOS unit will handle near wire-speed 1Gbit throughput with firewall and NAT.
 
Cisco ASA, Sonicwall, Netscreen etc.

Because they are generally appliances for that reason: better performance, dedicated to that role only, and not sat on top of another OS; they have an OS dedicated to the job.

They are based on an OS, i.e. Cisco ASA is based on the Cisco IOS, SonicWall on SonicOS, Netscreen on Netscreen OS.

Checkpoint is based on a Linux OS.

But it's dedicated, and it's better than having a server sat there/racked up doing the work: better performance, lower power draw than a full-powered server doing the job.

Some people virtualise firewalls and load balancers, although this is dependent on whether the vendor has a selected virtual edition release. But in most cases, in terms of firewalls, hardware is better.

I don't recall us using hardly any virtual edition firewalls, hardware usually, but we do have a mixture of hardware and virtualised load balancers (F5 for instance) for our customers.
 
Checkpoints are also not "based on Linux". The CP software blades are largely written in C and can run on Linux, Solaris, Windows, IPSO etc.

- GP
 
ASAs are NOT based on IOS, they are an evolution of PixOS.


A lot of the same structure though, only customised to the function of the box

PIXes are horrendous things; they stepped up with the ASAs

What I was trying to point out: it's better to have a dedicated hardware or virtualised appliance running what you need rather than software on top of a base OS

I have no doubt Checkpoint sits on other platforms, but its bare-metal stuff sits on Linux-based platforms, FreeBSD, Gentoo for a few examples
 
A lot of the same structure though, only customised to the function of the box

PIXes are horrendous things; they stepped up with the ASAs

The underlying engines are different. Completely, in fact, to IOS. Different in the same sort of way as NX-OS or IOS-XE to IOS. Hell, even the WLC or WAE CLI interfaces look similar, and they are totally different beasts too. The wrapper may look similar, but they are totally different.

EDIT: PIX-OS was an evolution of FinesseOS, the ASA of Linux

What I was trying to point out: it's better to have a dedicated hardware or virtualised appliance running what you need rather than software on top of a base OS

I understand what you're trying to say and your thought process, but that's not necessarily true. Checkpoint (as an example) actually inserts itself between the NIC and the OS upon installation. The fact that it has an underlying OS that allows functionality isn't compromised by the OS it's on (in theory). For examples like an ASA the situation here is literally no different; it's just all bundled up into one "image" with the OS. The process is still the same.

EDIT: I think BRS (if he is even still around) could correct me if wrong, but JunOS as an example can be installed directly into BSD too. Another example of separation between application and OS.

I have no doubt Checkpoint sits on other platforms, but its bare-metal stuff sits on Linux-based platforms, FreeBSD, Gentoo for a few examples

GAiA and SPLAT are independent of Checkpoint software. It sits on them, but CheckPoint software itself is not Linux. IPSO on the Nokias was regularly deployed just as routers back in the day, and that (before SPLAT) was the previous main underlying OS. They are not the same: CheckPoint is no more 'Linux' than VLC is 'Windows' just because it's installed on it.

Edit: Have you passed that exam yet from the other thread in the Servers Sub? If so how did it go?

- GP
 
In a similar vein, although maybe not for this thread but what the hell.

What do people prefer with their IPS if they are using them (talking more in a corp env than home): bundled in with your firewall, or a dedicated appliance, be it hardware or virtualised?
 
Cheers. Working with IPS stuff, I'm always interested to hear what people are using or looking at, and the reasons why :)

Any particular reason why Juniper and HP? Don't have to answer, just curious!
 