Velocity Reviews - Computer Hardware Reviews

iptables vs Cisco

 
 
Man-wai Chang ToDie
11-23-2007

If there is a hardware-based Linux iptables router, would it hurt
Cisco's business?

--
@~@ Might, Courage, Vision, SINCERITY.
/ v \ Simplicity is Beauty! May the Force and Farce be with you!
/( _ )\ (Xubuntu 7.04) Linux 2.6.23.8
^ ^ 18:06:01 up 4 days 22:28 0 users load average: 1.06 1.04 1.00
news://news.3home.net news://news.hkpcug.org news://news.newsgroup.com.hk
 
Doug McIntyre
11-23-2007
Man-wai Chang ToDie <(E-Mail Removed)> writes:
>If there is a hardware-based Linux iptables router, would it hurt
>Cisco's business?


Isn't that called a Watchguard firewall?
(And numerous other lesser-known brands).

A lot of low-end boxes run embedded Linux, and use iptables for their
firewall portion.
 
Man-wai Chang ToDie
11-24-2007
> Isn't that called a Watchguard firewall?
> (And numerous other lesser-known brands).


Thanks

> Alot of low-end boxes run embedded linux, and use iptables for their
> firewall portion..


So feature-wise, is iptables comparable to Cisco's firewall?


 
alexd
11-24-2007
Man-wai Chang ToDie wrote:

>> Isn't that called a Watchguard firewall?
>> (And numerous other lesser-known brands).

>
> Thanks
>
>> Alot of low-end boxes run embedded linux, and use iptables for their
>> firewall portion..

>
> So feature-wise, is iptables comparable to Cisco's firewall?


It depends what you mean by firewall. Do you literally mean a set of ACLs?
If that's the case, then yes, they are broadly comparable. There's even a
bit of software that can produce Cisco ACLs, iptables rules and pf [BSD]
rules from the same rule set.

Or do you mean a piece of hardware with LAN and WAN interfaces that can
control access and provide VPN services etc? Linux can do a lot of what a
Cisco firewall can do. In fact I wouldn't be surprised if ASAs are running
embedded Linux, with all you get from Cisco being a name and a set of
management tools.

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
11:00:41 up 12 days, 23:39, 2 users, load average: 0.34, 0.30, 0.17
50,000 watts of funking power
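A sketch of the "one rule set, three back-ends" idea alexd mentions, added here as an example; it is not from the original thread nor from any of the tools it refers to. The vendor-neutral Rule format, the extended ACL number 101 and the iptables FORWARD chain are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp" or "udp"
    src: str                 # CIDR prefix; 0.0.0.0/0 means any
    dst: str
    dport: Optional[int] = None

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError(f"bad action {self.action!r}")
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError("a destination port needs tcp or udp")
        ip_network(self.src), ip_network(self.dst)  # reject malformed prefixes

def _cisco_addr(net):
    # Cisco ACLs use inverted wildcard masks plus "any"/"host" shorthand
    n = ip_network(net)
    if n.prefixlen == 0:
        return "any"
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.hostmask}"

def to_cisco(rule, acl=101):
    port = f" eq {rule.dport}" if rule.dport is not None else ""
    return (f"access-list {acl} {rule.action} {rule.proto} "
            f"{_cisco_addr(rule.src)} {_cisco_addr(rule.dst)}{port}")

def to_iptables(rule, chain="FORWARD"):
    target = "ACCEPT" if rule.action == "permit" else "DROP"
    parts = [f"iptables -A {chain}"]
    if rule.proto != "ip":
        parts.append(f"-p {rule.proto}")
    parts += [f"-s {rule.src}", f"-d {rule.dst}"]
    if rule.dport is not None:
        parts.append(f"--dport {rule.dport}")
    parts.append(f"-j {target}")
    return " ".join(parts)

def to_pf(rule):
    act = "pass" if rule.action == "permit" else "block"
    proto = f" proto {rule.proto}" if rule.proto != "ip" else ""
    src, dst = ("any" if ip_network(a).prefixlen == 0 else a for a in (rule.src, rule.dst))
    port = f" port {rule.dport}" if rule.dport is not None else ""
    return f"{act} in{proto} from {src} to {dst}{port}"
```

Each back-end preserves rule order, but the implicit final deny differs: a Cisco ACL denies anything unmatched by itself, while iptables and pf fall through to the chain policy or a trailing block rule, so a translator should emit that final deny explicitly.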

 
 
Man-wai Chang ToDie
11-24-2007
> Or do you mean a piece of hardware with LAN and WAN interfaces that can
> control access and provide VPN services etc? Linux can do a lot of what a
> Cisco firewall can do. In fact I wouldn't be surprised if ASAs are running
> embedded Linux, with all you get from Cisco being a name and a set of
> management tools.


Shouldn't that virtual LAN stuff be separated into another switch? I
meant not overloading one device to do everything....

 
Man-wai Chang ToDie
11-24-2007
> Shouldn't those virtual LAN stuff be separated into another switch? I
> meant not overloading one device to do everything....


Specialization also guarantees better security, I *suspect*....

 
Man-wai Chang ToDie
11-24-2007
Man-wai Chang ToDie wrote:
>> Shouldn't those virtual LAN stuff be separated into another switch? I
>> meant not overloading one device to do everything....

>
> Specialization also guarantees better security, I *suspect*....
>


Just like politics, power is divided among people...

 
Łukasz Bromirski
11-24-2007
alexd wrote:

> Or do you mean a piece of hardware with LAN and WAN interfaces that can
> control access and provide VPN services etc? Linux can do a lot of what a
> Cisco firewall can do.


In most cases, iptables vs CBAC/zone-based firewall (there are
actually two stateful firewalls in IOS already) are comparable. The
devil is in the details - IOS has a broad set of application/protocol
specific plugins which identify protocols and then allow you to put
some additional checks on the logic of the transmission.

What's more important is the integration of other features with the
firewall - IPsec (with static and dynamic tunnels, and without tunnels
at all - GET) and SSL VPNs, VRFs, NBAR/FPM, CoPP, QoS, unicast &
multicast routing, voice technologies, IP SLA features, MPLS
capabilities, NetFlow, OER/PfR, IPS and a load of other stuff. Depending
on the scenario you don't need all of this, or you need just a
selection of it, but at the end of the day it's a single image,
ready to run from boot (IOS) vs configuring/installing (a Linux box,
even if some custom distro). There are a lot of people who will tell you
the first scenario is better, and a lot who will say the second one is
better - a lot of it depends on who's gonna run this and how much time
can be spent on actually keeping it running. But I understand the
question (iptables vs Cisco) was a purely academic one
('get me a list with checkboxes and I'll decide which one is the
better one').

> In fact I wouldn't be surprised if ASAs are running
> embedded Linux, with all you get from Cisco being a name and a set of
> management tools.


Actually, from 8.0 onwards, Cisco ASA runs a Linux kernel, but it's
used only for starting up the box and doing some I/O work - ASA/PIX
specific code runs as a task and performs all the features of the box
by itself. So no shell, no iptables, no KDE.

--
"Don't expect me to cry for all the | Łukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net
 
 
Helge Olav Helgesen
11-24-2007
Hello Man-wai Chang ToDie,

> If there is a hardware-based Linux iptables router, would it hurt
> Cisco's business?


Fortinet have some firewalls running Linux. All devices also have hardware
based acceleration. I am not sure if firewalling is hardware/ASIC or Linux.

---
Helge Olav Helgesen
http://www.helge.net



--
Posted via a free Usenet account from http://www.teranews.com

 
 
Helge Olav Helgesen
11-24-2007
Hello Man-wai Chang ToDie,

> So feature-wise, is iptables comparable to Cisco's firewall?


Linux iptables has lots of features and extensive modules. You can
do lots of cool stuff with it once you have learned the inner workings
of iptables.

The reason I do not use Linux is problems with unstable dynamic routing -
zebra. I hope those problems are fixed now. I had to switch a few years ago.