iptables vs Cisco

Discussion in 'Cisco' started by Man-wai Chang ToDie, Nov 23, 2007.

  1. If there is a hardware-based Linux iptables router, would it hurt
    Cisco's business?

    --
    @~@ Might, Courage, Vision, SINCERITY.
    / v \ Simplicity is Beauty! May the Force and Farce be with you!
    /( _ )\ (Xubuntu 7.04) Linux 2.6.23.8
    ^ ^ 18:06:01 up 4 days 22:28 0 users load average: 1.06 1.04 1.00
    news://news.3home.net news://news.hkpcug.org news://news.newsgroup.com.hk
    Man-wai Chang ToDie, Nov 23, 2007
    #1
  2. Man-wai Chang ToDie <> writes:
    >If there is a hardware-based Linux iptables router, would it hurt
    >Cisco's business?


    Isn't that called a Watchguard firewall?
    (And numerous other lesser-known brands).

    A lot of low-end boxes run embedded linux, and use iptables for their
    firewall portion..
    Doug McIntyre, Nov 23, 2007
    #2
  3. > Isn't that called a Watchguard firewall?
    > (And numerous other lesser-known brands).


    Thanks

    > A lot of low-end boxes run embedded linux, and use iptables for their
    > firewall portion..


    So feature-wise, is iptables comparable to Cisco's firewall?


    --
    @~@ Might, Courage, Vision, SINCERITY.
    / v \ Simplicity is Beauty! May the Force and Farce be with you!
    /( _ )\ (Xubuntu 7.04) Linux 2.6.23.8
    ^ ^ 11:57:01 up 5 days 16:19 0 users load average: 1.01 1.04 1.01
    news://news.3home.net news://news.hkpcug.org news://news.newsgroup.com.hk
    Man-wai Chang ToDie, Nov 24, 2007
    #3
  4. Man-wai Chang ToDie wrote:

    >> Isn't that called a Watchguard firewall?
    >> (And numerous other lesser-known brands).

    >
    > Thanks
    >
    >> A lot of low-end boxes run embedded linux, and use iptables for their
    >> firewall portion..

    >
    > So feature-wise, is iptables comparable to Cisco's firewall?


    It depends what you mean by firewall. Do you literally mean, a set of ACLs?
    If that's the case, then yes, they are broadly comparable. There's even a
    bit of software that can produce Cisco ACLs, iptables rules and pf [BSD]
    rules from the same rule set.

    Or do you mean a piece of hardware with LAN and WAN interfaces that can
    control access and provide VPN services etc? Linux can do a lot of what a
    Cisco firewall can do. In fact I wouldn't be surprised if ASAs are running
    embedded Linux, with all you get from Cisco being a name and a set of
    management tools.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    11:00:41 up 12 days, 23:39, 2 users, load average: 0.34, 0.30, 0.17
    50,000 watts of funking power
    alexd, Nov 24, 2007
    #4
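    alexd mentions a tool that emits Cisco ACLs, iptables rules and pf rules from one rule set. The script below is an added example written for this thread, not that tool and not code from any poster: it renders one small vendor-neutral rule set as a Cisco extended ACL and as iptables commands, which is the sense in which the two are "broadly comparable" as permit/deny lists. The Rule class, the function names and the sample rules are all constructed for the example.

```python
"""Render one vendor-neutral rule set as a Cisco extended ACL and as iptables
commands. Added example for this thread; hypothetical names throughout."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

ACTIONS = {"permit": "ACCEPT", "deny": "DROP"}          # ACL verb -> iptables target
PROTOS = {"tcp": "tcp", "udp": "udp", "icmp": "icmp", "ip": "all"}  # ACL proto -> -p


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                      # CIDR prefix; 0.0.0.0/0 means any
    dst: str
    dport: Optional[int] = None   # destination port, tcp/udp only

    def __post_init__(self) -> None:
        # Reject rules that neither target could express, before rendering.
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.proto not in PROTOS:
            raise ValueError(f"unknown protocol {self.proto!r}")
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError("a port only makes sense for tcp or udp")
        ip_network(self.src)      # raises ValueError on a malformed prefix
        ip_network(self.dst)


def _cisco_addr(cidr: str) -> str:
    """Cisco ACLs write an address as 'any', 'host X', or network + wildcard mask."""
    net = ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def to_cisco_acl(name: str, rules: List[Rule]) -> List[str]:
    """Named extended ACL. The implicit 'deny ip any any' at the end is part
    of ACL semantics and is therefore not emitted."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        line = f" {r.action} {r.proto} {_cisco_addr(r.src)} {_cisco_addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


def to_iptables(chain: str, rules: List[Rule]) -> List[str]:
    """Same rules as iptables commands. A chain has no implicit deny, so the
    policy of the (built-in) chain is set to DROP first to match the ACL."""
    lines = [f"iptables -P {chain} DROP"]
    for r in rules:
        parts = ["iptables", "-A", chain, "-p", PROTOS[r.proto]]
        if ip_network(r.src).prefixlen:      # 0.0.0.0/0 needs no -s
            parts += ["-s", r.src]
        if ip_network(r.dst).prefixlen:
            parts += ["-d", r.dst]
        if r.dport is not None:
            parts += ["--dport", str(r.dport)]
        parts += ["-j", ACTIONS[r.action]]
        lines.append(" ".join(parts))
    return lines


# Constructed sample: allow HTTPS to one server, then drop one private source range.
SAMPLE_RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    Rule("deny", "ip", "10.0.0.0/8", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("\n".join(to_cisco_acl("EDGE_IN", SAMPLE_RULES)))
    print("\n".join(to_iptables("FORWARD", SAMPLE_RULES)))
```

    Rule order is preserved in both outputs, since both an ACL and an iptables chain match first-hit. The one semantic difference the renderer has to paper over is the implicit deny: an ACL has it, an iptables chain only has whatever policy you set, which is why the iptables output starts with a `-P DROP` line.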
  5. > Or do you mean a piece of hardware with LAN and WAN interfaces that can
    > control access and provide VPN services etc? Linux can do a lot of what a
    > Cisco firewall can do. In fact I wouldn't be surprised if ASAs are running
    > embedded Linux, with all you get from Cisco being a name and a set of
    > management tools.


    Shouldn't that virtual LAN stuff be separated into another switch? I
    mean not overloading one device to do everything....

    --
    @~@ Might, Courage, Vision, SINCERITY.
    / v \ Simplicity is Beauty! May the Force and Farce be with you!
    /( _ )\ (Xubuntu 7.04) Linux 2.6.23.8
    ^ ^ 20:12:01 up 6 days 34 min 0 users load average: 1.02 1.03 1.00
    news://news.3home.net news://news.hkpcug.org news://news.newsgroup.com.hk
    Man-wai Chang ToDie, Nov 24, 2007
    #5
    > Shouldn't that virtual LAN stuff be separated into another switch? I
    > mean not overloading one device to do everything....


    Specialization also guarantees better security, I *suspect*....

    --
    @~@ Might, Courage, Vision, SINCERITY.
    / v \ Simplicity is Beauty! May the Force and Farce be with you!
    /( _ )\ (Xubuntu 7.04) Linux 2.6.23.8
    ^ ^ 20:12:01 up 6 days 34 min 0 users load average: 1.02 1.03 1.00
    news://news.3home.net news://news.hkpcug.org news://news.newsgroup.com.hk
    Man-wai Chang ToDie, Nov 24, 2007
    #6
  7. Man-wai Chang ToDie wrote:
    >> Shouldn't that virtual LAN stuff be separated into another switch? I
    >> mean not overloading one device to do everything....

    >
    > Specialization also guarantees better security, I *suspect*....
    >


    Just like politics, power is divided among people...

    --
    @~@ Might, Courage, Vision, SINCERITY.
    / v \ Simplicity is Beauty! May the Force and Farce be with you!
    /( _ )\ (Xubuntu 7.04) Linux 2.6.23.8
    ^ ^ 20:13:01 up 6 days 35 min 0 users load average: 1.00 1.02 1.00
    news://news.3home.net news://news.hkpcug.org news://news.newsgroup.com.hk
    Man-wai Chang ToDie, Nov 24, 2007
    #7
  8. alexd wrote:

    > Or do you mean a piece of hardware with LAN and WAN interfaces that can
    > control access and provide VPN services etc? Linux can do a lot of what a
    > Cisco firewall can do.


    In most cases, iptables and CBAC/the zone-based firewall (there are
    actually two stateful firewalls in IOS already) are comparable. The
    devil is in the details - IOS has a broad set of application/protocol-
    specific plugins which identify protocols and then allow one to put
    some additional checks on the logic of the transmission.

    What's more important is the integration of other features with the
    firewall - IPsec (with static and dynamic tunnels, and without tunnels
    at all - GET) and SSL VPNs, VRFs, NBAR/FPM, CoPP, QoS, unicast &
    multicast routing, voice technologies, IP SLA features, MPLS
    capabilities, NetFlow, OER/PfR, IPS and a load of other stuff. Depending
    on the scenario you don't need all of this, or you need just a
    selection of it, but at the end of the day it's a single image,
    ready to run from boot (IOS) vs configuring/installing (Linux box,
    even if some custom distro). There are a lot of people who will tell
    you the first scenario is better, and a lot who will say the second one
    is better - a lot of it depends on who's gonna run this and how much
    time can be spent on actually keeping it running. But I understand the
    question (iptables vs Cisco) was a purely academic one
    ('get me a list with checkboxes and I'll decide which one is the
    better one').

    > In fact I wouldn't be surprised if ASAs are running
    > embedded Linux, with all you get from Cisco being a name and a set of
    > management tools.


    Actually from 8.0 onwards, Cisco ASA runs a Linux kernel, but it's
    used only for starting up the box and doing some I/O work - ASA/PIX
    specific code runs as a task and performs all the features of the box
    by itself. So no shell, no iptables, no KDE :)

    --
    "Don't expect me to cry for all the | Łukasz Bromirski
    reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net
    Łukasz Bromirski, Nov 24, 2007
    #8
  9. Hello Man-wai Chang ToDie,

    > If there is a hardware-based Linux iptables router, would it hurt
    > Cisco's business?


    Fortinet have some firewalls running Linux. All devices also have hardware
    based acceleration. I am not sure if firewalling is hardware/ASIC or Linux.

    ---
    Helge Olav Helgesen
    http://www.helge.net



    --
    Posted via a free Usenet account from http://www.teranews.com
    Helge Olav Helgesen, Nov 24, 2007
    #9
  10. Hello Man-wai Chang ToDie,

    > So feature-wise, is iptables comparable to Cisco's firewall?


    Linux iptables has lots of features and extensive modules. You can
    do lots of cool stuff with it once you have learned the inner workings
    of iptables.

    The reason I do not use Linux is problems with unstable dynamic routing -
    zebra. I hope those problems are fixed now. I had to switch a few years ago.
    ---
    Helge Olav Helgesen
    http://www.helge.net



    --
    Posted via a free Usenet account from http://www.teranews.com
    Helge Olav Helgesen, Nov 24, 2007
    #10
    > Linux iptables has lots of features and extensive modules. You can
    > do lots of cool stuff with it once you have learned the inner workings
    > of iptables.
    >


    With the arrival of solid-state hard disks, the days of multi-purpose
    hardware iptables/linux would soon come...

    --
    @~@ Might, Courage, Vision, SINCERITY.
    / v \ Simplicity is Beauty! May the Force and Farce be with you!
    /( _ )\ (Xubuntu 7.04) Linux 2.6.23.8
    ^ ^ 18:23:01 up 6 days 22:45 0 users load average: 1.03 1.05 1.05
    (CSSA): http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa/
    Man-wai Chang ToDie, Nov 25, 2007
    #11
  12. Helge Olav Helgesen wrote:

    > Hello Man-wai Chang ToDie,
    >
    >> So feature-wise, is iptables comparable to Cisco's firewall?

    >
    > Linux iptables has lots of features and extensive modules. You can
    > do lots of cool stuff with it once you have learned the inner workings
    > of iptables.
    >
    > The reason I do not use Linux is problems with unstable dynamic routing -
    > zebra. I hope those problems are fixed now. I had to switch a few years
    > ago. ---


    Zebra has been stalled for some years. The preferred routing software is now
    quagga.
    io, Nov 25, 2007
    #12
  13. Hello io,

    > Zebra is stalled since some years. The preferred routing software is
    > now quagga.


    I know. At that time quagga was just starting to get out. But I was forced
    to switch solution after a long period of time with stability problems.
    ---
    Helge Olav Helgesen
    http://www.helge.net



    --
    Posted via a free Usenet account from http://www.teranews.com
    Helge Olav Helgesen, Nov 25, 2007
    #13
  14. Cisco has not been threatened by IPtables on Linux.

    Cisco PIX/ASA Firewall - stateful packet inspection, has a
    permit/deny based access-list
    Cisco IOS Router - no stateful packet inspection, has a permit/deny
    based access-list
    IPtables - packet inspection is unknown, has a permit/deny based
    access-list

    IPchains has been around for a while and IPtables is still around. Both are
    SOFTWARE based and will not be as reliable in corporate environments which
    depend on stability. Cisco IOS routers with access-lists and Cisco PIX/ASA
    firewalls are not only HARDWARE based and more simple in their primary
    function, but they also offer more hardware options.

    * A Linux system with IPtables will not be able to easily put an
    access-list on a connection to a T-1 line because Linux runs on PCs and PCs
    do not commonly have T-1 CSU/DSUs. Cisco routers do have other interface
    types.
    * A Linux system with IPtables can permit and deny network traffic on an
    Internet facing ethernet interface but additional software packages would
    have to be added to host VPN connections, remote firewall management, and
    other built-in Cisco device features. Cisco devices, especially firewalls,
    have many other features built-in.
    * A Linux system with IPtables, being an open-source distribution product,
    does not have the industry backing of a corporate product. For this reason,
    many companies shy away from freeware open-source solutions when reliability
    and accountability are factors in maintaining services. Cost savings means
    little when an outage can rack up hundreds of thousands of dollars in
    company loss in just a few hours.

    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
    "Man-wai Chang ToDie" <> wrote in message
    news:4746a649$-cable.com...
    >
    > If there is a hardware-based Linux iptables router, would it hurt
    > Cisco's business?
    >
    > --
    > @~@ Might, Courage, Vision, SINCERITY.
    > / v \ Simplicity is Beauty! May the Force and Farce be with you!
    > /( _ )\ (Xubuntu 7.04) Linux 2.6.23.8
    > ^ ^ 18:06:01 up 4 days 22:28 0 users load average: 1.06 1.04 1.00
    > news://news.3home.net news://news.hkpcug.org news://news.newsgroup.com.hk
    Scott Perry, Nov 26, 2007
    #14
  15. Scott Perry wrote:
    > Cisco has not been threatened by IPtables on Linux.
    >
    > Cisco PIX/ASA Firewall - stateful packet inspection, has a
    > permit/deny based access-list
    > Cisco IOS Router - no stateful packet inspection, has a permit/deny
    > based access-list
    > IPtables - packet inspection is unknown, has a permit/deny based
    > access-list
    >
    > IPchains has been around for a while and IPtables is still around. Both are
    > SOFTWARE based and will not be as reliable in corporate environments which
    > depend on stability. Cisco IOS routers with access-lists and Cisco PIX/ASA
    > firewalls are not only HARDWARE based and more simple in their primary
    > function, but they also offer more hardware options.
    >
    > * A Linux system with IPtables will not be able to easily put an
    > access-list on a connection to a T-1 line because Linux runs on PCs and PCs
    > do not commonly have T-1 CSU/DSUs. Cisco routers do have other interface
    > types.
    > * A Linux system with IPtables can permit and deny network traffic on an
    > Internet facing ethernet interface but additional software packages would
    > have to be added to host VPN connections, remote firewall management, and
    > other built-in Cisco device features. Cisco devices, especially firewalls,
    > have many other features built-in.
    > * A Linux system with IPtables, being an open-source distribution product,
    > does not have the industry backing of a corporate product. For this reason,
    > many companies shy away from freeware open-source solutions when reliability
    > and accountability are factors in maintaining services. Cost savings means
    > little when an outage can rack up hundreds of thousands of dollars in
    > company loss in just a few hours.
    >


    Not to needle you on your last point, but given Cisco's latest website
    boner, I had to chuckle at the point of pushing a commercial option vs.
    opensource. Your point is taken, just had to chuckle given the
    situation. :)
    fugettaboutit, Nov 26, 2007
    #15
  16. "Scott Perry" <scottperry@aciscocompany> writes:
    >Cisco has not been threatened by IPtables on Linux.


    >Cisco PIX/ASA Firewall - stateful packet inspection, has a
    >permit/deny based access-list
    >Cisco IOS Router - no stateful packet inspection, has a permit/deny
    >based access-list

    ....

    No longer true as of about 5 years ago.. CBAC/IP Firewall/Zone config
    is stateful packet inspection...


    > * A Linux system with IPtables will not be able to easily put an
    >access-list on a connection to a T-1 line because Linux runs on PCs and PCs
    >do not commonly have T-1 CSU/DSUs. Cisco routers do have other interface
    >types.


    I like my T1 customers with linux routers, they think it's a good idea
    until, oh S***, my hard drive blew on my router. We'll be down for
    half a day rebuilding it. They soon ask for and implement dedicated router
    hardware after that..
    Doug McIntyre, Nov 26, 2007
    #16
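    Doug's correction (CBAC/zone-based config is stateful) turns on what "stateful" adds over a permit/deny list. The simulation below is an added example, not code from anyone in the thread: it models the classic stateless approach ("permit tcp any any established" on the inbound ACL, which only looks at the ACK/RST bits of each packet) beside a connection-tracking filter of the kind conntrack or CBAC implements, and runs both over a constructed packet sequence. The Packet and StatefulFilter names and the addresses (RFC 5737 ranges) are assumptions made for the example.

```python
"""Stateless 'established' ACL vs connection tracking, simulated on a
constructed packet sequence. Added example; all names are hypothetical."""
from dataclasses import dataclass
from typing import List, Set, Tuple

Key = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = inside -> outside, "in" = outside -> inside
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # any of "S" (SYN), "A" (ACK), "R" (RST), "F" (FIN)


def stateless_established_acl(pkt: Packet) -> bool:
    """Models 'permit ip any any' outbound plus 'permit tcp any any established'
    inbound. The 'established' keyword matches on the ACK or RST bit alone;
    the device keeps no memory of earlier packets."""
    if pkt.direction == "out":
        return True
    return "A" in pkt.flags or "R" in pkt.flags


class StatefulFilter:
    """Models connection tracking: an inbound packet passes only if it belongs
    to a connection the inside initiated (iptables --state ESTABLISHED, CBAC)."""

    def __init__(self) -> None:
        self.table: Set[Key] = set()

    def allow(self, pkt: Packet) -> bool:
        fwd: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "out":
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.table.add(fwd)          # NEW connection opened from inside
                return True
            return fwd in self.table         # later outbound segments must match
        if rev in self.table:                # reply to a tracked connection
            if "R" in pkt.flags:
                self.table.discard(rev)      # a reset tears the entry down
            return True
        return False                         # no tracked connection: drop


def run(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_established_acl(p), sf.allow(p)) for p in packets]


# Constructed sequence: one legitimate HTTPS session, one unsolicited inbound
# packet, and traffic arriving after the peer has reset the session.
SAMPLE = [
    Packet("out", "10.1.1.5", 40000, "203.0.113.9", 443, "S"),    # inside opens HTTPS
    Packet("in",  "203.0.113.9", 443, "10.1.1.5", 40000, "SA"),   # legitimate SYN/ACK
    Packet("out", "10.1.1.5", 40000, "203.0.113.9", 443, "A"),    # handshake completes
    Packet("in",  "203.0.113.9", 4444, "10.1.1.5", 22, "A"),      # unsolicited, ACK bit set
    Packet("in",  "203.0.113.9", 443, "10.1.1.5", 40000, "R"),    # peer resets the session
    Packet("in",  "203.0.113.9", 443, "10.1.1.5", 40000, "A"),    # data after the reset
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.flags:<2}] stateless={stateless} stateful={stateful}")
```

    The fourth and sixth packets are where the two approaches part ways: the stateless ACL passes anything inbound that carries an ACK bit, whereas the tracking filter passes only packets that match a connection it saw the inside open, and stops passing them once that connection is reset. That gap, rather than the permit/deny list itself, is what a stateful firewall (iptables with conntrack, or IOS CBAC/zone-based policy) closes, and it is the check to look for when comparing feature lists.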
  17. Hello Doug,

    > I like my T1 customers with linux routers, they think it's a good idea
    > until, oh S***, my hard drive blew on my router. We'll be down for
    > half a day rebuilding it. They soon ask for and implement dedicated router
    > hardware after that..


    That can be planned for.

    Dedicated router hardware can fail as well.

    What you need is a good contingency plan. And you should have one whatever
    solution you go for!
    ---
    Helge Olav Helgesen
    http://www.helge.net



    --
    Posted via a free Usenet account from http://www.teranews.com
    Helge Olav Helgesen, Nov 26, 2007
    #17
  18. Just to ask:
    iptables, is it comparable to ipcop [as an alternative to cisco]?
    [also on linux and also router/firewall]

    we have cisco on our vpn corporate network over internet, but an outer
    supplier is trying to migrate us onto ipcop

    thnx!

    "Helge Olav Helgesen" <> wrote in message
    news:...
    > Hello Man-wai Chang ToDie,
    >
    >> So feature-wise, is iptables comparable to Cisco's firewall?

    >
    > Linux iptables has lots of features and extensive modules. You can
    > do lots of cool stuff with it once you have learned the inner workings
    > of iptables.
    >
    sali, Nov 27, 2007
    #18
  19. sali wrote:

    > just to ask
    > iptables, is it comparable to ipcop [as an alternative to cisco]?
    > [also on linux and also router/firewall]


    IPcop uses iptables.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    08:48:13 up 15 days, 21:27, 2 users, load average: 0.22, 0.19, 0.14
    Convergence, n: The act of using separate DSL circuits for voice and data
    alexd, Nov 27, 2007
    #19
  20. "fugettaboutit" <> wrote in message
    news:BKF2j.14324$Mg1.5788@trndny03...
    > Not to needle you on your last point, but given Cisco's latest website
    > boner, I had to chuckle at the point of pushing a commercial option vs.
    > opensource. Your point is taken, just had to chuckle given the situation.
    > :)


    I agree!

    A Cisco sales representative and system engineer were out 2 days ago and
    they could not explain the outage. From what I saw, it affected the CCO
    login side of the website. The public side seemed fine.

    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
    Scott Perry, Nov 29, 2007
    #20