iptables vs Cisco

Discussion in 'Cisco' started by Man-wai Chang ToDie, Nov 23, 2007.

  1. If there is a hardware-based Linux iptables router, would it hurt
    Cisco's business?

    --
    @[email protected] Might, Courage, Vision, SINCERITY.
    / v \ Simplicity is Beauty! May the Force and Farce be with you!
    /( _ )\ (Xubuntu 7.04) Linux 2.6.23.8
    ^ ^ 18:06:01 up 4 days 22:28 0 users load average: 1.06 1.04 1.00
    news://news.3home.net news://news.hkpcug.org news://news.newsgroup.com.hk
     
    Man-wai Chang ToDie, Nov 23, 2007
    #1

  2. Isn't that called a Watchguard firewall?
    (And numerous other lesser-known brands).

    A lot of low-end boxes run embedded Linux, and use iptables for their
    firewall portion.
     
    Doug McIntyre, Nov 23, 2007
    #2

  3. > Isn't that called a Watchguard firewall?
    So feature-wise, is iptables comparable to Cisco's firewall?

     
    Man-wai Chang ToDie, Nov 24, 2007
    #3
  4. It depends what you mean by firewall. Do you literally mean, a set of ACLs?
    If that's the case, then yes, they are broadly comparable. There's even a
    bit of software that can produce Cisco ACLs, iptables rules and pf [BSD]
    rules from the same rule set.

    Or do you mean a piece of hardware with LAN and WAN interfaces that can
    control access and provide VPN services etc? Linux can do a lot of what a
    Cisco firewall can do. In fact I wouldn't be surprised if ASAs are running
    embedded Linux, with all you get from Cisco being a name and a set of
    management tools.
     
    alexd, Nov 24, 2007
    #4
  5. > Or do you mean a piece of hardware with LAN and WAN interfaces that can
    Shouldn't those virtual LAN stuff be separated into another switch? I
    meant not overloading one device to do everything....
     
    Man-wai Chang ToDie, Nov 24, 2007
    #5
  6. > Shouldn't those virtual LAN stuff be separated into another switch? I
    Specialization also guarantees better security, I *suspect*....
     
    Man-wai Chang ToDie, Nov 24, 2007
    #6
  7. Just like politics, power is divided among people...
     
    Man-wai Chang ToDie, Nov 24, 2007
    #7
  8. In most of the cases, iptables vs CBAC/zone-based firewall (because
    there are actually two stateful firewalls in IOS already) are
    comparable. The devil is in the details - IOS has a broad set of
    application/protocol specific plugins - which identify protocols and
    then allow to put some additional checks on the logic of the
    transmission.

    What's more important is the integration of other features with the
    firewall - IPsec (with static and dynamic tunnels, and without tunnels
    at all - GET) and SSL VPNs, VRFs, NBAR/FPM, CoPP, QoS, unicast &
    multicast routing, voice technologies, IP SLA features, MPLS
    capabilities, NetFlow, OER/PfR, IPS and load of other stuff. Depending
    on the scenario you don't need all of this, or you need just a
    selection of it, but at the end of the day - it's in single image,
    ready to run from boot (IOS) vs configuring/installing (Linux box,
    even if some custom distro). There are a lot of people that will tell you
    the first scenario is better, and a lot of them that the second one is
    better - a lot of it depends on who's gonna run this and how much time
    can be spent on actually keeping it running. But I understand the
    question (iptables vs cisco) was purely academic one
    ('get me a list with checkboxes and i'll decide which one is the
    better one').
    Actually from 8.0 onwards, Cisco ASA runs a Linux kernel, but it's
    used only for starting up the box and doing some I/O work - ASA/PIX
    specific code runs as a task and performs all the features of the box
    by itself. So no shell, no iptables, no KDE :)
     
    Łukasz Bromirski, Nov 24, 2007
    #8
  9. Hello Man-wai Chang ToDie,
    Fortinet have some firewalls running Linux. All devices also have hardware
    based acceleration. I am not sure if firewalling is hardware/ASIC or Linux.
     
    Helge Olav Helgesen, Nov 24, 2007
    #9
  10. Hello Man-wai Chang ToDie,
    Linux iptables have lots of features and have extensive modules. You can
    do a lots of cool stuff with it when you have learned the inner workings
    of iptables.

    The reason I do not use Linux is problems with unstable dynamic routing -
    zebra. I hope those problems are fixed now. I had to switch a few years ago.
     
    Helge Olav Helgesen, Nov 24, 2007
    #10
  11. > Linux iptables have lots of features and have extensive modules. You can
    With the arrival of solid-state harddisks, the days of multi-purpose
    hardware iptables/linux would soon come...
     
    Man-wai Chang ToDie, Nov 25, 2007
    #11
  12. Zebra is stalled since some years. The preferred routing software is now
    quagga.
     
    io, Nov 25, 2007
    #12
  13. Hello io,
    I know. At that time quagga was just starting to get out. But I was forced
    to switch solution after a long period of time with stability problems.
     
    Helge Olav Helgesen, Nov 25, 2007
    #13
  14. Cisco has not been threatened by IPtables on Linux.

    Cisco PIX/ASA Firewall - stateful packet inspection, has a
    permit/deny based access-list
    Cisco IOS Router - no stateful packet inspection, has a permit/deny
    based access-list
    IPtables - packet inspection is unknown, has a permit/deny based
    access-list

    IPchains has been around for a while and IPtables is still around. Both are
    SOFTWARE based and will not be as reliable in corporate environments which
    depend on stability. Cisco IOS routers with access-lists and Cisco PIX/ASA
    firewalls are not only HARDWARE based and more simple in their primary
    function, but they also offer more hardware options.

    * A Linux system with IPtables will not be able to easily put an
    access-list on a connection to a T-1 line because Linux runs on PCs and PCs
    do not commonly have T-1 CSU/DSUs. Cisco routers do have other interface
    types.
    * A Linux system with IPtables can permit and deny network traffic on an
    Internet facing ethernet interface but additional software packages would
    have to be added to host VPN connections, remote firewall management, and
    other built-in Cisco device features. Cisco devices, especially firewalls,
    have many other features built-in.
    * A Linux system with IPtables, being an open-source distribution product,
    does not have the industry backing of a corporate product. For this reason,
    many companies shy away from freeware open-source solutions when reliability
    and accountability are factors in maintaining services. Cost savings means
    little when an outage can rack up hundreds of thousands of dollars in
    company loss in just a few hours.

    --

    ===========
    Scott Perry
    ===========
    Indianapolis, Indiana
    ________________________________________
     
    Scott Perry, Nov 26, 2007
    #14
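An added example (not from any poster in this thread) of the rule-set translator alexd mentioned earlier, which also makes the stateful-inspection distinction in the comparison above concrete: one constructed policy rendered as a Cisco IOS extended ACL and as iptables commands. The list names (EDGE-IN, EDGE_IN), the addresses and the policy itself are assumptions.

```python
# Added example, not from any poster: one abstract rule set rendered for both
# platforms. A plain IOS ACL can only approximate state with the TCP
# "established" flag check; iptables matches on real connection state.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (any protocol)
    src: str              # CIDR such as "10.0.0.0/24", or "any"
    dst: str
    dport: int = 0        # 0 means any destination port
    stateful: bool = False  # only replies within existing sessions

def _wildcard(cidr):
    """IOS ACLs take wildcard masks: 10.0.0.0/24 -> '10.0.0.0 0.0.0.255'."""
    if cidr == "any":
        return "any"
    net, bits = cidr.split("/")
    wild = (1 << (32 - int(bits))) - 1
    return f"{net} {'.'.join(str((wild >> s) & 255) for s in (24, 16, 8, 0))}"

def to_cisco(rules, name="EDGE-IN"):
    """IOS extended ACL; 'established' is a TCP flag check (ACK/RST), not state."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        parts = [r.action, r.proto, _wildcard(r.src), _wildcard(r.dst)]
        if r.dport:
            parts.append(f"eq {r.dport}")
        if r.stateful and r.proto == "tcp":
            parts.append("established")
        lines.append(" " + " ".join(parts))
    return lines

def to_iptables(rules, chain="EDGE_IN"):
    """iptables commands; the conntrack match is genuinely stateful."""
    lines = [f"iptables -N {chain}"]
    for r in rules:
        parts = ["iptables", "-A", chain] + (["-p", r.proto] if r.proto != "ip" else [])
        for flag, val in (("-s", r.src), ("-d", r.dst)):
            if val != "any":
                parts += [flag, val]
        if r.dport:
            parts += ["--dport", str(r.dport)]
        if r.stateful:
            parts += ["-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED"]
        parts += ["-j", "ACCEPT" if r.action == "permit" else "DROP"]
        lines.append(" ".join(parts))
    return lines

RULES = [  # constructed sample policy: HTTPS in, session replies, drop the rest
    Rule("permit", "tcp", "any", "192.0.2.10/32", 443),
    Rule("permit", "tcp", "any", "192.0.2.0/24", stateful=True),
    Rule("deny", "ip", "any", "any"),
]
```

Printing `"\n".join(to_cisco(RULES))` and `"\n".join(to_iptables(RULES))` shows the two renderings side by side; the second rule is where the platforms differ in what they can actually check.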
  15. Not to needle you on your last point, but given Cisco's latest website
    boner, I had to chuckle at the point of pushing a commercial option vs.
    opensource. Your point is taken, just had to chuckle given the
    situation. :)
     
    fugettaboutit, Nov 26, 2007
    #15
  16. ....

    No longer true as of about 5 years ago.. CBAC/IP Firewall/Zone config
    is stateful packet inspection...

    I like my T1 customers with linux routers, they think it's a good idea
    until, oh S***, my hard drive blew on my router. We'll be down for
    half a day rebuilding it. They soon ask and implement dedicated router
    hardware after that..
     
    Doug McIntyre, Nov 26, 2007
    #16
  17. Hello Doug,
    That can be planned for.

    Dedicated router hardware can fail as well.

    What you need is a good contingency plan. And you should have one whatever
    solution you go for!
     
    Helge Olav Helgesen, Nov 26, 2007
    #17
  18. just to ask
    iptables, is it comparable to ipcop [as an alternative to cisco]?
    [also on linux and also router/firewall]

    we have cisco on our vpn corporate network over internet, but an outer
    supplier is trying to migrate us onto ipcop

    thnx!
     
    sali, Nov 27, 2007
    #18
  19. IPcop uses iptables.
     
    alexd, Nov 27, 2007
    #19
  20. I agree!

    A Cisco sales representative and system engineer were out 2 days ago and
    they could not explain the outage. From what I saw, it affected the CCO
    login side of the website. The public side seemed fine.

     
    Scott Perry, Nov 29, 2007
    #20