Mailing List Archive

Linux vs Linksys router decision?
For several years, we've run our home network on Linux/RH 5.x, 6.x and
currently 7.1. It has served as a reliable web, print, and file server to a
dial-up ISP. Recently we switched to a cable provider and at the same time
picked up a very inexpensive Linksys router which is currently serving as
our firewall rather than using Linux with internal and external NICs. My
question is now whether or not to remove the router and let Linux do the
routing and firewall tasks with iptables. Will the 350Mhz / 64Mb Linux box
running two 10/100 NICs be faster or more secure than the Linksys router?
We typically run 3 to 5 workstations with a fair amount of gaming and MP3
downloading.
Rick
rlapp@erols.com
Re: Linux vs Linksys router decision?
On Sat, 4 Aug 2001, Rick Lapp wrote:

> Will the 350Mhz / 64Mb Linux box running two 10/100 NICs be faster or
> more secure than the Linksys router? We typically run 3 to 5
> workstations with a fair amount of gaming and MP3 downloading.

It probably won't be visibly faster or slower. How secure it is depends on
your proficiency in generating an iptables rules set and in securing the
daemons that are exposed to the outside.

The main advantage will be the flexibility of using a general purpose
operating system as opposed to a single-purpose embedded device. This may
or may not be useful to you.

The main disadvantage will be in the setup. The Linksys router that you
have probably has an easy-to-use web interface. Your Linux machine
probably doesn't have such an interface. Also, people don't often reboot
Linksys routers to install new kernels either :)

Scottie Shore <sshore@escape.ca>
"Experience is that marvelous thing that enables you to recognize
a mistake when you make it again." -- F. P. Jones
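
As an added example (not from any poster in this thread), the shell script below generates a default-deny, stateful iptables rule set for the two-NIC gateway being discussed and lints it for rules that would let unsolicited outside traffic in. The interface names `eth0`/`eth1`, the LAN range and both function names are assumptions.

```shell
#!/bin/sh
# Added example. eth0 (cable modem side), eth1 (LAN side) and the
# 192.168.1.0/24 range are assumptions, not values from the thread.

# Emit an iptables-restore ruleset: default-deny, stateful, NAT for the LAN.
gen_gateway_rules() {   # usage: gen_gateway_rules EXT_IF INT_IF LAN_CIDR
    ext=$1; int=$2; lan=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan -o $ext -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $int -s $lan -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int -o $ext -s $lan -j ACCEPT
COMMIT
EOF
}

# Lint a ruleset on stdin: INPUT/FORWARD must default to DROP, and no ACCEPT
# rule may admit traffic from EXT_IF (or from any interface) without a state match.
audit_rules() {         # usage: audit_rules EXT_IF < ruleset; returns 0 if clean
    awk -v ext="$1" '
        function bad(msg) { print "FAIL: " msg; rc = 1 }
        /^:INPUT /   { seen_in = 1; if ($2 != "DROP") bad("INPUT policy is " $2) }
        /^:FORWARD / { seen_fw = 1; if ($2 != "DROP") bad("FORWARD policy is " $2) }
        /^-A (INPUT|FORWARD) / && /-j ACCEPT/ && !/--state/ {
            if (index($0, "-i " ext " ") || !/ -i /) bad("open to outside: " $0)
        }
        END { if (!seen_in || !seen_fw) bad("filter policies missing"); exit rc + 0 }
    '
}

# Runs without root: nothing is loaded into the kernel, the text is only checked.
gen_gateway_rules eth0 eth1 192.168.1.0/24 | audit_rules eth0 && echo "ruleset OK"
```

To apply the generated text, feed it to `iptables-restore` as root and enable forwarding with the `net.ipv4.ip_forward` sysctl.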
RE: Linux vs Linksys router decision?
I can only address the SMC Barricade, a similar device. Firmware
upgrades are available, and sometimes those really improve the device
functionality. Check the website from time to time; you'll probably find
both upgrades and instructions on how to apply the firmware upgrade.
HTH.

Carl Friedberg
carl@comets.com

> The main disadvantage will be in the setup. The Linksys router that you
> have probably has an easy-to-use web interface. Your Linux machine
> probably doesn't have such an interface. Also, people don't often reboot
> Linksys routers to install new kernels either :)
Re: Linux vs Linksys router decision?
Rick, buddy ole pal...if I had the money, I'd go with a separate router and
firewall solution...

Linksys routers are nice...I've witnessed a few things that make me raise my
eyebrow concerning their combos, including the recent security issue with
them sending password cleartext over the wire
(http://hypoclear.cjb.net/hypo_linksys_advisory.txt)

Anyway...it's kinda like buying a stereo system. Generally, you'd want to
buy the components separately. You get the best quality that way, compared
to buying that Pioneer rig at Wal-Mart that has the DVD/CD/AM-FM/Speakers
All-In-One package all built in...if you're a serious audiophile, you'd go
to a nice custom rig shop and do it the professional way, right?

In my opinion, buying "combo" routers/firewalls is the same way...

Here's an example. Since I happen to break into machines for a living at my
place of employment, I've witnessed tales of being able to send 2K byte
pings through a "combo" firewall/router when that router (supposedly) was
explicitly denying all ICMP traffic. Come to find out, we were able to set
off Black Ice, which happened to be running on a workstation behind that
"combo" firewall/router. If it had done its job, (OR, if it had been a nice
Cisco, supplemented with a nice firewall) those ICMP packets would've never
come through--hence, Ice would've never been set off...

My point? IF (and that's always a big IF) you have the dough to spare, and
you're as paranoid and silly as me, then buy a small Cisco (or comparable
router) and a small firewall, and do it that way.

Of course, money is almost always a concern, unless you're Bill Gates or the
late Sam Walton...=)

My $0.05...=P
--
/*
* Woody Hughes, MCP
* Systems Engineer
* Lyris Technologies
* ---------------------------
* woody@thewoodman.org
* http://www.thewoodman.org
*/
Re: Linux vs Linksys router decision?
On the other hand, you are limited to the burned-in capabilities of that
router/firewall you purchased. Personally I strongly recommend a Linux
box for this (or *bsd) because you can change your capabilities very
quickly without relying on a vendor's promised patch. I also find the
*nix box to be much more highly configurable and extensible.

One can't load Hogwash on a Linksys router/firewall. Separate systems
have a weighted value. Sometimes it makes more sense all around to put
your routing and filtering in one box. I'm very very paranoid about my
network and I am a red team member by profession as well. I find more
value in a software-based firewall/router due to its adaptability to
the client's needs.

Since the costs involved often tend to be much lower for the *nix
solution, that is an additional benefit.

As an aside, the Linksys router has (patches available) a few
vulnerabilities in it that allow bad traffic in and are susceptible to
DoS attacks requiring manual power cycling.

David
P.S. Your custom rig example below actually resembles a home-built Linux
router/firewall system more than you'd like, I think ;)

Woody Hughes wrote:

>Rick, buddy ole pal...if I had the money, I'd go with a separate router and
>firewall solution...
>
>Linksys routers are nice...I've witnessed a few things that make me raise my
>eyebrow concerning their combos, including the recent security issue with
>them sending password cleartext over the wire
>(http://hypoclear.cjb.net/hypo_linksys_advisory.txt)
>
>Anyway...it's kinda like buying a stereo system. Generally, you'd want to
>buy the components separately. You get the best quality that way, compared
>to buying that Pioneer rig at Wal-Mart that has the DVD/CD/AM-FM/Speakers
>All-In-One package all built in...if you're a serious audiophile, you'd go
>to a nice custom rig shop and do it the professional way, right?
>
>In my opinion, buying "combo" routers/firewalls is the same way...
>
>Here's an example. Since I happen to break into machines for a living at my
>place of employment, I've witnessed tales of being able to send 2K byte
>pings through a "combo" firewall/router when that router (supposedly) was
>explicitly denying all ICMP traffic. Come to find out, we were able to set
>off Black Ice, which happened to be running on a workstation behind that
>"combo" firewall/router. If it had done its job, (OR, if it had been a nice
>Cisco, supplemented with a nice firewall) those ICMP packets would've never
>come through--hence, Ice would've never been set off...
>
>My point? IF (and that's always a big IF) you have the dough to spare, and
>you're as paranoid and silly as me, then buy a small Cisco (or comparable
>router) and a small firewall, and do it that way.
>
>Of course, money is almost always a concern, unless you're Bill Gates or the
>late Sam Walton...=)
>
>My $0.05...=P
>--
>/*
> * Woody Hughes, MCP
> * Systems Engineer
> * Lyris Technologies
> * ---------------------------
> * woody@thewoodman.org
> * http://www.thewoodman.org
> */