Wiley Siler
2005-Aug-15 13:21 UTC
[Asterisk-Users] Firewall will definitely increase jitters in your voice conversation
Typically a "hardware" firewall is specialized and uses ASICs. Because the solution utilizes specialized chips tailored to the task, this is considered a hardware based solution. Of course software is involved but it too is specialized and is even proprietary in nature. A "software" firewall, be it BlackICE or even a Linux on PC, uses no specialized hardware. Thus the "software" designation. It runs on pretty much any x86 hardware (Linux at least) and is not proprietary in nature. That is the general meaning when people say hardware or software firewall. Sure, both technically use some form of hardware and software. But the specialization of that hardware is what makes it designated as hardware based or software based.

There have been countless arguments over firewalls in the "software vs. hardware" arena. At this point and time, I can say I feel that both have great purpose and functionality. I prefer my Pix because I use VPN tunnels to certain sites that have Cisco on the other side and it makes things easier. The configuration of my firewall is also very simplified with my Pix. I ran a Linux firewall for quite a while and I loved it. With the amount of power available to the modern (or even somewhat outdated) PC, you can leverage plenty of performance out of a marginal box.

So, to each their own! Use what works best for your application. Great points on single entry point being easier BTW.

Cheers,
Wiley

-----Original Message-----
From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Chris Travers
Sent: Saturday, August 13, 2005 3:36 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Firewall will definitely increase jitters in your voice conversation

Wiley Siler wrote:

> The question was not "can I secure a Linux box without a hardware
> firewall". The question (or statement really) was "will a firewall add
> jitter and lower performance".

A good firewall architecture w/QoS will actually prevent jitter and increase performance, I might add.

> That answer is obviously a big NO. Can you secure a Linux (or even
> Windows) machine by closing ports? Sure.
> It helps immensely. However, an advantage of hardware is that you are
> physically separating the traffic from the end point.

The analogy I would use here is that you could purchase a safe for each person in your house and have them each keep all their valuables in it, but it is often cheaper and easier to focus on securing entrance-points. The same is doubly true for office buildings, and also quite true for computer networks.

I typically use used P1's running Linux for firewalls. They work great and have all the capabilities I need including QoS and secure management.

> Sure, all the
> ports closed on a Linux box can protect that machine. However, having
> only web (for example) traffic going to your Apache server is really
> beneficial. The server can focus on delivering pages and not spend any
> CPU cycles on "is this a good packet? Should I drop it?". A firewall
> (software or hardware) should also be able to better deal with DOS and
> things of that nature. Port securing does nothing to assist with DOS.
>
DOS doesn't include a TCP/IP stack does it? ;-) By "Things of that nature" are you including CP/M?

Actually port securing can provide some measure of protection against DoS attacks in that fewer services are available to attack. However, you are correct that this protection is probably insignificant.

> So... You are totally right, you can secure a box that way. However,
> a firewall (be it software or hardware) is far superior a method.
>
When you say "software" or "hardware" I assume you mean hardware like PIX and software like BlackIce. I am not sure where a stripped down Linux version running on a P1 which does firewalling and only firewalling fits in. I call that type of system a "hardware" firewall simply because it is a dedicated piece of hardware which does perimeter control and only perimeter control.

Where VOIP is concerned, use a dedicated firewall system with QoS capabilities. Period. (Yes it is possible to run such a system on Windows, but I certainly don't advise it.)

> I
> prefer the hardware method myself as it is a matter of management and
> additional features. However, for some, a software method may be
> better. I ran Mandrake SNF (a shorewall implementation) for a long
> time so I have been there. Considering you can run a Linux firewall on
> a 386 machine worth $20 makes the fact that so many people don't have
> firewalls seem just ridiculous.
>
Bear in mind that finding replacement parts (NIC's etc) for your 386 may not be trivial..... That is why I use P1's with PCI slots....... Also it is often impossible to get OpenGK to compile on such a machine due to memory limitations (my P1 firewall even has this problem and it has a whopping 32MB RAM). So the older you go, the less functionality you may be able to add.

Best Wishes,
Chris Travers
Metatron Technology Consulting
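The dedicated Linux firewall with QoS that the thread argues for, as an added example that was not posted by either participant: iptables forwards only SIP signalling and the RTP media range to the PBX (the "only the traffic the server needs" point) and marks outbound voice packets, and an HTB class on the WAN interface dequeues marked packets ahead of bulk traffic so a saturated uplink does not add jitter. Interface names, the PBX address and the uplink rate are placeholder assumptions; UDP/5060 and UDP/10000-20000 are Asterisk's default SIP and RTP ports.

```shell
#!/bin/sh
# Added example: minimal perimeter policy for an Asterisk PBX behind a Linux
# firewall. Placeholders (assumptions, override via environment):
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PBX_IP="${PBX_IP:-192.0.2.10}"        # documentation-range placeholder
UPLINK_KBIT="${UPLINK_KBIT:-1024}"    # usable upstream rate of the WAN link

# Emit the rule set instead of executing it, so it can be reviewed first.
voip_fw_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# From the WAN, only SIP (UDP/5060) and the RTP range may reach the PBX
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $PBX_IP -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $PBX_IP -p udp --dport 10000:20000 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
# Mark voice packets leaving on the WAN so tc can classify them (fwmark 1)
iptables -t mangle -A POSTROUTING -o $WAN_IF -p udp --sport 5060 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o $WAN_IF -p udp --sport 10000:20000 -j MARK --set-mark 1
# HTB root: a guaranteed, highest-priority voice class (1:10), bulk in 1:20
tc qdisc add dev $WAN_IF root handle 1: htb default 20
tc class add dev $WAN_IF parent 1: classid 1:1 htb rate ${UPLINK_KBIT}kbit
tc class add dev $WAN_IF parent 1:1 classid 1:10 htb rate 256kbit ceil ${UPLINK_KBIT}kbit prio 0
tc class add dev $WAN_IF parent 1:1 classid 1:20 htb rate 512kbit ceil ${UPLINK_KBIT}kbit prio 1
# Steer fwmark 1 (voice) into the priority class
tc filter add dev $WAN_IF parent 1: protocol ip handle 1 fw flowid 1:10
EOF
}

# Apply for real: needs root plus iptables and tc installed on the firewall.
apply_voip_fw() {
    voip_fw_rules | sh -e
}

case "${1:-}" in
    apply) apply_voip_fw ;;
    *) voip_fw_rules ;;
esac
```

Run it with no argument to print the rules for review, or with `apply` on the firewall host to install them.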