asterisk users - Aug 2005 - Firewall will definatelyincrease jittersinyourvoice conversation

Typically a "hardware" firewall is specialized and uses ASICs. 
Because
the solution utilizes specialized chips tailored to the task, this is
considered a hardware based solution.  Of course software is involved
but it too is specialized and is even proprietary in nature.

A "software" firewall, be it BlackICE or even a Linux on PC uses no
specialized hardware.  Thus the "software" designation.  It runs on
pretty much any x86 hardware (Linux at least) and is not proprietary in
nature.

That is the general meaning when people say hardware or software
firewall.  Sure, both technically use some form of hardware and
software.  But the specialization of that hardware is what makes it
designated as hardware based or software based.  There have been
countless arguments over firewalls in the "software vs. hardware"
arena.
At this point and time, I can say I feel that both have great purpose
and functionality.  I prefer my Pix because I use VPN tunnels to certain
sites that have Cisco on the other side and it makes things easier.  The
configuration of my firewall is also very simplified with my Pix.  I ran
a Linux firewall for quite a while and I loved it.  With the amount of
power available to the modern (or even somewhat outdated) PC, you can
leverage plenty of performance out of a marginal box.  So, to each there
own!  Use what works best for you application.

Great points on single entry point being easier BTW.

Cheers,
Wiley










-----Original Message-----
From: asterisk-users-bounces@lists.digium.com
[mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Chris
Travers
Sent: Saturday, August 13, 2005 3:36 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Firewall will definatelyincrease
jittersinyourvoice conversation

Wiley Siler wrote:
>The question was not "can I secure a Linux box without a hardware 
>firewall".  The question (or statement really) was "will a
firewall add
>jitter and lower performance".
>
A good firewall architecture w/QoS will actually prevent jitter and
increase performance, I might add.
>  That answer is obviously a big NO.  Can you secure a Linux (or even 
>Windows) machine by closing ports?  Sure.
>It helps immensely.  However, an advantage of hardware is that you are 
>physically separating the traffic from the end point.
>
The analogy I would use here is that you could purchase a safe for each
person in your house and have them each keep all their valuables in it,
but it is often cheaper and easier to focus on securing entrence-points.
The same is doubly true for office buildings, and also quite true for
computer networks.

I typically use used P1's running Linux for firewalls.  They work great
and have all the capabilities I need including QoS and secure
management.
>  Sure, all the
>ports closed on a Linux box can protect that machine.  However, having 
>only web (for example) traffic going to your Apache server is really 
>beneficial.  The server can focus on delivering pages and not spend any
>CPU cycles on "is this a good packet?  Should I drop it?".  A
firewall
>(software or hardware) should also be able to better deal with DOS and 
>things of that nature. Port securing does nothing to assist with DOS.
>  
>
DOS doesn't include a TCP/IP stack does it? ;-)  By "Things of that
nature" are you including CP/M?

Actually port securing can provide some measure of protection against
DoS attacks in that fewer services are available to attack.  However,
you are correct that this protection is probably insignificant.
>So...  You are totally right, you can secure a box that way.  However, 
>a firewall (be it software or hardware) is far superior a method.
>
When you say "software" or "hardware" I assume you mean
hardware like
PIX and software like BlackIce.  I am not sure where a stripped down
Linux version running on a P1 which does firewalling and only
firewalling fits in.  I call that type of system a "hardware" firewall
simply because it is a dedicated piece of hardware which does perimiter
control and only perimiter control.

Where VOIP is concerned, use a dedicated firewall system with QoS
capabilities.  Period.  (Yes it is possible to run such a system on
Windows, but I certainly don't advise it.)
>  I
>prefer the hardware method myself as it is a matter of management and 
>additional features.  However, for some, a software method may be 
>better.  I ran Mandrake SNF (a shorewall implementation) for a long 
>time so I have been there.  Considering you can run a Linux firewall on
>a 386 machine worth $20 makes the fact that so many people don't have 
>firewalls seem just ridiculous.
>  
>
Bear in mind that finding replacement parts (NIC's etc) for your 386 may
not be trivial.....  That is why I use P1's with PCI slots.......

Also it is often impossible to get OpenGK to compile on such a machine
due to memory limitations (my P1 firewall even has this problem and it
has a whopping 32MB RAM).  So the older you go, the less functionality
you may be able to add.

Best Wishes,
Chris Travers
Metatron Technology Consulting