Author Topic: Router / Firewall Hardware (Read 403 times)

dfl8rms · « **on:** December 30, 2002, 03:05:26 PM »

I currently use a Linux system as my firewall and am looking at replacing it with a "black box" approach. Can any of the net gurus recommend a low cost solution? I was looking at the NetGear FVS318 and was wondering if it would be a good choice? Or if anybody is running one, what their experience is with it.

My LAN inside the home varies between 3 and 5 systems (PCs & Unix servers) with one being the work laptop which will need to VPN into the corporate structure (Cisco's VPN solution).

Any constructive / informative comments welcom.

Skuzzy · « **Reply #1 on:** December 30, 2002, 03:29:29 PM »

I do not think you are going to be happy with one of the consumer grade routers once you have used a Linux system as your router.
The consumer grade routers are very slow, have limited memory for tables/translations and are generally a pain in the neck as compared to what you have right now.

Jusr my humble opinion.

dfl8rms · « **Reply #2 on:** December 30, 2002, 06:20:25 PM »

Thanks for the feedback Skuzzy. I was hoping to free up my firewall to be my file server, but I don't want to take a performance hit. I was hoping the appliance approach would be faster than the Linux system.

Ghosth · « **Reply #3 on:** December 30, 2002, 10:44:46 PM »

Find yourself a cheap P133 that could take over the Net duties. Then use current box for file server.

I've found em as low as 10$ in 2nd hand stores, and another 10$ for 13" monitor.

eagl · « **Reply #4 on:** December 31, 2002, 01:50:08 AM »

I have a Dlink 604 and it works fine. The embedded web server that serves up the configuration pages sucks (slow mostly) and it was pretty easy to set up so I could host H2H. I've had to use it's reset button a few times but no major problems. Pings through it seem normal, and I haven't seen any packet loss.

It's pretty full featured and I haven't really found anything to discourage me from using it. It's also really cheap. $33 after rebate including tax from Frys until Tuesday, and you can find them cheap online too.

Skuzzy · « **Reply #5 on:** December 31, 2002, 09:36:14 AM »

Quote

Originally posted by dfl8rms
Thanks for the feedback Skuzzy. I was hoping to free up my firewall to be my file server, but I don't want to take a performance hit. I was hoping the appliance approach would be faster than the Linux system.

The appliance routers will be slower than the Linux system. They do not do any type of load balancing, which you can configure your Linux box to do without any troubles.
Any one computer could dominate your Internet connection with the appliance solution.

What's the CPU speed of your Linux router? A 233Mhz system is more than ample for routing purposes with a couple of good Ethernet cards.
If your CPU is much faster, you may be able to get away with using it as a file server and router without impacting the network chores.

Wlfgng · « **Reply #6 on:** December 31, 2002, 11:11:30 AM »

there is a Linux based black-box that is router/firewall/email server if you're interested.

it's made by Esoft (division of Interlocken)
called the Instagate EX.. don't know if that's what you're looking for or not...

eagl · « **Reply #7 on:** December 31, 2002, 01:31:17 PM »

Skuzzy,

I agree with you 100% except that almost everyone I know, including XX who was teaching Cisco networking at Cisco and is now the network admin for a major international corporation, has had their linux box rooted. I've been the subject of occasional intense port probing that is clearly looking for services a typical linux installation might have, and some of those probes are "brute force" attempts looking for overruns and other more insidious vulnerabilities. If I had time to monitor and patch it daily, I'd be using a *nix based router/firewall but since I don't, I am going with the "next best" solution, a hardware based router/firewall and a software watchdog inside the LAN to catch anything that originates from inside the LAN or sneaks through the router.

BTW, XX found out he'd been routed when a software firewall INSIDE his own lan noticed his linux box attempting to infect the other computers on his lan while keeping a back door open to participate in DDOS attacks, so even with a good firewall it seems logical to have some sort of internal watchdog operating inside the LAN. I personally use BlackICE defender because even with it's limitations, it's interface is extremely readable, with a real-time display of external hits, ip addys of attacker and victim, ports used, any passed parameters, hit count, and if it recognizes that the attacker is using a known exploit, it identifies it. It's very clear and makes a fine second-layer for a non-expert.