iptables vs Cisco

If there is a hardware-based Linux iptables router, would it hurt Cisco's business?

Reply to
Man-wai Chang ToDie

Isn't that called a Watchguard firewall? (And numerous other lesser-known brands).

A lot of low-end boxes run embedded Linux, and use iptables for their firewall portion.

Reply to
Doug McIntyre

Thanks

So feature-wise, is iptables comparable to Cisco's firewall?

Reply to
Man-wai Chang ToDie

It depends what you mean by firewall. Do you literally mean a set of ACLs? If that's the case, then yes, they are broadly comparable. There's even a bit of software that can produce Cisco ACLs, iptables rules and pf [BSD] rules from the same rule set.

Or do you mean a piece of hardware with LAN and WAN interfaces that can control access and provide VPN services etc? Linux can do a lot of what a Cisco firewall can do. In fact I wouldn't be surprised if ASAs are running embedded Linux, with all you get from Cisco being a name and a set of management tools.

Reply to
alexd
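To make the "broadly comparable" point concrete, here is an added example (my own code, not the tool alexd refers to and not anything from this thread): a three-rule policy rendered once as iptables commands and once as a Cisco IOS extended ACL. The rule model, the chain name `FORWARD`, the ACL name `OUTSIDE_IN` and the addresses (RFC 5737 documentation ranges) are all constructed for the illustration; the output syntax is standard iptables and IOS ACL syntax.

```python
"""Added example: render one small permit/deny policy as both iptables rules
and a Cisco extended ACL. Rule model, sample policy and names are assumptions
made for this illustration, not from the original thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (any protocol)
    src: str               # CIDR such as "10.0.0.0/8", or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int] = None   # destination port, tcp/udp only


# Constructed sample policy: HTTPS to one server from anywhere, SSH to it
# only from the 10/8 admin network, everything else denied.
POLICY: List[Rule] = [
    Rule("permit", "tcp", "any", "192.0.2.10/32", 443),
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.10/32", 22),
    Rule("deny", "ip", "any", "any"),
]


def to_iptables(rules: List[Rule], chain: str = "FORWARD") -> List[str]:
    """Render the policy as iptables commands for one filter chain.

    The first line makes the Linux side stateful: reply packets of flows that
    conntrack already knows are accepted before the per-rule checks run.
    """
    lines = [f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        parts = ["iptables", "-A", chain]
        if r.proto != "ip":
            parts += ["-p", r.proto]
        if r.src != "any":
            parts += ["-s", r.src]
        if r.dst != "any":
            parts += ["-d", r.dst]
        if r.dport is not None:
            parts += ["--dport", str(r.dport)]
        parts += ["-j", "ACCEPT" if r.action == "permit" else "DROP"]
        lines.append(" ".join(parts))
    return lines


def _cisco_addr(cidr: str) -> str:
    """IOS ACLs take 'any', 'host A.B.C.D', or 'network wildcard-mask'."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    # The wildcard mask is the inverted netmask; ipaddress calls it hostmask.
    return f"{net.network_address} {net.hostmask}"


def to_cisco_acl(rules: List[Rule], name: str = "OUTSIDE_IN") -> List[str]:
    """Render the same policy as a named IOS extended access list."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        line = f" {r.action} {r.proto} {_cisco_addr(r.src)} {_cisco_addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(to_iptables(POLICY)))
    print()
    print("\n".join(to_cisco_acl(POLICY)))
```

Two details worth noticing in the output. An IOS ACL ends in an implicit deny, so the last rule is redundant there, whereas the iptables filter table's default policy is ACCEPT unless you set it otherwise, so the explicit DROP (or `iptables -P FORWARD DROP`) is what actually closes the chain. And the conntrack line has no counterpart in a plain extended ACL: the closest stateless substitute on IOS, `permit tcp any any established`, only tests the ACK/RST bits of each packet, which is the gap the stateful IOS features discussed later in the thread (CBAC, zone-based firewall) were added to close.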

Shouldn't that virtual LAN stuff be separated onto another switch? I mean not overloading one device to do everything....

Reply to
Man-wai Chang ToDie

Specialization also guarantees better security, I *suspect*....

Reply to
Man-wai Chang ToDie

Just like politics, power is divided among people...

Reply to
Man-wai Chang ToDie

In most cases, iptables vs CBAC/zone-based firewall (because there are actually two stateful firewalls in IOS already) are comparable. The devil is in the details - IOS has a broad set of application/protocol specific plugins, which identify protocols and then allow some additional checks to be put on the logic of the transmission.

What's more important is the integration of other features with the firewall - IPsec (with static and dynamic tunnels, and without tunnels at all - GET) and SSL VPNs, VRFs, NBAR/FPM, CoPP, QoS, unicast & multicast routing, voice technologies, IP SLA features, MPLS capabilities, NetFlow, OER/PfR, IPS and a load of other stuff. Depending on the scenario you don't need all of this, or you need just a selection of it, but at the end of the day it's in a single image, ready to run from boot (IOS) vs configuring/installing (Linux box, even if some custom distro). There are a lot of people who will tell you the first scenario is better, and a lot who will say the second one is better - a lot of it depends on who is going to run this and how much time can be spent on actually keeping it running. But I understand the question (iptables vs cisco) was a purely academic one ('get me a list with checkboxes and I'll decide which one is the better one').

Actually, from 8.0 onwards, Cisco ASA runs a Linux kernel, but it's used only for starting up the box and doing some I/O work - ASA/PIX specific code runs as a task and performs all the features of the box by itself. So no shell, no iptables, no KDE :)

Reply to
Łukasz Bromir

Hello Man-wai Chang ToDie,

Fortinet have some firewalls running Linux. All devices also have hardware based acceleration. I am not sure if firewalling is hardware/ASIC or Linux.

Reply to
Helge Olav Helgesen

Hello Man-wai Chang ToDie,

Linux iptables has lots of features and extensive modules. You can do a lot of cool stuff with it once you have learned the inner workings of iptables.

The reason I do not use Linux is problems with unstable dynamic routing - zebra. I hope those problems are fixed now. I had to switch a few years ago.

Reply to
Helge Olav Helgesen

With the arrival of solid-state hard disks, the days of multi-purpose hardware iptables/Linux will soon come...

Reply to
Man-wai Chang ToDie

Zebra has been stalled for some years. The preferred routing software is now quagga.

Reply to
io

Hello io,

I know. At that time quagga was just starting to get out. But I was forced to switch solution after a long period of time with stability problems.

Reply to
Helge Olav Helgesen

Cisco has not been threatened by IPtables on Linux.

Cisco PIX/ASA Firewall - stateful packet inspection, has a permit/deny based access-list
Cisco IOS Router - no stateful packet inspection, has a permit/deny based access-list
IPtables - packet inspection is unknown, has a permit/deny based access-list

IPchains has been around for a while and IPtables is still around. Both are SOFTWARE based and will not be as reliable in corporate environments which depend on stability. Cisco IOS routers with access-lists and Cisco PIX/ASA firewalls are not only HARDWARE based and more simple in their primary function, but they also offer more hardware options.

  • A Linux system with IPtables will not be able to easily put an access-list on a connection to a T-1 line because Linux runs on PCs and PCs do not commonly have T-1 CSU/DSUs. Cisco routers do have other interface types.
  • A Linux system with IPtables can permit and deny network traffic on an Internet facing ethernet interface but additional software packages would have to be added to host VPN connections, remote firewall management, and other built-in Cisco device features. Cisco devices, especially firewalls, have many other features built-in.
  • A Linux system with IPtables, being an open-source distribution product, does not have the industry backing of a corporate product. For this reason, many companies shy away from freeware open-source solutions when reliability and accountability are factors in maintaining services. Cost savings mean little when an outage can rack up hundreds of thousands of dollars in company loss in just a few hours.
Reply to
Scott Perry

Not to needle you on your last point, but given Cisco's latest website boner, I had to chuckle at the point of pushing a commercial option vs. opensource. Your point is taken, just had to chuckle given the situation. :-)

Reply to
fugettaboutit

...

No longer true as of about 5 years ago.. CBAC/IP Firewall/Zone config is stateful packet inspection...

I like my T1 customers with Linux routers; they think it's a good idea until "oh S***, my hard drive blew on my router, we'll be down for half a day rebuilding it." They soon ask for and implement dedicated router hardware after that.

Reply to
Doug McIntyre
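The disagreement above about whether a Cisco router does "stateful packet inspection" (Scott's table vs Doug's correction that CBAC and the zone-based firewall are stateful, and Łukasz's earlier note that IOS carries two stateful firewalls) comes down to what a filter remembers between packets. The following is an added example, my own toy model rather than code from any poster or vendor: it contrasts a stateless rule of the `permit tcp any any established` kind, which on IOS only tests whether the ACK or RST bit is set, with a connection-tracking filter of the kind iptables' conntrack, CBAC and the zone-based firewall implement. The flow table, the packets and the addresses (RFC 5737 documentation ranges) are constructed for the demonstration; real connection tracking also follows TCP state transitions, timeouts and non-TCP protocols, which this model leaves out.

```python
"""Added example: stateless 'established' ACL vs stateful connection tracking.
Both filters are deliberately minimal models written for this illustration;
the packet scenario below is constructed, not captured traffic."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flag names, e.g. frozenset({"SYN", "ACK"})
    direction: str          # "out" = inside -> Internet, "in" = Internet -> inside


class StatelessAcl:
    """Models an inbound 'permit tcp any any established' entry: it inspects
    each packet in isolation and admits anything carrying ACK or RST, because
    it has no way to know whether a matching outbound flow ever existed."""

    def permits_inbound(self, p: Packet) -> bool:
        return bool(p.flags & {"ACK", "RST"})


class StatefulFilter:
    """Models connection tracking: an outbound SYN registers a flow, and an
    inbound packet is admitted only if it is the reverse of a registered flow."""

    def __init__(self) -> None:
        # Key is the outbound 4-tuple (src, sport, dst, dport).
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def permits(self, p: Packet) -> bool:
        if p.direction == "out":
            # Assumption for the demo: the inside is trusted to open connections.
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        reverse = (p.dst, p.dport, p.src, p.sport)
        return reverse in self.flows


# Constructed scenario: an inside host opens HTTPS to a web server, the
# server replies, then an outside host tries an ACK-only probe (an "ACK scan")
# and a bare SYN against the inside host's SSH port.
SCENARIO: List[Tuple[str, Packet]] = [
    ("outbound_syn",
     Packet("10.0.0.5", 40000, "198.51.100.7", 443, frozenset({"SYN"}), "out")),
    ("reply_syn_ack",
     Packet("198.51.100.7", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), "in")),
    ("forged_ack_scan",
     Packet("203.0.113.9", 1234, "10.0.0.5", 22, frozenset({"ACK"}), "in")),
    ("unsolicited_syn",
     Packet("203.0.113.9", 1235, "10.0.0.5", 22, frozenset({"SYN"}), "in")),
]


def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (stateless_verdict, stateful_verdict)} for the scenario.
    The stateless ACL is only consulted for inbound packets; outbound packets
    are always passed, matching the stateful model's assumption above."""
    acl, ct = StatelessAcl(), StatefulFilter()
    verdicts: Dict[str, Tuple[bool, bool]] = {}
    for name, p in SCENARIO:
        stateless = acl.permits_inbound(p) if p.direction == "in" else True
        verdicts[name] = (stateless, ct.permits(p))
    return verdicts


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:18s} stateless={stateless!s:5s} stateful={stateful}")
```

The interesting row is `forged_ack_scan`: the stateless rule lets a packet with only ACK set through to an inside port because it looks like a reply, while the tracking filter drops it because no inside host ever opened that flow. That is the practical difference between an access list and a stateful firewall, whichever vendor it comes from; on a router the stateful behaviour is what CBAC (`ip inspect`) or the zone-based firewall adds on top of the ACL, and on Linux it is the `conntrack` match in front of the iptables rules.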

Hello Doug,

That can be planned for.

Dedicated router hardware can fail as well.

What you need is a good contingency plan. And you should have one whatever solution you go for!

Reply to
Helge Olav Helgesen

Just to ask: iptables, is it comparable to IPCop [as an alternative to Cisco]? [Also on Linux and also router/firewall]

We have Cisco on our VPN corporate network over the Internet, but an outside supplier is trying to migrate us onto IPCop.

Thanks!

Reply to
sali

IPcop uses iptables.

Reply to
alexd

I agree!

A Cisco sales representative and system engineer were out 2 days ago and they could not explain the outage. From what I saw, it affected the CCO login side of the website. The public side seemed fine.

Reply to
Scott Perry

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.