[Dshield] firewall help request

Lauro, John jlauro at umflint.edu
Fri Oct 3 17:20:22 GMT 2003

> Cyberguard has per-appliance licensing. It costs a lot, but security
> always costs...
> What scalability are you talking about? I don't think you can manage
> some dozens of Linux boxes as easily as Cyberguards (or Ciscos, or
> Checkpoints, or SonicWalls, or...) managed through centralized

If that were true, do you honestly think Linux would be as popular as
it is?  I never used Cyberguards, so I can't state for sure which is
easier...  However, if you know what you are doing it is no problem to
manage dozens of Linux machines centrally.  Certainly much easier than
dozens of Windows boxes running Checkpoint, etc....

> OK, I wasn't right about iptables capabilities (sorry, I'm not
> working with Linux so much these days).
> If we are talking about a small number of boxes - yes, Linux means
> scalability, more features, more possibilities.
> But in the case of running more than N boxes (N<10), Linux
> firewalls' TCO will hardly be cheaper: you need to patch every box
> separately, to modify rules separately. So in big networks you get
> more overhead, a more complex network to understand, and so more
> probability of having holes in security.

*You* might need to, but I certainly would not have to patch every box
separately or modify rules separately, etc...  I think you are
confusing Linux with Windows....  (Actually there are ways to do things
centrally with Windows too, but IMO it's much easier in Linux to
centralize and lower your TCO.)

If anything, Linux TCO is higher when N is small.  There is a slightly
higher learning curve (no higher than Unix) to be proficient at it.
As N grows, the ability to centrally manage it grows, and the
difference between managing 10 boxes or 100 is minimal (not counting
actual hardware maintenance).  Unlike Windows, where going from 10 to
100 can easily be triple the work...
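
The reply above asserts, but does not show, how rule changes get pushed to many Linux firewalls from one place. The script below is an added example, not code from the post, from DShield or from any of the products named: one central iptables ruleset template is rendered per host and applied over ssh with a rollback timer, so a bad rule cannot lock the administrator out of a remote box. The hostnames, subnets and ports are constructed; key-based root ssh, `iptables-restore --test`, the `-m conntrack` match and the `/etc/iptables/rules.v4` persistence path are assumptions about the target fleet.

```shell
#!/bin/sh
# Added example (not from the original post): one central ruleset template,
# rendered per host and pushed to a fleet of Linux firewalls over ssh.
# Hosts, networks and ports are constructed; key-based root ssh and a
# lockout-safe rollback window are assumptions.

# Render an iptables-restore ruleset for one host. Only the management
# subnet allowed to reach ssh and the TCP services the box exposes vary
# per host; everything else comes from the shared template below.
render_rules() {
    host=$1
    mgmt_net=$2
    tcp_ports=$(printf '%s' "$3" | tr ',' ' ')
    cat <<EOF
# generated centrally for $host; local edits will be overwritten
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -s $mgmt_net -m conntrack --ctstate NEW -j ACCEPT
EOF
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j LOG --log-prefix "fw-drop: " --log-level 4'
    printf '%s\n' 'COMMIT'
}

# Seconds a new ruleset may run unconfirmed before the box reverts to its
# previous rules by itself (assumed default; tune for your fleet).
ROLLBACK_SECS=${ROLLBACK_SECS:-60}

# Push one host's ruleset and apply it atomically with iptables-restore.
# The remote side syntax-checks first (--test), saves the running rules,
# arms a detached rollback timer, then loads the new rules. A second,
# fresh ssh connection proves the new rules still admit management
# traffic; only then is the timer disarmed and the ruleset persisted.
# If that second connection is blocked, the timer restores the old rules.
deploy_rules() {
    host=$1
    mgmt_net=$2
    tcp_ports=$3
    render_rules "$host" "$mgmt_net" "$tcp_ports" | ssh "root@$host" '
        set -e
        new=$(mktemp)
        cat > "$new"
        iptables-restore --test "$new"
        iptables-save > /root/iptables.previous
        nohup sh -c "sleep '"$ROLLBACK_SECS"'; iptables-restore /root/iptables.previous" >/dev/null 2>&1 &
        echo $! > /run/fw-rollback.pid
        iptables-restore "$new"
        rm -f "$new"
    ' || return 1
    # Confirmation over a NEW connection (-n: do not consume our stdin).
    # Persistence path is an assumption (Debian iptables-persistent layout).
    ssh -n "root@$host" '
        kill "$(cat /run/fw-rollback.pid)" && rm -f /run/fw-rollback.pid
        iptables-save > /etc/iptables/rules.v4
    '
}

# Constructed inventory: host, management subnet, exposed TCP ports.
FLEET='
fw-dmz1.example.net 10.0.0.0/24 80,443
fw-mail.example.net 10.0.0.0/24 25,587
fw-dmz2.example.net 10.0.0.0/24 80,443
'

# Walk the inventory; a failed host is reported but does not stop the run,
# because its own rollback timer will put it back the way it was.
deploy_fleet() {
    printf '%s\n' "$FLEET" | while read -r host net ports; do
        [ -n "$host" ] || continue
        deploy_rules "$host" "$net" "$ports" || echo "FAILED: $host (rollback armed)" >&2
    done
}

# Run with FW_DEPLOY=1 to push to the fleet; otherwise preview one render.
if [ "${FW_DEPLOY:-0}" = 1 ]; then
    deploy_fleet
else
    render_rules fw-dmz1.example.net 10.0.0.0/24 80,443
fi
```

The point of the two-connection dance is the one thing that actually changes when N grows from 10 to 100: nobody is sitting at a console to fix a box that just firewalled off its own management port. Patching is the same shape of problem (a loop over the same inventory running the distribution's package manager over ssh), which is why the per-box cost stays flat.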
