[Asterisk-Users] Firewall will definitely increase jitters in your voice conversation

Chris Travers chris at metatrontech.com
Sat Aug 13 15:35:33 MST 2005


Wiley Siler wrote:

>The question was not "can I secure a Linux box without a hardware
>firewall".  The question (or statement really) was "will a firewall add
>jitter and lower performance".
>
A good firewall architecture w/QoS will actually prevent jitter and 
increase performance, I might add.

>  That answer is obviously a big NO.  Can
>you secure a Linux (or even Windows) machine by closing ports?  Sure.
>It helps immensely.  However, an advantage of hardware is that you are
>physically separating the traffic from the end point.
>
The analogy I would use here is that you could purchase a safe for each 
person in your house and have them each keep all their valuables in it, 
but it is often cheaper and easier to focus on securing 
entrance points.  The same is doubly true for office buildings, and also 
quite true for computer networks.

I typically use used P1s running Linux for firewalls.  They work great 
and have all the capabilities I need, including QoS and secure management.

>  Sure, all the
>ports closed on a Linux box can protect that machine.  However, having
>only web (for example) traffic going to your Apache server is really
>beneficial.  The server can focus on delivering pages and not spend any
>CPU cycles on "is this a good packet?  Should I drop it?".  A firewall
>(software or hardware) should also be able to better deal with DOS and
>things of that nature. Port securing does nothing to assist with DOS.
>  
>
DOS doesn't include a TCP/IP stack does it? ;-)  By "Things of that 
nature" are you including CP/M?

Actually port securing can provide some measure of protection against 
DoS attacks in that fewer services are available to attack.  However, 
you are correct that this protection is probably insignificant.

>So...  You are totally right, you can secure a box that way.  However, a
>firewall (be it software or hardware) is far superior a method.
>
When you say "software" or "hardware" I assume you mean hardware like 
PIX and software like BlackIce.  I am not sure where a stripped down 
Linux version running on a P1 which does firewalling and only 
firewalling fits in.  I call that type of system a "hardware" firewall 
simply because it is a dedicated piece of hardware which does perimeter 
control and only perimeter control.

Where VOIP is concerned, use a dedicated firewall system with QoS 
capabilities.  Period.  (Yes it is possible to run such a system on 
Windows, but I certainly don't advise it.)

>  I
>prefer the hardware method myself as it is a matter of management and
>additional features.  However, for some, a software method may be
>better.  I ran Mandrake SNF (a shorewall implementation) for a long time
>so I have been there.  Considering you can run a Linux firewall on a 386
>machine worth $20 makes the fact that so many people don't have
>firewalls seem just ridiculous.
>  
>

Bear in mind that finding replacement parts (NICs etc.) for your 386 may 
not be trivial...  That is why I use P1s with PCI slots...

Also it is often impossible to get OpenGK to compile on such a machine 
due to memory limitations (my P1 firewall even has this problem and it 
has a whopping 32MB RAM).  So the older you go, the less functionality 
you may be able to add.

Best Wishes,
Chris Travers
Metatron Technology Consulting
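One concrete form of the setup described in the reply above (a dedicated Linux box that closes everything by default, admits only the PBX's SIP and RTP traffic, and runs QoS so voice is dequeued ahead of bulk traffic), as an added example that is not part of the original post and not Asterisk's own code. The names and numbers are assumptions: WAN interface eth0, a PBX at 192.0.2.10 (documentation range), SIP on UDP 5060, RTP on UDP 10000-20000 (a typical Asterisk rtp.conf range), a 1000 kbit uplink with 300 kbit reserved for voice. By default the script only prints the iptables and tc commands it would run; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): a dedicated Linux router that
# closes everything by default, admits only SIP/RTP to the PBX, and uses HTB
# so voice is dequeued before bulk traffic on the uplink.
# Assumptions (edit for your site): WAN interface eth0, PBX at 192.0.2.10
# (documentation range), SIP on UDP 5060, RTP on UDP 10000-20000 (a typical
# Asterisk rtp.conf range), 1000 kbit uplink with 300 kbit reserved for voice.

WAN="${WAN:-eth0}"
PBX="${PBX:-192.0.2.10}"
UPLINK_KBIT="${UPLINK_KBIT:-1000}"  # a little below the real upstream rate so the queue forms here, not in the modem
VOICE_KBIT="${VOICE_KBIT:-300}"     # roughly three G.711 calls at ~90 kbit/s each on the wire
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the commands (default, safe); 0 = execute them as root

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bandwidth left for everything that is not voice.
bulk_rate_kbit() {
    echo $((UPLINK_KBIT - VOICE_KBIT))
}

# Perimeter policy: default DROP, only the listed services get through.
firewall_rules() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SIP signalling and the RTP media range, and nothing else, reach the PBX from outside.
    run iptables -A FORWARD -i "$WAN" -d "$PBX" -p udp --dport 5060 -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -d "$PBX" -p udp --dport 10000:20000 -j ACCEPT
    # Management (SSH) of the firewall itself only from the LAN side, never from the WAN.
    run iptables -A INPUT ! -i "$WAN" -p tcp --dport 22 -j ACCEPT
}

# Uplink QoS: mark voice in the mangle table, then an HTB tree that guarantees it
# bandwidth and priority, with a short FIFO so late packets are dropped rather than queued.
qos_rules() {
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p udp --dport 5060 -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$WAN" -p udp --sport 10000:20000 -j MARK --set-mark 1
    # Also honour DSCP EF (46) that phones or Asterisk (tos=ef) have already set.
    run iptables -t mangle -A POSTROUTING -o "$WAN" -m dscp --dscp 46 -j MARK --set-mark 1

    run tc qdisc del dev "$WAN" root 2>/dev/null || true   # start from a clean root qdisc
    run tc qdisc add dev "$WAN" root handle 1: htb default 20
    run tc class add dev "$WAN" parent 1: classid 1:1 htb rate "${UPLINK_KBIT}kbit" ceil "${UPLINK_KBIT}kbit"
    # 1:10 voice: guaranteed VOICE_KBIT and served first (prio 0) when both classes want spare bandwidth
    run tc class add dev "$WAN" parent 1:1 classid 1:10 htb rate "${VOICE_KBIT}kbit" ceil "${UPLINK_KBIT}kbit" prio 0
    # 1:20 everything else: gets the remainder, may borrow up to the full uplink while voice is idle
    run tc class add dev "$WAN" parent 1:1 classid 1:20 htb rate "$(bulk_rate_kbit)kbit" ceil "${UPLINK_KBIT}kbit" prio 1
    run tc qdisc add dev "$WAN" parent 1:10 handle 10: pfifo limit 20
    run tc qdisc add dev "$WAN" parent 1:20 handle 20: sfq perturb 10
    # Anything carrying fwmark 1 goes to the voice class.
    run tc filter add dev "$WAN" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
}

firewall_rules
qos_rules
```

Two caveats a practitioner should keep in mind. The shaping only governs what this box sends out of $WAN; inbound jitter is decided by the queues on the provider's side, and the most you can do locally is keep the downstream link from saturating. And the rate numbers are the whole point: if UPLINK_KBIT is above the real upstream rate, the queue builds in the modem instead of here and the HTB tree prioritises nothing. After applying, `tc -s class show dev eth0` shows per-class byte counts and drops, which is the quickest way to confirm voice is actually landing in 1:10.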