Linux Firewall VS Commercial Firewalls
July 4th, 2007 by devnull | 2 Comments | Filed in firewalls
This post is a reply to a question on the Digital Point forums. It was a good question, so I decided to elaborate on it here.
The question was why a commercial firewall would be any better than a Linux + Snort setup in an enterprise environment (protecting servers).
I know this will draw some flames, but I am OK with that.
So here are my 2c on the matter.
First of all, I would like to get some things out of the way:
In my answer I use Checkpoint as the commercial firewall example. Why? Because it's the product I am most familiar with.
Checkpoint's products are not perfect; they have issues just like any other solution, and trust me, I did send them my feedback.
Let's start off with a short review of both solutions' capabilities.
Linux + Snort (Linux from now on) -
This is the "cheaper" solution. You set up a server with your favorite Linux distribution, configure iptables one way or another (there are some really nice web interfaces out there), then install Snort. You can run Snort as an IDS, or combine it with iptables to make it an IPS. Personally, I can't see Snort as an IPS. Not to go too deep on this, but I think it would take too much time to tune it so that it doesn't produce too many false positives. Most IPS products on the market ship a more conservative signature base. In general, you can tailor almost anything into this solution.
Checkpoint -
There are many setups you can go with here, but I'll list the one closest to the previous solution. I assume you will run Checkpoint R65 on SecurePlatform with SmartDefense and Web Intelligence enabled. Lots of terms here, which I will explain now: SecurePlatform (splat) is a hardened, Red Hat based Linux distribution that Checkpoint compiled. SmartDefense is Checkpoint's application-level firewall (a mini IPS/IDS). Web Intelligence is SmartDefense's web application firewall. I can't see SmartDefense and WI competing with Snort, as they are much more basic. Every feature needs its own license, so this adds up.
The battle begins now.
The short version is that management and troubleshooting are the key reasons why I chose a commercial firewall over Linux.
For example, in our server environment we might want to implement a cluster setup for redundancy. This is really easy with Checkpoint: you have two modules and a management server, and a few clicks later you have a working Active/Passive or Active/Active cluster. With Linux and iptables this will take more time and skill, since you have to combine separate pieces yourself (a failover mechanism for the addresses and, if you want existing connections to survive a failover, a way to synchronize the connection tracking state) that the vendor product ships as one feature.
Logging is what I consider the most important part of the whole solution. If you can't use the logs in a fast and clear way, your whole firewall is worth nothing. This is where Checkpoint excels: you can view and filter all of the logs in a very intuitive way. When trying to troubleshoot or understand a security event, you want to do it fast, and know that you can trust your logs. With Linux this would be harder. You will probably send the logs to a remote syslog server, but I can't think of an application that would display the logs the way Checkpoint does.
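To make the Linux side of this concrete, here is an added example (not code from the original post) of the kind of thing you end up writing yourself: a small shell function that summarizes iptables LOG lines from a syslog feed by protocol, source address and destination port. It assumes the firewall logs its drops with the prefix IPT-DROP-IN: (an assumption; use whatever --log-prefix your own rules set), and the sample lines are constructed for the example, not real logs.

```shell
#!/bin/sh
# Added example, not from the original post: triage iptables LOG lines from a
# syslog file the way you would when asking "who is hitting us and where?".
set -eu

summarize_drops() {
    # $1: the --log-prefix your LOG rules use (assumed "IPT-DROP-IN:" below).
    # Reads syslog lines on stdin; prints "count proto src dpt", busiest first.
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }        # not one of our firewall lines
        {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {         # kernel LOG output is KEY=VALUE tokens
                split($i, kv, "=")
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (dpt == "") dpt = "-"            # ICMP and friends have no port
            count[proto " " src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3 -k4,4n
}

# Constructed sample of what a remote syslog server would receive; the last
# line is an unrelated sshd message and must be ignored by the summary.
SAMPLE_LOG=$(cat <<'EOF'
Jul  4 12:00:01 fw kernel: IPT-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:00:02 fw kernel: IPT-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:00:03 fw kernel: IPT-DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:00:04 fw kernel: IPT-DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=6000 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:00:05 fw kernel: IPT-DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jul  4 12:00:06 fw sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 5000 ssh2
EOF
)

# Usage against the constructed sample; for real data use
#   summarize_drops "IPT-DROP-IN:" < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_drops "IPT-DROP-IN:"
```

It gives you a top-talkers view in a couple of seconds, but that is also the point of the paragraph above: every further filter or drill-down you want (by destination, by time window, by rule) is another script to write and keep working as the log format changes, while the vendor console has it built in.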
Policy maintenance in Linux can be made easier with web administration tools. On this matter I will have to direct you to Checkpoint's site to download its SmartConsole demo. Once you try the demo, there will be no need for me to elaborate on how easy it is to maintain rules and policy. Remember that when your policy is not clean and clear, it leads to security holes: rules nobody understands any more tend to stay in place and stay too broad.
Deeper protocol inspection is something you get by default with Checkpoint. The firewall "knows" how HTTP, HTTPS, FTP, IRC etc. work. It knows when it is OK to open a data connection and when it is not. It knows that X11 can be dangerous. Though it will not give you full IPS capabilities, using SmartDefense and WI will give you good protection out of the box. If a big new worm spreads, you will be able to update the system and be protected. Running Snort may give you much more protection at the IPS level, as well as better logs of attack events. The problem is that Snort will give you more false positives and will be much harder to configure. This is why I prefer to see IPS features as part of a larger solution, and not as an all-in-one firewall, IPS and coffee maker. I will go deeper into this another time.
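Since this paragraph (and the Linux + Snort setup described earlier) turns on the firewall knowing when an FTP data connection is legitimate and that X11 is dangerous, here is the Linux side of the same thing, as an added example that is not code from the original post: a minimal stateful iptables policy for one Internet-facing server, printed in iptables-restore format so it can be reviewed before it is applied. The interface name, the admin network and the set of open ports are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal stateful iptables
# policy for one Internet-facing server, emitted in iptables-restore format.
# Interface, admin network and the open ports are assumptions for the example.
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # assumed Internet-facing interface
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # assumed source network for SSH

print_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Loopback and already-tracked traffic first. RELATED is what admits the
# passive-mode FTP data connection: the nf_conntrack_ftp helper reads the
# PASV reply on the control channel and expects the data connection, so you
# do not have to open the whole passive port range.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j LOGDROP
# Services this host offers.
-A INPUT -i $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Management only from the admin network.
-A INPUT -i $WAN_IF -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# X11 would hit the catch-all below anyway; listing it explicitly documents
# that it is a known-dangerous service, the way a vendor policy does, and
# makes scans for it easy to spot in the logs.
-A INPUT -p tcp --dport 6000:6063 -j LOGDROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Everything else: log (rate limited so a scan cannot flood syslog), then drop.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "IPT-DROP-IN: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

apply_ruleset() {
    # Without the helper the data connection is never marked RELATED and
    # passive FTP transfers hang. Older 2.6 kernels call it ip_conntrack_ftp.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    print_ruleset | iptables-restore
}

# Default action is to print the rules for review; "apply" loads them (as root).
case "${1:-print}" in
    apply) apply_ruleset ;;
    *)     print_ruleset ;;
esac
```

Run it once to read the rules, then run it with apply as root and check the result with iptables -L -v -n. The helper only understands FTP (IRC and a few others have their own modules you load the same way); a vendor firewall ships dozens of such protocol parsers enabled by default, which is the point above about what you get out of the box.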
Troubleshooting is where you need good information sources. Checkpoint is a company that makes firewalls, so they have your needs in mind and provide good tools to troubleshoot their products, from the SmartView Monitor GUI, which shows you the health of the system, to low-level CLI commands that point you to what is wrong. With Linux you will have to use different tools designed by different people for different needs.
Support is not that simple when it comes to the Linux solution. As I mentioned, this solution is assembled from different products, which means that when you have a problem you have to go to all sorts of resources. With a vendor firewall, no matter what brand, you have one source to go to. Most vendors keep high standards for their partners, and require various levels of certification in order to sell their products. All of these companies maintain a large knowledge base that you can access from the Internet. There is someone you can go to. I sure did have a few problems with such tech support, but I always got an answer. The bugs were fixed. Why? Because I am a paying customer. This point is very important in an enterprise environment.
As you can see, when you add up all these variables, a vendor firewall solution might work better for your environment.
The rest is up to you.
By the way, I am not, and never was, a Checkpoint employee.
