Cisco Set to Dominate Linux Market? (InternetNews)
Sean Michael Kerner blogs about Linux based Cisco routers. "Instead of needing to rely on Red Hat or Novell to supply Linux running on servers from HP, IBM, Dell, etc., a user that already has an ISR (and there are 4 million of them out there) can just buy an AXP from Cisco, put that module on their ISR and -- badda boom badda bing -- they've got a Linux application server."
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 11, 2008 20:12 UTC (Fri) by allesfresser (subscriber, #216) [Link] That annoying phrase near the end of the quote gets my vote for expurgation from the language forever. I tend to downgrade the quality rating of any source I hear using it... not fair, maybe, but that's my own neurosis I guess. :) Also, to contribute something on topic, I don't know if it would be too smart to make a single point of failure with this solution... I'd rather keep my routers a little bit separated from my applications.
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 11, 2008 22:54 UTC (Fri) by jwb (subscriber, #15467) [Link] So, in addition to having some of the worst-performing, least-secure routers in the world, a Cisco customer can also get some half-assed Linux servers from the same jokers? Thanks, but no. I think I would rather continue purging Cisco from my life wherever I happen to find it. Also, in consideration of Cisco's long history of shamelessly ripping off other people's software, I think all open source developers would do well to keep an eye on Cisco's license compliance with this new Linux appliance of theirs.
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 12, 2008 15:07 UTC (Sat) by drag (subscriber, #31333) [Link] Who knows. Maybe Cisco is turning over a new leaf here. I wouldn't put it past them. Of course Cisco's history is going to hurt them here.
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 13, 2008 8:15 UTC (Sun) by jengelh (subscriber, #33263) [Link] Speaking of software, theirs is not the best either. Example: their VPN Client for Linux which uses a kernel driver. WTF for, if vpnc can do it with a regular tun device? Not only is tun safer, but it also makes the potential legal problems with a kernel driver go away instantly.
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 13, 2008 12:54 UTC (Sun) by simlo (subscriber, #10866) [Link] If they did that, they could not bypass the normal routing table and force you to send _all_ network traffic through the VPN tunnel - otherwise you can bridge the local unsafe network and the company network creating a potential security hole. (But you easily edit the source for that part of their kernel module and avoid it if you want to.)
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 13, 2008 15:18 UTC (Sun) by jengelh (subscriber, #33263) [Link] They could do that using
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 13, 2008 16:55 UTC (Sun) by drag (subscriber, #31333) [Link] Are you saying that they are trying to use a kernel module to bypass the root user? That's insane... Because otherwise I don't understand the problem, because what I think you're talking about is easily done. Say you're on a network 192.168.1.0 with a gateway 192.168.1.1 and you want to connect to a VPN on a mystical internet address 10.1.1.2 with the vpn network being 172.16.23.0 and the gateway on 172.16.23.1.. So.. (this is with openvpn with its client-to-client and topology subnet)
> openvpn --config client.conf
> read -p 'press enter when connected'
> ip route del default dev eth0
> ip route del 192.168.1.0/24 dev eth0
> ip route add 192.168.1.1/32 dev eth0
> ip route add 10.1.1.2 via 192.168.0.254 dev eth0
> ip route add default via 172.16.23.1 dev tun0
Then set up a simple iptables firewall to block all traffic coming in and out of eth0, except for the VPN traffic. Then, voila, no information going in or out into the local ethernet network.
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 13, 2008 16:57 UTC (Sun) by drag (subscriber, #31333) [Link] oops,
ip route add 10.1.1.2 via 192.168.0.254 dev eth0
should be
ip route add 10.1.1.2 via 192.168.1.1 dev eth0
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 13, 2008 22:04 UTC (Sun) by dan_linder (guest, #88) [Link] You're right, it is insane, but they wanted to make sure they could advertise that their VPN module would nearly completely isolate the workstation from the local LAN traffic. In my case, many of my customers have policies that require the workstation VPN software limit the client OS from talking with the local network for anything other than VPN traffic (makes it a real pain to print locally). Since I'm an outside contractor with VPN permissions and use Linux as my primary workstation OS, if Cisco relied on running iproute commands to limit the connectivity, then I (as root) could undo that and break the security policy. Sure, there are ways around it, but I'm too lazy to implement some of them, especially when bypassing them could end up in job termination. Dan
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 14, 2008 2:03 UTC (Mon) by drag (subscriber, #31333) [Link] That's just... er 'WOW'. This though, I know now, is the normal sort of BS that you have to go through to meet bizarre requirements that certifications place on you. So I understand. I understand very very very well. And sadly I am understanding this more week by week. I wonder how long before regular people realize that these layers of bureaucracy and insane certification requirements make things _WORSE_ instead of better? That these things have the net effect of making things _more_ expensive and _less_ secure as well as dramatically reducing accountability (I followed the rules, your honor. How was I supposed to know...)? (I mean, seriously, depending on Cisco for security is about the same level of insanity as depending on Microsoft to produce a truly open document format)
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 14, 2008 18:06 UTC (Mon) by madscientist (subscriber, #16861) [Link] Nortel's VPN solution is the same way: they have a kernel module as well. That version does allow the server to allow the client to use split tunneling, where only the VPN-bound traffic goes through the VPN but all "public" traffic uses the native network interface. This allows for a much faster and more reliable user experience, at the sacrifice of some security (since now that host becomes an unsecured gateway onto the private network). Nortel's solution also does something else which I'm not sure Cisco does, to mitigate this: while the VPN is running they disable all incoming connections to privileged ports (ports <1024). That means that, while the VPN is running, no incoming connection to your printer service, ssh, HTTP, SMTP, etc. etc. is allowed. If you use your home system as a server for a local network, this completely shuts down all services unless you've done the work to move them to unprivileged ports. However, it provides slightly better security since it disallows most of the connections that could be compromised to enter the private network through that system. Obviously you could start your SSH server on a different port but the attacker would have to know that port... and presumably someone knowledgeable enough to move the service would also be better at securing the system against attack (yes, I know... but the alternative, to disallow split tunneling, is even less palatable). Now here's the real trick, that requires a kernel module: if you change your routing tables in ANY WAY or try to re-enable those ports, then the VPN is automatically, immediately shut down. I understand where drag's frustration comes from, but I don't see any proof that these facilities REDUCE security. They definitely reduce productivity of an individual, insofar as they have to work within this restricted environment. 
As always, these things are a compromise: it will certainly reduce a LOT of peoples' productivity if a nasty virus or worm gets loose on the private network. I certainly don't like kernel modules: when I used Nortel's solution it was always a huge pain since they didn't support Debian (my distro at the time) and support for new kernels was very slow to come. If you don't want anything like that, you can get Juniper's VPN solution. Theirs is user-space only and does support split tunneling but doesn't provide the guarantees that Cisco and Nortel's solutions do. The big bummer with Juniper's solution is their install/startup scripting is truly horrible. It works, just barely, on Red Hat Enterprise Linux systems, but refuses to work on most other systems for no reason except that the person who wrote it didn't know what they were doing. Very frustrating. However, since it's a script and the solution is userspace it is possible to work around it: I've written a simple alternative script that works pretty well.
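An added example, not code from the thread or from any of the vendors discussed: a POSIX sh check that a routing table is in the full-tunnel state drag's command sequence produces (only the LAN-gateway /32 and the VPN-server /32 left on the LAN interface, default route via the tunnel), which is the invariant madscientist describes Nortel's kernel module enforcing by dropping the VPN when routes change. Interface and address names are the thread's; the teardown command and polling interval are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from any vendor: check that a
# routing table is in the full-tunnel state drag's command sequence produces
# (only the LAN-gateway /32 and VPN-server /32 remain on the LAN interface,
# default route via the tunnel), the invariant Nortel's module enforces by
# tearing the VPN down when routes change. Names below are the thread's.
LAN_IF=eth0
TUN_IF=tun0
LAN_GW=192.168.1.1
VPN_SERVER=10.1.1.2

# check_full_tunnel: reads `ip route show` output on stdin, prints each
# violation, returns 0 when the table is compliant and 1 otherwise.
check_full_tunnel() {
    rc=0
    saw_default=0
    while read -r line; do
        set -- $line          # $1 is the destination prefix or "default"
        case "$line" in
            "default via "*" dev $TUN_IF"*|"default dev $TUN_IF"*)
                saw_default=1 ;;
            "default "*)
                echo "violation: default route not via $TUN_IF: $line"; rc=1 ;;
            *" dev $LAN_IF"*)
                case "$1" in
                    "$LAN_GW"|"$VPN_SERVER") ;;   # the two host routes we need
                    *) echo "violation: extra route on $LAN_IF: $line"; rc=1 ;;
                esac ;;
        esac
    done
    [ "$saw_default" -eq 1 ] || { echo "violation: no default via $TUN_IF"; rc=1; }
    return "$rc"
}

# watch_full_tunnel: poll the live table and run a teardown the moment the
# invariant breaks (user-space analogue of "routes changed, VPN down").
# Assumption: openvpn is the tunnel daemon, as in drag's post.
watch_full_tunnel() {
    interval=${1:-5}
    while ip route show | check_full_tunnel; do
        sleep "$interval"
    done
    echo "routing policy violated, tearing down VPN"
    pkill -x openvpn
}
```

Run `ip route show | check_full_tunnel` after bringing the tunnel up to confirm the lockdown took, or `watch_full_tunnel 5` in the background to keep enforcing it; unlike a kernel module, root can of course stop the watcher, which is exactly the gap dan_linder's customers' policies are aimed at.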
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 17, 2008 21:16 UTC (Thu) by nicku (subscriber, #777) [Link]
Nortel's VPN solution is the same way: they have a kernel module as well.
Do you know if vpnc can work with Nortel VPNs? If so, are there particular differences in setup? I need to connect to a Nortel VPN, but am not keen to buy their $95 proprietary software with kernel module and use that.
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 18, 2008 0:56 UTC (Fri) by madscientist (subscriber, #16861) [Link] Sorry, I don't know. And at my new job (well, not that new: I've been there over 18 months now) we don't use Nortel VPN anymore.
Price/performance? Posted Apr 12, 2008 1:06 UTC (Sat) by dmarti (subscriber, #11625) [Link] Sanity check time. Compare the price of a Dell or HP commodity Linux server to the price of a Cisco router with similar CPU and RAM. Now keep buying servers from your existing server vendor, run as much as you can on the inexpensive machines, and use special-purpose router hardware when you really, really need it. Check Vyatta and Untangle before you decide that you need it, though.
Price/performance? Posted Apr 12, 2008 2:09 UTC (Sat) by fjf33 (subscriber, #5768) [Link] And there is always devil-linux!!!
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 12, 2008 8:55 UTC (Sat) by gdt (subscriber, #6284) [Link] This has to be seen in the wider context of the router market. Firstly, Juniper have put a lot of work into third-party accessibility of its routers (which are based on FreeBSD) and this is Cisco's response. Secondly, this is for branch office routers, where Cisco faces potential competition from PC servers running network services (typically running Linux). A branch office usually has a router and a small server (running DHCP, DNS forwarding, maybe a SIP gateway, that sort of thing). Savings can be made by reducing this to one box -- either by doing packet forwarding in the server or by doing network services in the router. Cisco want that one branch office box to be their box, not some server company's box containing an optical gigabit ethernet card or an ethernet link to an ADSL modem. Cisco aren't planning for this product to compete with data center servers. PS: Having explained Cisco's strategy, I don't think it will work. I think we'll see the next generation of home routers/NAS grow to be used as branch office router/servers. The biggest problem with Cisco's approach is that it doesn't integrate storage, not even an eSATA port.
Cisco Set to Dominate Linux Market? (InternetNews) Posted Apr 12, 2008 17:32 UTC (Sat) by Requiem (guest, #51519) [Link] I doubt home routers will be used much, since the reliability is crappy. Cisco and the other business vendors make stuff in the same class for a lot more if you need a router that stays working.
Take a look at the specs Posted Apr 15, 2008 23:23 UTC (Tue) by shemminger (subscriber, #5739) [Link] So Cisco discovers how to sell overpriced blades into their routers and the world thinks this is progress? They sell you a closed solution and you have to pay extra for the privilege of running on their hardware, almost sounds like an iScone. See "Dumb and Dumber": http://www.vyatta.org/node/1713
Copyright © 2008, Eklektix, Inc.