I have a friend of mine that wanted to do something like this because the firewall would be in a VERY dusty environment and he didn't want a lot of moving parts.
The problem he found with flash cards was that they were only made for a certain number of writes before going bad. This wouldn't work for the firewall because of all the logging that goes on.
Spot on! Flash is good for occasional updating (like for once in a while config data changes), but for constant writing it degrades quickly. [I also seem to remember reading that it also degrades over time, but don't hold me to that one.]
The way you want to go is to use the newer and quieter (and a little more expensive) fluid ball-bearing hard disk technology with a quieter system unit fan. If you can afford to sacrifice some of your CPU speed, you can even get away without fans by using some of the newer tricky heat sink technology...
And another confirmation on flash as a hard disk. I think there are solid state disks better suited for that, but still not for heavy writing. Your digital camera will do fewer writes in a lifetime than a firewall does in one hour.
But I vote for an ASL on Embedded variation. Choose Embedded and it strips all store-and-forward proxies and local logging. Logging is only done in RAM by default (not too useful) until you point it at a logging server. Proxies are all at the network level, like NAT. No Squid, SMTP, etc. that needs disk space and frequent writing.
Could be a bootable CD with configs on floppy or Flash.
I agree; something where you can choose to have it all in memory and how often to be checkpointed to disk (some shops need the constant log preservation, whereas others have a greater need for the performance offered by not continually accessing the disk). I did another post discussing how it could be done using a Linux solid state drive mechanism...
I'll have to search for that thread. I'm very interested in quieter and lighter-on-energy devices. The parts are there: Linux, firewalling, nice GUI. Just need to be able to select parts and have it fit in a smaller space. Benefits of a commodity SOHO router: low power, quiet, GUI ease. Benefits of a big distro: GPL Linux and parts, highly configurable, more secure and capable. Add the ASL value-added config and I'm very happy.
For a proper embedded system it is handy to be able to create the package on a real desktop and then dump it to CD or flash for the final install. Uses the power of a full CPU for packaging and future mods. I don't like compiling on what should only do firewalling.
I think tonight I'm going to set up a VMware ASL install just to play with the guts. At minimum I want to create and test things for the real boxes. PlusPack and compilers on the firewall aren't the safest thing IMHO.
I had posited this with Astaro as a security architecture approach; the advantage is flexibility (especially with VMware's coming ability to relocate server processes), the disadvantage is its more inefficient utilization of resources (but is this now evaporating due to hyperthreading??).
The security advantage is open to debate. At first blush, you might think that it has to be more secure since exploits that occur in separate OS spaces leave other spaces unaffected. But are there exploits lurking in the VM substrate?? Just after I had started discussing it a few months ago, a VMware file exploit was discovered!
I think we will get an idea of VMware's solidity in the months ahead, what with its greater adoption and use; field testing will be showing us. But if VMware revamps its code base for many new features and rushes that out, they will be in the security doghouse along with a few other software vendors...