Checkpoint Porting Firewall-1 to Linux
booboo writes "Stuck with a firewall on NT? InformationWeek has the news that Checkpoint has announced plans to port their Firewall-1 and VPN-1 code to Linux (2.2 kernel)"
Me neither ... and actually I hardly ever administrate my servers from the console ... so I guess it will be possible to administrate remotely ...
True, ipchains doesn't do those things you describe. It's not supposed to; but some of them are done by advanced routing. Advanced routing gives you a way to manage more than one routing table with different rules, and translation of netblocks is supported. I doubt that checkpoint can do more in the IP forwarding arena than ipchains + advanced routing.
;) If you want to filter what external URLs your users access, the place for that is the proxy server, not IP routing.
"Antivirus" at the firewall level is ridiculous to me. Good operating systems don't suffer from viruses anyway.
That leaves VPNs: bit out of my area. But aren't there IPsec solutions for Linux? Someone also wrote open source PPTP client and server software, so you can support the native Windows VPN mechanism.
It's not something I'd looked at yet, but I'd sort of assumed that there was some sort of VPN available for Linux. If there isn't, I would have expected this lack to form a major chunk of MS's Linux Myths. Did I miss it? Or is there a VPN available independent of ipchains?
Just wondering.
It almost embarrasses me to say it, but I suggested Linux to Checkpoint something like 3+ years ago, at an Interop show in Las Vegas. They could have provided a CD and a boot floppy, that would have put up a pre-configured minimal Linux system with all the loopholes closed. Boot from the floppy and install, and *poof* instant firewall.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Are there any sites or docs on what I can use to do this with?
"Klaatu, verada, necktie!" -Ash
Reminds me of a story. Ok first of all I'm all for 'big name' commercial products to be ported to Linux. There's plenty of reasons. And if they're not free ... well nobody forces you to use them. ... ... I was to install a mail server there for a specific purpose ... So I ask the guy in charge of the firewall to open SMTP for me ... Aaaah ... It takes him hours to figure how to do it ... yeah, complicated manoeuvre indeed. I look over his shoulder, and there's like, a hundred useless rules in his setting. He couldn't even know what they were for. ... for 'SECURITY REASONS'!!!!!!!! AHAHHHHAHAHHAHA.
Anyway, I did some consulting for one big American media company who relies heavily on networking for its business. Like, the reliability of their network is a matter of life and death to them. More exactly, 1 hour without network could mean, what, a direct loss of $1 million, not counting the indirect loss from disgruntled customers etc.
Aaaanyway
So what, he opens port 25. Great. He learnt something that day, port 25=SMTP. I set up my thingie, and shit, it does not work!
What the fuck is wrong. After 30 min of struggling, I start to realize that the DNS server is not working. I inform the guy. "Oh but you never told me you needed the DNS!" AAAAAAAHHHHHHHH. So he turns on the DNS. I go back to the server. Still does not work! This time, I can't get incoming connections! Back to the guy. "Oh yeah I thought you just needed DNS." WTF???? Ok back to the machine. I CAN'T GO OUTSIDE!!!! I CAN'T OPEN OUTGOING SMTP SESSIONS!!!! AAAAHH!!!
The guy had forbidden outgoing SMTP connections
I try to not LART him. The scariest part, of course, was the fact that despite his misplaced paranoia, there were probably dozens of REAL security threats wide open in his configuration.
Bottom line: a GUI will not make a network administrator. And if a sysadmin is expensive, that's because there's a reason for it!
You wouldn't be running checkpoint at home. a) it'll probably be priced well out of a home user's range. b) it is overkill. Checkpoint is a business firewall for people who need a "real" firewall and not a simple packet filter. You certainly aren't going to throw checkpoint on whatever old POS linux box you have lying around. You start fresh with a new OS installation, harden it, install checkpoint, etc. Anything else could be compromised or bug ridden.
The difference being Checkpoint Firewall-1 is the #1 commercial firewall in use today. That is a big step for Linux. Now if only FW-1 didn't suck. ;-)
I'm not a Firewall-1 expert but it does have stateful inspection - as with ipmasq modules for Linux that support ftp, realaudio, etc, stateful inspection looks at each flow to extract port numbers etc, then opens up appropriate ports for the corresponding data flows.
Stateful inspection can be defined for new protocols by writing a relatively simple script - quite a bit easier than writing an ipmasq module.
Firewall-1 also has quite sophisticated NAT facilities that can do static NAT, not just dynamic NAT. Last time I looked at Linux NAT there seemed to be quite a few packages for it, none of which seemed to be 'the one'.
Firewall-1 is also quite well packaged, with a decent GUI for viewing and modifying rules. Although it's a pretty complex product, it is well integrated and tested as a whole.
There are quite a few companies out there who prefer Solaris to NT for Firewall-1, and will no doubt jump at the chance to use Linux. Security gurus would probably be even happier if it used OpenBSD, but that doesn't have the same market share as Linux.
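A toy model of the flow tracking the post above describes, added here as an illustration and not code from Check Point or the Linux ipmasq modules: a state table keyed on the connection's addresses and ports, plus parsing of the FTP PORT command so that the expected data connection gets a one-shot pinhole instead of a permanently open port. The Packet class, the address prefix and all addresses and ports are constructed for the example.

```python
"""Toy stateful inspector: flow tracking plus FTP data-channel pinholes.

Added example, not code from Check Point or the Linux kernel. Addresses and
the Packet structure are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Active-mode FTP: the client announces where the server should connect,
# as "PORT h1,h2,h3,h4,p1,p2" (port = p1*256 + p2).
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
FTP_CONTROL, FTP_DATA = 21, 20


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # first packet of a new TCP connection
    payload: bytes = b""


class StatefulInspector:
    """Accepts outbound connections from the inside network to permitted ports,
    traffic on flows already accepted, and FTP data connections that a tracked
    control session announced. Everything else is dropped."""

    def __init__(self, inside_prefix, allowed_ports):
        self.inside_prefix = inside_prefix      # constructed, e.g. "10.0.0."
        self.allowed_ports = set(allowed_ports)
        self.flows = set()                      # (src, sport, dst, dport) of accepted connections
        self.pinholes = set()                   # (server_ip, client_ip, client_port) awaiting a data SYN

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            self._inspect_control(pkt)          # look inside known flows for PORT commands
            return "ACCEPT"
        if not pkt.syn:
            return "DROP"                       # no state and not a connection attempt
        if self._inside(pkt.src) and not self._inside(pkt.dst) and pkt.dport in self.allowed_ports:
            self.flows.add(fwd)
            return "ACCEPT"
        # Inbound data connection: only if a control session announced it, and only once.
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.sport == FTP_DATA and key in self.pinholes:
            self.pinholes.discard(key)
            self.flows.add(fwd)
            return "ACCEPT"
        return "DROP"

    def _inspect_control(self, pkt):
        if pkt.dport != FTP_CONTROL:
            return
        m = PORT_RE.search(pkt.payload)
        if not m:
            return
        fields = [g.decode() for g in m.groups()]
        ip = ".".join(fields[:4])
        port = int(fields[4]) * 256 + int(fields[5])
        # Only honour announcements for the client's own address; an announcement
        # pointing elsewhere would open a hole for a third party.
        if ip == pkt.src:
            self.pinholes.add((pkt.dst, ip, port))


def ftp_session_demo():
    """Walks an active-mode FTP session through the inspector; returns the verdicts."""
    fw = StatefulInspector("10.0.0.", allowed_ports={21, 25, 80})
    client, server = "10.0.0.5", "198.51.100.7"   # constructed addresses
    steps = [
        Packet(client, 40001, server, 21, syn=True),                  # new outbound control session
        Packet(server, 21, client, 40001),                            # server reply on the known flow
        Packet(server, 20, client, 40002, syn=True),                  # data SYN before any PORT: no pinhole
        Packet(client, 40001, server, 21, payload=b"PORT 10,0,0,5,156,66\r\n"),  # 156*256+66 = 40002
        Packet(server, 20, client, 40002, syn=True),                  # the announced data connection
        Packet(server, 20, client, 40003, syn=True),                  # wrong port: still dropped
        Packet("203.0.113.9", 5555, client, 25, syn=True),            # unsolicited inbound SMTP
    ]
    return [fw.decide(p) for p in steps]


if __name__ == "__main__":
    for verdict in ftp_session_demo():
        print(verdict)
```

A stateless filter would have to leave inbound port 20 open to every client port to let active FTP work at all; the pinhole exists only between the PORT command and the matching SYN.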
I agree that a SecuRemote client would be my first choice over the FW/VPN but hey, at least they didn't say "No". Best I can hope for I suppose. Thanks for the info.
"Klaatu, verada, necktie!" -Ash
It's nice seeing software ported to Linux as it's a good *nix, but Checkpoint are just following the dollars, if they were serious about building a secure product they would've used OpenBSD as base.
So does this mean they are going to release the SecuRemote VPN client for Linux as well?
I bet we'll see many more companies coming out to support Linux and other OS's because of the ruling against M$. I'm looking forward to seeing what happens during the next few months. Exciting times for Linux!
when ipchains in the kernel can do it all and more?
The fact that they're porting this to Linux is known to me (and if someone noticed in the Linux kernel mailing list) for quite some time.
I wonder WHEN they will put a public beta at their web site?
Does Linux really need this product?
Hetz (Heunique)
but what does this provide that ipchains, ipsec, vpnd, ssh, etc... not provide? Don't get me wrong, I LOVE seeing companies move towards Linux, I'm just curious why I would need a package like that.
Am I just being naive? What can a commercial firewall do that Linux can't when using the built-in kernel features etc...
the 2.2.12 kernel. (Just to be a nitpick.) Anyway, this looks promising, with the slight exception of those users using older versions of Linux.
The big thing in my case being, I've got a Debian box that I haven't updated in forever, cause I haven't needed to. (Mama taught me that if it's not broken...)
So, how is this going to affect me? Probably not at all, as I won't be purchasing this router at home. At work, we keep a lot more current (for obvious reasons) than I feel I have to for my little proxy setup.
Maybe it's just me, but it seems like it would have been smarter to port the hardware to older kernel versions, as your newer kernels are going to be more backwards compatible than the old ones can be forward.
Oh well, notch one for good intention I guess...
Don't know what I was thinking, but if you would do me the favor, ignore all references to hardware in my post... If it makes you feel better, you can even replace it with software... whatever makes ya happy. thank you.
...but what does this provide that ipchains, ipsec, vpnd, ssh, etc... not provide?
Probably a nice GUI, advanced auditing, and an integrated easy to use solution with good support.
Checkpoint is (IMHO) THE leader in firewall security, so it is very likely they have a few tricks up their sleeves that we do not (for now.)
JERUSALEM CITY, ISRAEL - November 1, 1999 - The Mossad.
The Mossad has announced today a surprising turn in the world of espionage: The Mossad has announced it will release the sources of the Mossad backdoor to Checkpoint's Firewall-1 and VPN-1 product together with other (yet unnamed) backdoors in other Israeli developed products under the GPL. The surprising move seems to be related to CultOfTheDeadCow releasing the source of its BackOrifice remote management program under the GPL some time ago and to the recent initiative of the CIA to open a CIA sponsored start up for developing high tech espionage products.
The Mossad spokesperson, Zach Lohem-zedek, commented that the major reasons behind this announcement were the dwindling budget of the Mossad in the current age of peace and the success the Mossad has had in the past in utilizing Open Source tools such as Linux for its day-to-day work.
About the Mossad
The Mossad is the Israeli counter intelligence agency (similar to the CIA in the US). It was funded in *T&^!@ by *^&&*! and 28&*Y(@!93^(. To contact the Mossad please pick up your phone and say, in a slow and calm voice: "Roger this is karma. The bat has swallowed the can, over" and hang up. You will be contacted shortly.
(C) 1999 Mossad, Israel.
Gilad.
This firewall is an overpriced piece of crap. We ran the NT version in the office for several months and it crashed several times, ran slow, and slowed down our internet connection. Eventually we just got rid of it and are now using a simple packet filter on a router instead.
I know of the Domino port, The X client version of Notes is news to me! Do you have more info on this? Gracia, Code Warrior
How does FW-1 and VPN-1 confine you to NT? Our office has been running FW-1 on a SparcStation 5 for quite some time...
> I'm not sure that you can distribute kernel modules without some kind of GPL
As an exception Linus made, you may distribute binary-only modules, and the kernel must not be modified in any way. But then the maintenance is completely up to you. This is how it has been done for the SBLive drivers, until Creative released the sources.
Please note that module binaries are strongly kernel-version dependent, so if you provide a binary-only module, you'd have to provide it for more than one version of the kernel. This usually is bad (because you are stuck with a few supported kernel versions), but IMHO it's not so bad in this case (a firewall machine is a firewall and nothing else, usually).
My 0.02 Euro.
I cannot see the point in using closed source code on anything as fundamental as a firewall. Most closed source products I have seen have some form of back-door built into them for the manufacturer's own use, but this mechanism does often fall into the wrong hands, and I have seen disastrous results as a consequence.
The last commercial firewall I saw was Borderware. It was utterly appalling. The hardware choice was very limited - only certain SCSI cards were supported, and network cards had to be set to specific I/O addresses and IRQs. Finding a platform it would run on was difficult, sometimes impossible. It could only be configured by a very slow Java interface, which due to differences in Java meant that the only supported client interface was a particular release of Netscape Navigator.
Finally, and most insulting, a customer of mine had a serious security breach, allowing remote users to use the firewall as a mail relay. Borderware were aware of the fault, and stated that a fix would be available in the next release, due out in 6 months time. Unbelievable!
I will never run a commercial firewall - they are mainly installed by the ignorant.
There is a lot of good commercial stuff out there, but when I have the choice/need I either use a Sidewinder or custom OpenBSD box. Firewall-1 is highly commercialized and is what us real Unix admins use in the real world (compared to the ipchains BS that you linux kiddies use.) FWIW, Firewall-1 has been ported to FreeBSD for over a year, thanks to the IP-400 at Nokia. From what I remember, they were running Firewall-1 on top of FreeBSD 3.2.xyz or something.
15% annually to get every stinking upgrade that comes down the pike is cheap, IMHO.
The unsig!
Earlier last week I received an email from our R&D group stating some performance numbers and a bit of comparison to NT. Not surprisingly an untuned Linux box outperformed an NT box by 30% in some tests. Linux stomped all over NT in the entire matchup. In response to an earlier comment here, I suspect the GUI will be ported to Linux. I'm not a GUI programmer but we already have a Solaris Motif GUI now, I guess it would just be a library or two to make it work. Anyhow FW-1 is a great product, I'm not just saying that because I work there. It brings to Linux a real foothold in the gateway/VPN arena, and with Linux's cheapness I think we will kick some ass next year. Hell we already have over 65% of the market, beating out the likes of Cisco and all others. I will keep /.'ers up on the situation as it unfolds =p
whatever man, u just don't know how to RTFM. Stating the FW-1 is an overrated product just goes to show your ignorance of the topic. I've messed with Gauntlet, Raptor and PIX and NONE are as easy to setup and robust as FW-1. It's the only product out there that actually defines FW-1 (thanks to stateful inspection).
I've used the PIX - while FW-1 has more features, 9 out of 10 times the PIX is adequate and likely to cause less trouble than FW-1. FW-1 is too complex - they make you buy that management console just to install the rule base. I'd rather do it from the command line. Of course, you can do it from the command line - it's just poorly documented and not recommended. Firewalls should be like most routers - embedded systems, no hard drives, etc. Network equipment shouldn't have full OSes. Less to worry about.
Remember, X is a network protocol. Just because you're not running an X server on the server doesn't mean you can't run
export DISPLAY=somewhere.else:0
XAdminGUI
on the server.
Yes, but then you just have to develop in a country without silly software patents - eg. Europe.
Microsoft's NSA_KEY
'nuff said...
an unofficial linux port has existed inside Checkpoint for at least a year and a half.
Pretty interesting. Could you give a hint where to look?
My company would be very interested in a device like this.
For those of us who have to manage Checkpoint Firewalls (on Solaris) this is great news, if only because we could now use a CP GUI manager in Linux!
That's one more Windows app I can throw in the garbage.
You got it. That's why the DOJ uses OpenBSD.
A Line-by-line security audit makes a big difference.
Do you think MS will do a Line-by-line security audit to Win2K? Ya right!
You wouldn't put a top of the line Medeco on a balsa-wood door would you?
What people are missing..."we already have ipchains, etc"...is this is another commercially supported product, sure IT people will say "we can support that" but the CFO is going to say "who's gonna offer you support?"
(Just being silly.)
---
"'Is not a quine' is not a quine" is a quine.
I didn't say anything about software maint. But since you brought it up, I think it's ok. What bothers me about it is when they want you to pay for maintenance to get stuff like security patches and bug fixes. Maintenance for version upgrades(new/refined features) is good though.
Firewall-1 has "quirks" on every platform. That's why it SUCKS.
Alas, it's exactly that kind of sucker attitude among customers that has brought us to where we are today in the software world.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
They do. -- search for network appliance on their site. Actually it is FreeBSD though.
I have configured both too and I prefer FW-1, probably because I like a good GUI interface and FW-1 has one, PIX is command line, and they are different from standard IOS as well. The PIX is not *that* different in terms of points of failure either. It still has an OS and has a motherboard, CPU inside too. It even has a floppy drive! Don't let the monitor-less look fool you...
That's what ipchains is missing. Checkpoint is one of the few (only?) FW companies that understands what it is to have to manage 100+ firewalls, and their concept of a "management console" is outstanding. I won't lie and say there are no bugs in it, but hands down, nobody else comes close.
Now that they're porting it to Linux, looks like I'll be throwing ipchains out the window for home use and in some small installations. We primarily run it on Solaris, but Linux will have its place as well, I believe.
"You can never have too many elephants on your team."
See subject.
SecuRemote for linux is planned, but don't hold your breath. (I am the guy who ports FW-1 to Linux) The kernel module is essentially the same, the trouble is porting Windows-specific code of SecuRemote to Linux. Not very hard, compared to the whole port of FW-1, but very time-consuming. I am not even sure I will build a GUI for it, maybe just will go with the command line.
BS. The PIX is at least 4x as expensive and is only a packet filter with some trivial authentication applications. Also, you can absolutely install the rule base with FW-1 via command line..just RTFM
Those comments get real old. The only people that speak this way still believe a Firewall is the same as a packet filter.
What features does BSDi have that is lacking in Open/Free/NetBSD? I would have thought basing a firewall on OpenBSD would be a no brainer.
--
"L'IT c'est moi!"
Did it ever occur to them that OpenBSD might be a better solution?
OpenBSD is already the de facto standard free unix to use as a firewall, and checkpoint could package an entire OpenBSD/FW-1 system together and sell it as a single, ready-to-go-out-of-the-box product.
You are missing the point. Nobody is saying that you have to ditch your ipchains configuration. What this is saying is that COMPANIES that have ponied up the big dollars to run checkpoint on their NT systems (because a SUN/AIX box would be way too expensive) have an alternative that they can run that allows them to make a decision in what OS they run it on with Intel x386 architecture. This is a huge deal for people that have to support FW on NT. It is slow and unless you know your NT very well, it is hard to secure NT. I am happy to hear that you are an "OPEN SOURCE" proponent, and that is fantastic. However, realize the context with which this was intended for. I *hardly* think that you will be purchasing a checkpoint license for home anytime soon. *** Context is everything ***
you suck, and the GUI in Solaris will let you do it. You just have to know how, it's all about workstation objects and manual address x-lation rules
I also work with Checkpoint on Sun, and I'd rather see the Checkpoint GUI ported to Linux, but using the existing kernel firewall code. For high volume commercial applications, it's starting to look like dedicated PIX hardware is the answer only because Checkpoint has a 50,000 connection limit.
Do we know what the connection limit in Linux's native firewall is?
void this_is_a_stack_issue(){this_is_a_stack_issue();}
I purchased Checkpoint FW-1 as what I thought would be a quick, cheap and easy (according to the docs) firewall to set up for my site at work. I tried to install it on an NT box but that install failed every time and tech support is not available unless you purchase it (remember I was trying to do this cheaply and so Checkpoint said sorry, no help). I thought tech support should at least be available if it wouldn't install (new NT installation, new partition, etc.). I finally gave up on the NT version and installed it for Solaris x86. That went much smoother and everything was flying along till...
I purchased the 25 user license version as I only needed to protect a few machines connected to the internet, but the problem is that I have a complete subnet with IPs ranging from 0-255 (although less than 25 total). Checkpoint FW-1 said I had too many machines and therefore wouldn't run. I thought it was pretty stupid that it only checked for the highest and the lowest IP and took the difference as the total number of IPs being protected rather than keeping track of the actual IPs that tried to get routed.
Checkpoint came out with a new revision (bug fixes) just after I purchased it and they told me I would have to purchase the bug fixes as I didn't buy tech support. I finally got through to some manager level person who told me that I was exactly right and I shouldn't have to pay for bug fixes and that I would be sent the update and that someone from tech support would be contacting me and would talk me through any problems I had. I never got the update but the tech support guy did call and was very helpful. He said I could fix my problem by changing all my IPs to be sequential and that it would "probably" work.
The Linux motto is something like "do it yourself" if I remember right. At this point I repartitioned the disk, put in my favorite Linux distro, read the ipchains and firewalling HOWTOs and within a few hours had my firewall working like a champ. I can't say that Checkpoint FW-1 is a bad product overall; it is probably very good for large sites as the firewalls can work together for multiple gateways and all the VPN stuff, but when it came down to making it happen for me, Linux was the right answer. My moral for this story would have to be "never trust the easy way."
Also this was the first Linux box I was able to sneak into work; others are slowly making it in now and replacing a few of our older Sun workstations. The boss loves Linux now.
So to get back on topic, Checkpoint FW-1 for Linux could be a very good thing for a lot of companies who need some of its features, but Linux with ipchains will probably work for more than 98% of the sites out there, IMHO.
My big question is this:
I'm pretty sure they're gonna have the firewall be a kernel module. What kind of license can they apply to it? I'm not sure that you can distribute kernel modules without some kind of GPL.
-earl
Well I give them a high five, way to go!
I hadn't even thought of a GUI. I don't put X on my servers, just workstations, so everything server related in my brain is text. I can see where a GUI would help some people. Guess I was just flying on autopilot :)
We currently use Firewall-1 and VPN at work and if I want to connect to our system via my @Home connection, I have to use Windoze. So the big question is, will I be able to connect to our system from Linux? It'll make my Winframe connection to our system complete! :)
"Klaatu, verada, necktie!" -Ash
Progressive systems makes a firewall/VPN, that is ICSA certified.
http://www.progressive-systems.com/products/
One word: VPN (And maybe all other IP tools, but VPN is the thing there..)
Nope. And they aren't dropping NT either. In one Asian country, NT clients comprised about 50% of all registered FW-1 users. Solaris is about 45%. My insider friend told me this news about 3 weeks ago. The product will be released 1st quarter of next year.
why the heck i need some lame commercial firewall? as if linux was hackable (yeah right)
even so, i have better OPEN SOURCE tools like ipchains etc.
so gauntlet you take product and shove up your ass! we only need OPEN SOURCE, no proprietary garbage...
You can install it... But try and edit one from the command line without going nuts. Go ahead, just try.
I'm a frustrated Firewall-1 admin who looks after Firewall-1 running on a Solaris box at work. If the Linux port fixes two quirks that I'm forced to endure under Solaris then I, for one, will be a real fan.
.. aarghh!
Quick one is that I'm forced to administer my Solaris firewall from a Windows box since the Solaris X windows gui doesn't allow me to network address translate a packet's source and destination IP addresses at the same time. This is a complete show-stopper and the only reason I *have* to have a PC at my desk
Quirk two is that firewall-1 works in partnership with Unix's normal IP routing mechanisms to move packets around. Solaris doesn't support full CIDR routing, and Sun seems to have no interest in changing this. And what Sun doesn't want to happen, doesn't. Of course, Linux gives you the freedom to do stuff you need - there's no gatekeeper to the source code who says "No!" - and I'd be happy to wager that it has no such shortcomings. Now, I may not get to switch to Linux where I work, but if Sun find themselves losing sales to a technically superior OS(!) who knows, maybe they'll finally get their fingers out and fix Solaris
Watch out for that penguin, Sun
Checkpoint's GUI is terrible - the win95/NT GUI client would freeze up and bomb on constantly. Another reason why it's better to manage stuff like that from the command line.
but a nice feature for knowable intruders to penetrate these firewalls without getting burned.
Sorry to say that www.diligence.co.uk is no longer online. Search the Bugtraq archives.
Personally, I would prefer to rely on a firewall which is available in source code. Why 'poison' my setup where there are such nice things as ipchains?
I believe that all the people who stated they would just stick with ipchains are 100% correct to do so because they obviously do not have an enterprise network to protect. People who run FW-1 are big businesses. Anyone that would say that ipchains would work for say an international bank has never worked with that scale of network.
As far as the why not BSD posts: CP FW-1 does run on BSD - it's called the Nokia IP440. Although they do not sell the BSD code alone, the Nokia IP440s do run BSD. I would be more willing to install CP FW-1 on LINUX than CP FW-1 on BSD.
Check Point has 90% of the market share for commercial firewall products. The reason is because of the superior product they produce. Stateful Inspection, interoperable VPN, modular design and proven track record are just a few reasons Check Point is the predominant firewall on the market.
Now as to how this affects LINUX as a whole: it is drastic. Big companies, under the advice of their knowledgeable technical staff, will start using CP FW-1 on Linux. Finally a product that puts LINUX in the spotlight where it can really shine. LINUX makes a much better server than a client any day and we should all support LINUX as a server platform because doing so will ensure the future of it.
See http://www.phoneboy.com/fw1/faq/0289.html for information on how to resolve this issue.
For quirk one, get a motif license feature, use the motif GUI and be happy.
For quirk two, upgrade to Solaris 2.6 and be happy. (Check with your reseller if you're still on FW-1 v3.0b as there are some gotchas...)
Over the last while there have been a huge number of reports of commercial software packages being released for Linux. I wonder if people are soon going to forget about all the free software that is available too.
Sooner or later someone is going to figure out a way to overlay a commercial API on top of Linux, and everyone is going to need to buy that package in order to run their favorite applications.
Maybe Microsoft will do it--they could make a commercial Win32 available for Linux and make us all pay for explorer (after grinding WINE and Netscape into the dust, of course).
Competition is great for linux. My only question is - what features are they going to have that ipchains doesn't? I mean, we already have solid firewall support under linux - they're going to have a hard time selling a commercial product over a free one to the community without some serious features backing it up.
--
This is excellent, I work with Checkpoint Firewalls, and this proves to be a very good thing for a number of reasons. Currently we have our firewalls deployed on Sun hardware (and Solaris of course). But one of the reasons I do not like our solution is that I am not as familiar with debugging the OS issues of Solaris. With a Linux port of CheckPoint, that means cheaper solutions (for those sites with minimal traffic) and still inter-operability with the current production firewalls. (For me) it would also offer more of a comfort level with the hardware/OS, in terms of tracking down problems.
A commercial entity can license and use patented technology which is not permitted in the Linux kernel or free software. There are a number of patents floating around in the firewall field.
Yes, I've read the paper by Schneier. IIRC, they claimed that the bug is in the Microsoft implementation of PPTP, not in PPTP itself. It's possible that the freeware implementations of it don't have the problem, though in what combinations with Windows clients or server I can't guess. In particular, I don't know whether the server implementation has to reproduce Microsoft's security bugs in order to be compatible with Windows clients.
Bet it will...
I was in a Checkpoint partner meeting recently and several people said that they wanted the SecuRemote client more than the FW/VPN-1 stuff. Reply was that they couldn't comment on it, but that it's a definite possibility. That mean anything to you :)
We always need "another one", because more is better
1. More competition for me (random developer of product xyz) encourages me to improve my product. That helps me, and my competitor (in the same way), and most importantly the users.
2. More competition for me encourages me to lower my price, if I want people to use my product. But wait, what if my product is free? Price is but one barrier to the potential user of a product, others are ease of use, maintenance, installation, auxiliary required resources (a computer), and the list goes on. I will be encouraged to lower those barriers, and that is good.
3. Moving NT products to Linux helps to move NT users to Linux. More Linux users is a good thing. Fewer NT users is a good thing.
4. Moving NT products to Linux raises awareness of Linux as a real viable useful good thing in managers' eyes (and others who hold those all important purse strings).
Ever heard the phrase "a rising tide lifts all boats"?
The Autonomous Cow. Moo.
Pros and cons here and everyone disagrees. It has a very well-known name as well, the GUI is awesome (no mention if this is ported, as the Solaris X86 one didn't have the GUI ported...), plus a lot of 3rd party products (OPSEC) interface with it. With something like Checkpoint/MetaInfo's Meta-IP, you can use NDS or domain logons to control access to the Internet as well.