Date: Sun, 4 Mar 2001 23:10:15 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Roelof Osinga" <roelof@eboa.com>
Cc: <bcohen@bpecreative.com>, "freebsd-questions" <freebsd-questions@FreeBSD.ORG>
Subject: RE: FreeBSD Firewall vs. Black Ice
Message-ID: <007001c0a543$53d90fa0$1401a8c0@tedm.placo.com>
In-Reply-To: <3AA2E0EE.93D28EDC@eboa.com>
>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Roelof Osinga

>In other words, what you're saying is that it indeed comes down to a
>cost-benefit analysis. Sure, the cheapest is incomparable qua functionality
>to the more expensive. But that's the choice one made.
>

Right, but you were talking about cost-benefit as though having a cracked
site is a cost that has to be considered. What I'm trying to point out is
that there's no excuse for having a cracked site - ie: the cost of a
cracked site is a bogus cost because el-cheapo firewalling that isn't
half-bad is available to anyone, no matter how little they know about
firewalling.

Everything is a cost-benefit analysis, if you're wanting to compare
firewall-to-firewall solutions. I wasn't. While others here saw the
original question as "Can I use FreeBSD to do what I want" I was actually
answering the REAL question that the person was asking: namely "I need a
cheap and easy-to-use Firewall that I don't have to know diddly about nor
spend time configuring and can I use FreeBSD for this?" and the answer to
that question, of course, is NO because as you point out, FreeBSD is not
the lowest-end firewall solution out there.

>There's the cost aspect again <g>. Sure, the specific device you mentioned
>doesn't allow one to run apache on it. A FreeBSD host running natd
>does, though.

The questioner didn't want to do that - all he wanted was a cheap and
easy-to-use firewall that worked better than Black Ice.

>
>Currently I got a client who's adamant in its use of NT. It doesn't
>matter what I say or show. NT it is.
>
>The thing is, that whilst you know that's asking for trouble and I know
>that's asking for trouble; that's what the client is asking for!
>

There's a time when you have to give the customer trouble if that is what
they are asking for.
If they truly want NT then provide it to the best that it can be done and
then when it falls apart, you can tell them "OK, now that we have gone
down that road and you have satisfied yourself that it's worthless, let me
do it the right way for you now"

>My tack here is to throw it on the licencing cost. Hooking up a SQL Server
>to the 'Net is fine. Deciding - before my time ;) - on SBS 4.5 to lower
>licencing cost is fine. But do know that in order to allow the whole 'Net
>access to your database you *will* need a different licence!
>
>At least, if M$ hasn't changed its licencing once again.
>

Think again. SBS is licensed on the SMB connections, not the network
connections, there's a difference. You can have up to 50 FILE_BASED SMB
connections to stay within the license. However, HTTP or FTP or LPR or
whatever network connections are unlimited and are not covered by the
license. In short they don't need a more expensive license.

>Once that sinks in... I'm betting they'll be more likely to see things
>from my perspective. If not... well, black ice (or whatever) it is. I
>did just now write a lengthy advisement on bastion hosts, amongst others,
>but I can't force them to read it. So I wrote about something they wanted
>to read and slipped that one in ;).
>

I think that you should use a different tack. The problem with SBS is
simple - it's a giant integrated system, and if they make ONE mistake
while administering it, they trash the server. Do you know what happens to
a SBS server if you don't use the web-based GUI tools to administer it and
instead use the regular NT administration tools to administer it? I'll
tell you, it completely fucks it up, that's what it does.

Most people that think they have to have NT want it because they think it
will be easier for THEM to administer, if they can just get someone a tad
more competent than themselves to set it up for them.
But, I can assure you, SBS is far more complicated to administer than a
regular NT server plus IIS and Exchange and SQL. I've seen SBS servers go
into environments like that, with people that have itchy fingers, and
within a year they are so fucked up that the only way to fix them is to
write down on a piece of paper all the usernames and passwords, copy off
the share data (Word, Excel, etc files) and completely reformat the hard
disk and reinstall SBS from scratch, then spend days reentering all the
data.

Not only that but a SBS server isn't content to trash itself - all the
Windows clients in the network have to have the SBS client loaded on them,
which is impossible to unload cleanly and once it touches the client, the
client won't work on anything other than a SBS server again.

It's a perpetual money-making system for companies or individuals that are
in business to install SBS, they are guaranteed at least one 40-hour
server reinstallation a year, and at $100-per-hour (which is the going
rate for MCSE's) that's a nice $4K. Line up about 20 companies like that
which are convinced that they need to have NT, and if you schedule them
right you have a nice salary for only about a half-a-year's work as long
as you care to work on SBS. (or until those companies figure out that
Microsoft has this cosy little system set up and dump NT)

>Aaahhh, the things we gotta do <g>.
>

Aaahhh, the stupidity and gullibility of the Microsoft-blinded.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message