Date: Tue, 23 Oct 2001 09:39:26 +0200
From: "Patrick O'Reilly" <patrick@mip.co.za>
To: "Julian Morgan" <jmorganmcse@hotmail.com>, <freebsd-questions@FreeBSD.ORG>
Subject: RE: REQUEST FOR COMMENT
Message-ID: <NDBBIMKICMDGDMNOOCAIIEOGDLAA.patrick@mip.co.za>
In-Reply-To: <F69p8eurQQtHT1DdQcp000011ad@hotmail.com>
Julian,

I guess your thoughts are similar to mine...

My only comment is that some salesman selling a hardware firewall has obviously done a good job of selling to the powers that be in your company!

Here are some questions to throw into the next discussion on the subject:

1) Who "certified" the hardware firewall? The manufacturer?
2) How do you know that the provider will REALLY upgrade and patch that firewall regularly?
3) Who will configure the firewall's ruleset - someone who actually personally cares about the security of your business? More likely it will be a 19-year old techie who just got some "certificate of competence" in corporate network security.
4) How responsive will the supplier be if/when you want to make changes to the firewall's config or ruleset?
5) How MUCH will it all COST?

And, as for security holes on 'open source', the FreeBSD project responds to and fixes security problems far faster than any hardware vendor I've met. OK, you must do the download yourself. That might take all of 10 minutes, or else use cvsup and follow -stable.

And, what's more, the security issues are usually, probably 98% of the time, NOT in the firewall, but in the software running on other servers behind the firewall. I can't remember when last there was a security problem with ipf OR ipfw.

On our VPN we are switching from sites using Cisco 1600 series routers with FreeBSD firewalls behind them, to using the FreeBSD firewall with an on-board Serial card connected to the line from the ISP. I can build a PC with dual-port serial card and 2 Ethernet NICs (for LAN and DMZ), with FreeBSD doing firewalling, NAT, traffic shaping (and potentially even running a transparent proxy cache using Squid or similar) for less than the cost of a single Cisco 1600 router.

Go figure!

Patrick.
-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Julian Morgan
Sent: 23 October 2001 08:49
To: freebsd-questions@FreeBSD.ORG
Subject: REQUEST FOR COMMENT

people - I am very disappointed here and wanted your opinions.. I have helped set up a 7 site VPN between 2 states in Australia. 4 sites in Melbourne and 3 in Sydney.. The firewalls are running FreeBSD 4.3 and communicate with Cisco 827 routers on ADSL 2meg/386K...

After setting all this up and starting afresh in learning FreeBSD over the past 8 months while the system has been running, we have had some crew question the overall effectiveness of security and other issues.. As a result they believe that it is better to get some certified hardware firewall that provider upgrades patches, instead of having a Unix product which is open source and requires patches all the time, updates on top of the usual monitoring, and dedicate a person to basically be on top of all seven sites all the time....

So besides the ISP sucking a little - it means we are going to have to upgrade the whole VPN system - and tear out the BSD boxes and get some hardware firewall!!!!!!!! hmm yet to see the doco on this equipment...
just wondered what your thoughts were

Regards
Julian
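The single-box design Patrick describes (one FreeBSD machine doing firewalling, NAT and traffic shaping, with a serial WAN link plus separate LAN and DMZ NICs) can be expressed as a short ipfw ruleset. The script below is an added illustration written for this archive page; it is not code from either poster or from the FreeBSD project's own rc.firewall. The interface names (sr0, fxp0, fxp1), the private address ranges, the DMZ web host and the 386 Kbit/s upstream cap are assumptions chosen for the example, and the rule syntax follows the classic ipfw/dummynet/natd usage of the FreeBSD 4.x era that the thread is about. The ruleset is written as a shell function so the commands can be previewed with FWCMD=echo before being loaded for real.

```shell
#!/bin/sh
# Added example (not from the mailing-list posts): ipfw ruleset for a
# FreeBSD box with a serial WAN link, a LAN NIC and a DMZ NIC, doing
# packet filtering, NAT (via natd) and dummynet traffic shaping.
# All interface names, addresses and the bandwidth figure are assumptions.

WAN="sr0"                               # assumed: sync serial card to the ISP
LAN="fxp0";  LAN_NET="192.168.1.0/24"   # assumed private LAN
DMZ="fxp1";  DMZ_NET="192.168.2.0/24"   # assumed DMZ segment
DMZ_WEB="192.168.2.10"                  # assumed public-facing web host in the DMZ
UPSTREAM="386Kbit/s"                    # assumed upstream rate of the link

apply_rules() {
    # FWCMD / SYSCTLCMD default to the real tools; set them to "echo" to preview.
    fw="${FWCMD:-/sbin/ipfw}"
    sysctl="${SYSCTLCMD:-/sbin/sysctl}"

    # Let packets continue through the ruleset after a dummynet pipe, so the
    # shaping rule does not implicitly accept everything it matches.
    "$sysctl" -w net.inet.ip.fw.one_pass=0

    "$fw" -f flush
    "$fw" pipe flush

    # Loopback, and anti-spoofing: our own private ranges must never arrive on the WAN.
    "$fw" add 100 allow ip from any to any via lo0
    "$fw" add 200 deny ip from any to 127.0.0.0/8
    "$fw" add 300 deny ip from $LAN_NET to any in via $WAN
    "$fw" add 310 deny ip from $DMZ_NET to any in via $WAN

    # NAT: hand every WAN packet to natd (the 'natd' divert port is defined in
    # /etc/services). natd itself is started separately, e.g.
    #   natd -n $WAN -redirect_port tcp $DMZ_WEB:80 80
    # so inbound HTTP is translated to the DMZ host before filtering.
    "$fw" add 400 divert natd ip from any to any via $WAN

    # Traffic shaping: cap outbound WAN traffic to the link's upstream rate.
    "$fw" pipe 1 config bw $UPSTREAM
    "$fw" add 500 pipe 1 ip from any to any out via $WAN

    # Stateful filtering: admit replies to connections we already allowed.
    "$fw" add 600 check-state

    # The DMZ must never initiate traffic into the LAN.
    "$fw" add 610 deny ip from $DMZ_NET to $LAN_NET

    # Outbound from LAN and DMZ: TCP anywhere, UDP to DNS only.
    "$fw" add 700 allow tcp from $LAN_NET to any out via $WAN setup keep-state
    "$fw" add 710 allow udp from $LAN_NET to any 53 out via $WAN keep-state
    "$fw" add 720 allow tcp from $DMZ_NET to any out via $WAN setup keep-state
    "$fw" add 730 allow udp from $DMZ_NET to any 53 out via $WAN keep-state

    # LAN may reach the DMZ; the reverse is covered by the deny at 610.
    "$fw" add 800 allow tcp from $LAN_NET to $DMZ_NET setup keep-state

    # Inbound from the Internet: only HTTP to the (NAT-translated) DMZ web host.
    "$fw" add 900 allow tcp from any to $DMZ_WEB 80 in via $WAN setup keep-state

    # Default deny, logged, so blocked traffic shows up in the system log.
    "$fw" add 65000 deny log ip from any to any
}

# Usage: sh ipfw-box.sh apply        (loads the rules with /sbin/ipfw)
#        FWCMD=echo SYSCTLCMD=echo sh ipfw-box.sh apply   (prints them instead)
case "${1:-}" in
    apply) apply_rules ;;
esac
```

The ordering is the part worth studying: NAT happens before filtering so the inbound rule at 900 can name the real DMZ address, the pipe rule sits before the allow rules and relies on one_pass=0 to avoid becoming an accept-all, and the DMZ-to-LAN deny precedes every allow so that a compromised DMZ host cannot open connections inward. The final logged deny is what gives you the audit trail Patrick's question 3 is really about: you can read exactly what the box dropped.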