From owner-freebsd-security Mon Sep 27 17:53:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id 91B6214E9C for ; Mon, 27 Sep 1999 17:53:37 -0700 (PDT) (envelope-from andre@toaster.sun4c.net)
Received: (from andre@localhost) by toaster.sun4c.net (8.9.3/8.9.3) id SAA25099; Mon, 27 Sep 1999 18:13:11 -0700 (PDT)
Date: Mon, 27 Sep 1999 18:13:10 -0700
From: Andre Gironda
To: "Scott I. Remick"
Cc: freebsd-security@freebsd.org
Subject: Re: Help me win the MS-Proxy/ipfw war
Message-ID: <19990927181310.G24486@toaster.sun4c.net>
References: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>; from Scott I. Remick on Mon, Sep 27, 1999 at 08:05:24PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Sep 27, 1999 at 08:05:24PM -0400, Scott I. Remick wrote:
> Any advice to a small-time network admin for a small (32 employees) company
> that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a
> firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for
> FreeBSD/ipfw instead. We already have a FreeBSD server managing various
> tasks (and has done them VERY well, and doesn't crash), so this isn't
> totally new (ipfw is but I've got books on order and will be reading up).

NT cannot be used in an Internet environment (or as a bastion host) because of the serious security implications. Netbios, IIS, and WINS are very insecure and unstable applications/protocols. The only way I have heard of putting an NT box on the Internet precludes the use of a Cisco PIX or equivalent firewall to handle the stateful inspection of _every_ packet, as well as re-sequencing of tcp_iss port numbers, and SYN flood and smurf protection.

So, tell them that they can use MS-Proxy as long as you buy a $14k PIX and block all incoming connections (especially to Netbios and IIS). Present that as Option 1. Option 2 could be FreeBSD with ipfw. You can put other options in there as well. Present it as a paper for immediate review. If they don't understand, then your paper will clearly state and document that fact -- so when you do get attacked (and believe me, you will get attacked), you have some sort of paper trail and migration plan.

dre