Date: Mon, 27 Sep 1999 18:13:10 -0700
From: Andre Gironda <andre@sun4c.net>
To: "Scott I. Remick" <scott@computeralt.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Help me win the MS-Proxy/ipfw war
Message-ID: <19990927181310.G24486@toaster.sun4c.net>
In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>; from Scott I. Remick on Mon, Sep 27, 1999 at 08:05:24PM -0400
References: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>

On Mon, Sep 27, 1999 at 08:05:24PM -0400, Scott I. Remick wrote:
> Any advice to a small-time network admin for a small (32 employees) company
> that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a
> firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for
> FreeBSD/ipfw instead. We already have a FreeBSD server managing various
> tasks (and has done them VERY well, and doesn't crash), so this isn't
> totally new (ipfw is but I've got books on order and will be reading up).

NT cannot be used in an Internet environment (or as a bastion host) because
of the serious security implications. Netbios, IIS, and WINS are very
insecure and instable applications/protocols. The only way I have heard of
putting an NT box on the Internet precludes the use of a Cisco PIX or
equivalent firewall to handle the stateful inspection of _every_ packet, as
well as re-sequencing of tcp_iss port numbers, and SYN flood and smurf
protection.

So, tell them that they can use MS-Proxy as long as you buy a $14k PIX and
block all incoming connections (especially to Netbios and IIS). Present
that as Option 1.

Option 2 could be FreeBSD with ipfw. You can put other options in there as
well. Present it as a paper for immediate review.

If they don't understand, then your paper will clearly state and document
that fact -- so when you do get attacked (and believe me, you will get
attacked), you have some sort of paper trail and migration plan.

dre