Date: Tue, 28 Sep 1999 11:05:36 +1000 (EST)
From: Nicholas Brawn
To: "Scott I. Remick"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Help me win the MS-Proxy/ipfw war
In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>

On Mon, 27 Sep 1999, Scott I. Remick wrote:

> Any advice to a small-time network admin for a small (32 employees) company
> that is stuck in the MS_WAY = ONLY_WAY mindset? We are overdue for a
> firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for
> FreeBSD/ipfw instead. We already have a FreeBSD server managing various
> tasks (and has done them VERY well, and doesn't crash), so this isn't
> totally new (ipfw is but I've got books on order and will be reading up).
>

I recently migrated one network from using a permanent ppp connection with
a wintel machine running wingate to a freebsd system running a combination
of tis fwtk and ipfw. As I can assure you, the performance and reliability
of the connection, not to mention the security, is quite impressive
(comparatively speaking).

In terms of whether such a setup will suit your environment, you really
need to outline what it is your system will need to be able to do. This
will help you identify what you will need to provide that functionality.

The reality is that whatever solution you go for, will end up sitting in
the corner being maintained on a fairly infrequent basis - so long as it
does its job.

The argument that "we sell it therefore we must use it" is a valid one.
But you don't "tinker" or "practice" on a production machine running as a
gateway. If they sincerely want to get MS Proxy in use internally, then
give them a development box to play with.

My $0.02.

Cheers,
Nick

--
Email: ncb@zip.com.au (or) nicholas.brawn@hushmail.com
Key fingerprint = 71C5 2EA8 903B 0BC4 8EEE 9122 7349 EADC 49C1 424E