Date: Mon, 27 Sep 1999 19:50:05 -0700 (PDT)
From: Kris Kennaway <kris@hub.freebsd.org>
To: "Scott I. Remick" <scott@computeralt.com>
Cc: security@freebsd.org, advocacy@freebsd.org
Subject: Re: Help me win the MS-Proxy/ipfw war
Message-ID: <Pine.BSF.4.10.9909271928370.6702-100000@hub.freebsd.org>
In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>

On Mon, 27 Sep 1999, Scott I. Remick wrote:

> THEY (everyone but me) want MS Proxy because we're a MCSP and they want us
> to use what we're going to sell, so that we're familiar with it (the
> suggestion that we use FreeBSD/ipfw and sell that too seems to have fallen
> on deaf ears). Of course, the fact is that no one actually spends time on
> this stuff other than me anyway, even though it's set up with the intent
> that all techs can learn from what we have installed in-house. That
> argument, too, seems to not be working. Nor the vast difference in
> hardware requirements (what would you consider the recommended hardware for
> a FreeBSD firewall gateway to a 128K ISDN link?). Cost of the actual
> software is $0 in either event, as we get to use MS software for free due
> to our MCSP status.

This is more of an advocacy question than a security one, so I've directed this reply there. Please remove -security from any further responses.

Giving management a concise (installation and projected ongoing) cost breakdown of the two solutions based on prior performance of the FreeBSD system vs. the NT one, plus supporting material like the hotmail/yahoo/BEST/etc cases, is probably a good solution. Point out that the system should be "set and forget", and if it's something which you need to keep tinkering with, then it's not a good solution. Many people have been jaded into thinking that all computers crash at least once a day, because these are the high-profile ones, so the little UNIX box which chugs over in the corner for a year without falling over is very easy to forget about.

As you mentioned, it's in the best interests of the admins to have a system which is high-maintenance, so this keeps them in a job. Management may not like having this made clear to them or being played for fools, especially if the admins have said it outright :-)

Hardware-wise, you really don't need much at all for a small organisation - an old pentium would probably handle the job just fine, and certainly the smallest new PC you can find these days would be overkill. Lots of people seem to have trouble accepting this - after all, if Intel sell Pentium III 550 chips to go in servers, that must be what you need these days for a server, right? The fact that ftp.cdrom.com is a single-CPU machine with <insert specs here> and is the world's busiest FTP server (and is I/O limited, not CPU limited) may help your case here.

Ultimately, if they're really not listening to your expertise and you're not likely to get any additional internal support, then vote with your feet and find a more open-minded employee who isn't in the back pocket of M$. On the other hand, you might like to wait a month or two for all the problems to develop with NT so you can see if they become more receptive :-)

I guess this is an easy position to take for companies who spend all those dollars per year getting MSCP status (disclaimer: I don't know what sort of money is involved), so they "might as well just use" the M$ software they get for free as a result, because it's "obviously better" than the other stuff they can get for free.

Good luck!

Kris

P.S. Dante (www.inet.no/dante) allegedly works well as an MS-PROXY server (as well as SOCKS5) and is under a nice BSD license, but gethostbyname() proxying doesn't work under FreeBSD last I checked, so this probably doesn't help you at all :)