Date:      Mon, 27 Sep 1999 19:50:05 -0700 (PDT)
From:      Kris Kennaway <kris@hub.freebsd.org>
To:        "Scott I. Remick" <scott@computeralt.com>
Cc:        security@freebsd.org, advocacy@freebsd.org
Subject:   Re: Help me win the MS-Proxy/ipfw war
Message-ID:  <Pine.BSF.4.10.9909271928370.6702-100000@hub.freebsd.org>
In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>

On Mon, 27 Sep 1999, Scott I. Remick wrote:

> THEY (everyone but me) want MS Proxy because we're a MCSP and they want us 
> to use what we're going to sell, so that we're familiar with it (the 
> suggestion that we use FreeBSD/ipfw and sell that too seems to have fallen 
> on deaf ears).  Of course, the fact is that no one actually spends time on 
> this stuff other than me anyway, even though it's set up with the intent 
> that all techs can learn from what we have installed in-house.  That 
> argument, too, seems to not be working.  Nor the vast difference in 
> hardware requirements (what would you consider the recommended hardware for 
> a FreeBSD firewall gateway to a 128K ISDN link?).  Cost of the actual 
> software is $0 in either event, as we get to use MS software for free due 
> to our MCSP status.

This is more of an advocacy question than a security one, so I've directed
this reply there. Please remove -security from any further responses.

Giving management a concise (installation and projected ongoing) cost
breakdown of the two solutions based on prior performance of the FreeBSD
system vs. the NT one, plus supporting material like the
hotmail/yahoo/BEST/etc cases, is probably a good solution. Point out that
the system should be "set and forget", and if it's something which you
need to keep tinkering with, then it's not a good solution. Many people
have been jaded into thinking that all computers crash at least once a
day, because these are the high-profile ones, so the little UNIX box which
chugs over in the corner for a year without falling over is very easy to
forget about.

As you mentioned, it's in the best interests of the admins to have a
system which is high-maintenance, so this keeps them in a job. Management
may not like having this made clear to them or being played for fools,
especially if the admins have said it outright :-)

Hardware-wise, you really don't need much at all for a small organisation
- an old Pentium would probably handle the job just fine, and certainly
the smallest new PC you can find these days would be overkill. Lots of
people seem to have trouble accepting this - after all, if Intel sell
Pentium III 550 chips to go in servers, that must be what you need
these days for a server, right? The fact that ftp.cdrom.com is a single-CPU
machine with <insert specs here> and is the world's busiest FTP server
(and is I/O limited, not CPU limited) may help your case here.

Ultimately, if they're really not listening to your expertise and you're
not likely to get any additional internal support, then vote with your
feet and find a more open-minded employee who isn't in the back pocket of
M$. On the other hand, you might like to wait a month or two for all the
problems to develop with NT so you can see if they become more receptive
:-)

I guess this is an easy position to take for companies who spend all those
dollars per year getting MSCP status (disclaimer: I don't know what sort
of money is involved), so they "might as well just use" the M$ software
they get for free as a result, because it's "obviously better" than the
other stuff they can get for free.

Good luck!

Kris

P.S. Dante (www.inet.no/dante) allegedly works well as an MS-PROXY server
(as well as SOCKS5) and is under a nice BSD license, but gethostbyname()
proxying doesn't work under FreeBSD last I checked, so this probably
doesn't help you at all :)


