From owner-freebsd-security Tue Sep 28 0:31:43 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
	by hub.freebsd.org (Postfix) with ESMTP id B66ED14D8F
	for ; Tue, 28 Sep 1999 00:31:39 -0700 (PDT)
	(envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
	by gndrsh.dnsmgr.net (8.9.3/8.9.3) id AAA14183;
	Tue, 28 Sep 1999 00:31:24 -0700 (PDT)
	(envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199909280731.AAA14183@gndrsh.dnsmgr.net>
Subject: Re: Help me win the MS-Proxy/ipfw war
In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com> from "Scott I. Remick" at "Sep 27, 1999 08:05:24 pm"
To: scott@computeralt.com (Scott I. Remick)
Date: Tue, 28 Sep 1999 00:31:24 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Any advice to a small-time network admin for a small (32 employees) company
> that is stuck in the MS_WAY = ONLY_WAY mind set? We are overdue for a
> firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for
> FreeBSD/ipfw instead. We already have a FreeBSD server managing various
> tasks (and has done them VERY well, and doesn't crash), so this isn't
> totally new (ipfw is but I've got books on order and will be reading up).
...

Do what some companies' lower management/techies do when they want to do
something different than upper/middle management: bring in an outside
expert in the field that can wave his magic hands around in the air,
explaining and detailing the advantages and disadvantages of each type
of solution in a way that PHB can understand. Often an outside expert
opinion that is not biased, or at least does not appear to be biased, is
the best way to settle one of these arguments.

If they balk at that idea, point again at the fact that they should really
practice what they preach, and if they are an MCSP they do plenty of
``outside consulting'' for their customer base! It may even end up
convincing the PHB that FreeBSD/ipfw is what should be preached to
customers, and forgo the revenue generating stream that NT/MS-Proxy
service calls bring them in favor of not having to worry about a lawsuit
when the damn thing doesn't do the job and some customer decides it was
your company's fault. [I'd make sure my product liability insurance
coverage was up to snuff before selling any copies of NT/MS-Proxy to
anyone...]

...
> hardware requirements (what would you consider the recommended hardware for
> a FreeBSD firewall gateway to a 128K ISDN link?).

Ahhhh.. not much, depends on rule set length and complexity, we are
running a 322 rule set on a FreeBSD based 128K ISDN to 100BaseTX router
running full BGP4 dual view routing tables on a P100/32MB memory/300MB
disk. You can cut the memory to 16MB if you forgo the BGP. We have also
run Multi-link PPP over Bonding mode 1 (256Kb/s) with the same hardware
and software configuration.

> Cost of the actual
> software is $0 in either event, as we get to use MS software for free due
> to our MCSP status.

But when you sell it to your client this is no longer $0 cost to you, and
especially not to your client. Your revenue model could be higher for the
FreeBSD/ipfw solution due to your $0 cost and the competing product's high
MSRP.

> I need help, as it's me against the masses and I seem to be unable to win
> them over. The best I've managed is to keep them from making the final
> decision (only reason we don't have a firewall already). I'm also faced
> with them wanting to move ALL mail services to the Exchange server (right
> now only internal Exchange mail gets handled by it, and it routes all
> Internet mail through the FreeBSD box. The Exchange server itself is
> blocked from the Internet at the router) as well as move our website from
> FreeBSD/Apache to NT/IIS (UGH!).

Let them do it, keep your FreeBSD box up to date and ready to take over
this task on a moment's notice. When it blows up in their face, bail them
out and be the hero. If the NT/IIS doesn't fail, well, you have some
pretty good NT folks in house is about all I can say!

> I wish there were more advocates on my side working here to back me up, but
> alas, we are small, and it's just me, and the boss is in bed with MS it
> seems. We have some networking techs who do stuff for customers, and
> they're against me because 1) MS software failures give them a daily source
> of billable hours, and 2) they resent the FreeBSD server because it makes
> them look bad, never crashing, while their NT servers need constant
> attention/reboots.

That paragraph makes me want to ask just how attached to this job are you?
There are lots of job openings for skilled Unix admins who know how to make
this newfound ``open source'' software work for all sorts of companies.

--
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message