From: Roelof Osinga <roelof@eboa.com>
Organization: eBOA - Programming the Web
Date: Mon, 05 Mar 2001 01:42:22 +0100
To: Ted Mittelstaedt
Cc: bcohen@bpecreative.com, freebsd-questions
Subject: Re: FreeBSD Firewall vs. Black Ice

Ted Mittelstaedt wrote:
>
> >From: Roelof Osinga [mailto:roelof@eboa.com]
> >
> >But that's just it, isn't it. A cost-benefit analysis. I.e. how much
> >will it cost to detect and restore a cracked site versus the cost
> >to make it a tad bit harder to crack the site.
> >
>
> No, because there's different levels of security.
>
> If all you want is a quick and dirty firewall, then run NAT on a $100
> LinkSys, plug that into your DSL line, and be done with it. You won't be
> able to serve off webpages with the default NAT on that, nor will you be
> able to run many network games (which can't work through NAT) but you
> probably won't get cracked either - at least, not cracked in the sense of
> the word that attackers are going to destroy or steal files.

Not the whole truth. I mean, that's what we've got proxy servers for.
Haven't done it, but using, say, the TIS firewall construction kit you
ought to be able to come up with some that'll serve the occasion.
Like the H.329 (or something :) proxy for telephone and video conferencing.

You mentioned a specific solution, one that lies at the lowest end of the
spectrum. FreeBSD does not lie there. In other words, what you're saying
is that it indeed comes down to a cost-benefit analysis. Sure, the
cheapest is incomparable qua functionality to the more expensive. But
that's the choice one made.

> The truth is that most attacks these days consist of the Denial Of Service
> type. Such an attack won't cost you anything because they can't get in and
> destroy things, and protecting from them is simple - you just shut down
> everything. Of course the attack does cost you if the loss of network
> access will cost you money, but not direct costs - just loss of potential
> revenue, which is speculative anyway.

Which, again, brings you back to the cost/benefit matter. If you can't
afford the solution to wait till it blows over, you need something else.

> Where firewalling gets costly, as in sucking up your time or paying someone
> else, is when you want to have your cake and eat it too - ie: you want to be
> protected, but you also want to offer services or do different things, and
> you also want the firewall to be invisible to you, from the inside.

There's the cost aspect again. Sure, the specific device you mentioned
doesn't allow one to run apache on it. A FreeBSD host running natd does,
though.

> Remember that Microsoft products are designed for internal corporate use,
> not external Internet server production use. Internal corporate networks
> are generally more friendly than the public Internet.

Yeah, it bears repeating. But my point was that at times it can be used
as a quick and dirty solution. So it isn't perfect. Fine. What is? The
amount of perfection one applies is a result of a cost/benefit analysis.

Currently I've got a client who's adamant in its use of NT. It doesn't
matter what I say or show. NT it is. The thing is, that whilst you know
that's asking for trouble and I know that's asking for trouble; that's
what the client is asking for!

My tack here is to throw it on the licencing cost. Hooking up a SQL
Server to the 'Net is fine. Deciding - before my time ;) - on SBS 4.5 to
lower licencing cost is fine. But do know that in order to allow the
whole 'Net access to your database you *will* need a different licence!
At least, if M$ hasn't changed its licencing once again.

Once that sinks in... I'm betting they'll be more likely to see things
from my perspective. If not... well, black ice (or whatever) it is.

I did just now write a lengthy advisement on bastion hosts, amongst
others, but I can't force them to read it. So I wrote about something
they wanted to read and slipped that one in ;).

Aaahhh, the things we gotta do.

Roelof

--
-----------------------------------------------------------------------
EBOA web. http://EBOA.com/
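The point above that a FreeBSD host running natd can still serve apache, shown as an added configuration example that is not part of the original thread: natd forwards only TCP port 80 to an internal web host and ipfw refuses every other inbound connection. The interface names ed0 (outside) and ed1 (LAN) and the addresses 10.0.0.0/24 and 10.0.0.2 are assumptions; the three files are shown one after the other.

```conf
# /etc/rc.conf (added example; ed0 = outside, ed1 = LAN are assumptions)
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall.local"
natd_enable="YES"
natd_interface="ed0"
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf: translate the LAN and hand inbound port 80 to the web host
interface ed0
use_sockets yes
same_ports yes
dynamic yes
redirect_port tcp 10.0.0.2:80 80

# /etc/rc.firewall.local: ipfw rules are evaluated in order, and natd has
# already rewritten the addresses, so inbound web traffic shows dst 10.0.0.2
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} add 100 allow ip from any to any via lo0
${fwcmd} add 200 allow ip from any to any via ed1
${fwcmd} add 300 divert natd ip from any to any via ed0
${fwcmd} add 400 allow tcp from any to any established
# the only inbound connection the outside may open: the redirected web port
${fwcmd} add 500 allow tcp from any to 10.0.0.2 80 in via ed0 setup
${fwcmd} add 600 allow tcp from any to any out via ed0 setup
# outbound DNS lookups and their replies
${fwcmd} add 700 allow udp from any to any 53 out via ed0
${fwcmd} add 710 allow udp from any 53 to any in via ed0
${fwcmd} add 800 allow icmp from any to any icmptypes 0,3,11
# log every other inbound connection attempt, then drop the rest
${fwcmd} add 900 deny log tcp from any to any in via ed0 setup
${fwcmd} add 65000 deny log ip from any to any
```

The logged rule 900 is where the attempts that the LinkSys would silently swallow become visible in syslog, which is part of what the extra effort buys.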