Delivered-To: freebsd-questions@freebsd.org
From: "Patrick O'Reilly" <patrick@mip.co.za>
To: "Julian Morgan"
Subject: RE: REQUEST FOR COMMENT
Date: Tue, 23 Oct 2001 09:39:26 +0200

Julian,

I guess your thoughts are similar to mine...

My only comment is that some salesman selling a hardware firewall has obviously done a good job of selling to the powers that be in your company!

Here are some questions to throw into the next discussion on the subject:

1) Who "certified" the hardware firewall? The manufacturer?

2) How do you know that the provider will REALLY upgrade and patch that firewall regularly?

3) Who will configure the firewall's ruleset - someone who actually personally cares about the security of your business? More likely it will be a 19-year-old techie who just got some "certificate of competence" in corporate network security.

4) How responsive will the supplier be if/when you want to make changes to the firewall's config or ruleset?
5) How MUCH will it all COST?

And, as for security holes on 'open source', the FreeBSD project responds to and fixes security problems far faster than any hardware vendor I've met. OK, you must do the download yourself. That might take all of 10 minutes, or else use cvsup and follow -stable.

And, what's more, the security issues are usually, probably 98% of the time, NOT in the firewall, but in the software running on other servers behind the firewall. I can't remember when last there was a security problem with ipf OR ipfw.

On our VPN we are switching from sites using Cisco 1600 series routers with FreeBSD firewalls behind them, to using the FreeBSD firewall with an on-board serial card connected to the line from the ISP. I can build a PC with a dual-port serial card and 2 Ethernet NICs (for LAN and DMZ), with FreeBSD doing firewalling, NAT, traffic shaping (and potentially even running a transparent proxy cache using Squid or similar) for less than the cost of a single Cisco 1600 router.

Go figure!

Patrick.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Julian Morgan
Sent: 23 October 2001 08:49
To: freebsd-questions@FreeBSD.ORG
Subject: REQUEST FOR COMMENT

People - I am very disappointed here and wanted your opinions... I have helped set up a 7-site VPN between 2 states in Australia: 4 sites in Melbourne and 3 in Sydney. The firewalls are running FreeBSD 4.3 and communicate with Cisco 827 routers on ADSL 2meg/386K...

After setting all this up and starting afresh in learning FreeBSD over the past 8 months while the system has been running, we have had some crew question the overall effectiveness of security and other issues...
As a result they believe that it is better to get some certified hardware firewall that the provider upgrades and patches, instead of having a Unix product which is open source and requires patches all the time, updates on top of the usual monitoring, and dedicating a person to basically be on top of all seven sites all the time....

So besides the ISP sucking a little - it means we are going to have to upgrade the whole VPN system - and tear out the BSD boxes and get some hardware firewall!!!!!!!! Hmm, yet to see the doco on this equipment...

Just wondered what your thoughts were.

Regards
Julian

Get your FREE download of MSN Explorer at http://explorer.msn.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
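Patrick describes a FreeBSD box with a serial WAN card plus LAN and DMZ NICs doing firewalling, NAT and traffic shaping. The ruleset below is an added example of that design for FreeBSD 4.x ipfw with natd and dummynet; it is not from either message and not from the FreeBSD project's own rc.firewall. The interface names (sr0, fxp0, fxp1), the RFC 1918 subnets, the DMZ web server 10.3.14.10, the uplink rate and the natd redirect flags are all assumptions chosen for illustration. The structure follows the usual ipfw-with-natd pattern: un-NAT inbound traffic before check-state so the state table only ever holds inside addresses, authorise new connections on the interface they arrive on, and skipto a final section that does outbound NAT, shaping and the accept.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset for a FreeBSD 4.x box with
# a serial WAN link, a LAN and a DMZ, using natd for NAT and dummynet for
# shaping. Interface names, addresses, the DMZ host and the uplink rate are
# assumptions for illustration. Kernel assumed to have IPFIREWALL,
# IPFIREWALL_VERBOSE, IPDIVERT and DUMMYNET. natd assumed in rc.conf as:
#   natd_enable="YES"  natd_interface="sr0"
#   natd_flags="-redirect_port tcp 10.3.14.10:80 80 -redirect_port tcp 10.3.14.10:443 443"

wan_if="sr0"            # synchronous serial card on the ISP line (assumed)
lan_if="fxp0"           # LAN NIC (assumed)
dmz_if="fxp1"           # DMZ NIC (assumed)
lan_net="10.3.13.0/24"  # assumed private ranges, NATed on the way out
dmz_net="10.3.14.0/24"
dmz_web="10.3.14.10"    # assumed public-facing web server in the DMZ
uplink="384Kbit/s"      # assumed ADSL upstream rate

# Runs ipfw, or just prints the command when DRYRUN is set.
fw() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw -q "$@"
    fi
}

build_ruleset() {
    fw -f flush
    fw -f pipe flush
    fw pipe 1 config bw "$uplink" queue 10

    # Loopback, and nothing else may claim 127/8.
    fw add 100 allow ip from any to any via lo0
    fw add 110 deny ip from any to 127.0.0.0/8

    # Anti-spoofing: each inside interface carries only its own subnet, and
    # private ranges never arrive from the ISP.
    fw add 120 deny log ip from not "$lan_net" to any in via "$lan_if"
    fw add 121 deny log ip from not "$dmz_net" to any in via "$dmz_if"
    fw add 122 deny log ip from 10.0.0.0/8 to any in via "$wan_if"
    fw add 123 deny log ip from 172.16.0.0/12 to any in via "$wan_if"
    fw add 124 deny log ip from 192.168.0.0/16 to any in via "$wan_if"

    # Un-NAT inbound packets first, so the state table and every rule below
    # see inside (private) addresses.
    fw add 130 divert natd ip from any to any in via "$wan_if"
    fw add 200 check-state

    # Policy is written against the interface a NEW connection arrives on.
    # Permitted flows (and their state-table replies) jump to 1000.
    # LAN may initiate to the DMZ and to the Internet.
    fw add 300 skipto 1000 tcp from "$lan_net" to any in via "$lan_if" setup keep-state
    fw add 310 skipto 1000 udp from "$lan_net" to any in via "$lan_if" keep-state
    fw add 320 skipto 1000 icmp from "$lan_net" to any in via "$lan_if" icmptypes 8 keep-state
    # DMZ may reach the Internet (TCP, and DNS) but never initiate into the LAN.
    fw add 400 deny log ip from "$dmz_net" to "$lan_net" in via "$dmz_if"
    fw add 410 skipto 1000 tcp from "$dmz_net" to any in via "$dmz_if" setup keep-state
    fw add 420 skipto 1000 udp from "$dmz_net" to any 53 in via "$dmz_if" keep-state
    # From the Internet, only the DMZ web server on 80/443 (natd has already
    # rewritten the destination to the DMZ host at rule 130).
    fw add 500 skipto 1000 tcp from any to "$dmz_web" 80,443 in via "$wan_if" setup keep-state
    # ICMP needed for path-MTU discovery and traceroute.
    fw add 510 allow icmp from any to any icmptypes 0,3,11
    # Everything else is dropped and logged.
    fw add 999 deny log ip from any to any

    # Accept section, reached only by traffic authorised above. NAT outbound,
    # shape it to the uplink, then pass. With the default
    # net.inet.ip.fw.one_pass=1 the pipe rule is terminal: the packet is
    # delayed by dummynet and then accepted without re-entering the ruleset.
    fw add 1000 divert natd ip from any to any out via "$wan_if"
    fw add 1010 pipe 1 ip from any to any out via "$wan_if"
    fw add 1020 allow ip from any to any
}

# Print the ruleset by default; "sh fw.sh load" installs it (run as root).
case "${1:-}" in
    load) build_ruleset ;;
    *)    DRYRUN=1 build_ruleset ;;
esac
```

Run it without arguments to review the generated rules before touching a remote site; the `deny log` rules are what you grep for in /var/log/security afterwards to see what the policy is rejecting.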