Date:      Thu, 24 Apr 1997 12:44:24 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        Mikael Karpberg <karpen@ocean.campus.luth.se>
Cc:        freebsd-isp@freebsd.org, security@freebsd.org
Subject:   Re: Commercial vs built in firewall capabilities of FreeBSD
Message-ID:  <3.0.1.32.19970424124424.00b04100@sentex.net>
In-Reply-To: <199704241622.SAA16227@ocean.campus.luth.se>
References:  <3.0.1.32.19970424111952.00a1f1e0@sentex.net>

At 06:22 PM 4/24/97 +0200, Mikael Karpberg wrote:
>According to Mike Tancsa:
>> 
>> After looking around a lot of the firewall sites and browsing through the
>> firewall list archives, I am still not entirely clear what a commercial
>> firewall costing $10K U.S. would give me over the basic firewalling
>> capabilities in FreeBSD combined with sshd, NAT, proxy servers and or SOCKS
>> v5...  Although VPN would be a very nice feature to have to link up remote
>> offices, if this is not necessary, should we recommend to the client to go
>> out and spend $10K on a commercial firewall solution as opposed to a
>> FreeBSD box ?
>

First of all, thank you for your response.

>How's "Firewall1"'s ability to analyze the traffic and such, for
>example? Like, it can let outgoing UDP go out, and answers to it come
>back, but nothing else. And it will look into FTP packets and snoop your
>connections for port setups, and let that port connect, when it comes.
>Thereby, ftp, archie, or anything else which has problems with firewalls
>will work as expected. And... you can make it filter out the ActiveX
>components of web pages, etc. Plus: You get a real easy to set up, GUI
>configuration thing, which will by pure easy-to-use factor make your firewall
>safer, since you won't forget anything so easily.

I think the client in this case doesn't even want to let the remote offices
do any sort of web browsing, and they will not be hosting any public
information at the satellite offices.  The firewalls will merely allow the
remote offices to share data on their NT network.  I want to present them
with as many options as possible from the "Firewall on a shoe string
budget" to the deluxo models out there.  For the lower end of the price
scale, I was thinking of something like FreeBSD as the gateway with all the
attendant security software, combined with SKIP (www.skip.org) to provide
the VPN between the many small offices that they have.

>You DO get something for your money, you really do. I'm all for FreeBSD as
>a firewall, and anything else, basically. However, it's all about what your
>budget is. If they have the money, I think it's probably worth it.

Yes, I can see how a simplified interface goes a long way to catching
potentially dangerous misconfigurations.  However, I am the type of person
who does not like to see money needlessly spent.  Also, I am looking at
this investigation in terms of future recommendations as well.  We have
many smaller customers who do not have the capital available to spend lots
of money on security, but nevertheless should have a decent amount...

Hell, even at home here... I have a little 2 node network connected to the
net through my FreeBSD box.  Since I installed the firewall options on it,
I have been rather surprised at how many sites want to do SMB negotiations
when I have been browsing the web from my NT box... (e.g.
http://www.ntsecurity.net/security/ie3-4.htm), and I found this entry
rather surprising the other day in my filter logs....

Apr 23 20:33:31 sand /kernel: ipfw: 6000 Deny UDP 205.211.165.210:137 204.216.27.18:137 via tun0

(that's hub.FreeBSD.ORG)... I like having a firewall at home, and I like to
have as much security as possible... But of course, I don't have $10K to
spend on peace of mind ;-)

Thanks again for taking the time to respond... Researching this project has
been most interesting!


	---Mike
**********************************************************************
Mike Tancsa  (mike@sentex.net)           * To do is to be  -- Nietzsche
Sentex Communications Corp,              * To be is to do  -- Sartre 
Cambridge, Ontario                       * Do be do be do  -- Sinatra
(http://www.sentex.net/~mdtancsa)        *
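Added example (not part of the original message or of FreeBSD's own tooling): a small parser that reads ipfw deny entries in the syslog format quoted above, counts denied traffic per destination port, and singles out NetBIOS hits (UDP 137/138, TCP 139) of the kind Mike saw when web pages tried to start SMB negotiations from his NT box. The first sample line is the one from the message; the other lines, the host name `sand`, the RFC 5737 addresses and the rule numbers are constructed for the example, and the optional `in`/`out` token in the regex is an assumption to tolerate slightly later ipfw log formats.

```python
import re
from collections import Counter

# ipfw log line as syslog wrote it on a FreeBSD 2.x box (format taken from the message):
#   "<ts> <host> /kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> via <iface>"
# The optional " in"/" out" token is an assumption for slightly newer ipfw versions.
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
    r"(?: (?P<direction>in|out))? via (?P<iface>\S+)\s*$"
)

# NetBIOS service ports: a Deny on these while browsing means a remote page tried
# to make the Windows client open an SMB session (name service, datagram, session).
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not an ipfw line."""
    m = IPFW_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    # Tag the record if either end is a NetBIOS port (137/137 is typical for name lookups).
    rec["netbios"] = NETBIOS_PORTS.get(rec["dport"]) or NETBIOS_PORTS.get(rec["sport"])
    return rec


def summarize(lines):
    """Count Deny events per (proto, dport) and collect the NetBIOS-related ones."""
    by_port = Counter()
    netbios_hits = []
    unparsed = 0
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None:
            unparsed += 1          # other kernel messages share the log; skip them
            continue
        if rec["action"] != "Deny":
            continue               # only denied traffic is of interest here
        by_port[(rec["proto"], rec["dport"])] += 1
        if rec["netbios"]:
            netbios_hits.append((rec["src"], rec["dst"], rec["netbios"], rec["rule"]))
    return {"by_port": by_port, "netbios_hits": netbios_hits, "unparsed": unparsed}


# Constructed sample log: line 1 is the entry quoted in the message, the rest are made up
# in the same format (RFC 5737 documentation addresses, arbitrary rule numbers).
SAMPLE_LOG = [
    "Apr 23 20:33:31 sand /kernel: ipfw: 6000 Deny UDP 205.211.165.210:137 204.216.27.18:137 via tun0",
    "Apr 23 20:35:02 sand /kernel: ipfw: 6000 Deny UDP 205.211.165.210:137 192.0.2.10:137 via tun0",
    "Apr 23 20:35:02 sand /kernel: ipfw: 6100 Deny TCP 205.211.165.210:1042 192.0.2.10:139 via tun0",
    "Apr 23 20:36:17 sand /kernel: ipfw: 6200 Deny TCP 198.51.100.7:33981 205.211.165.210:23 via tun0",
    "Apr 23 20:36:40 sand /kernel: ipfw: 1000 Accept TCP 205.211.165.210:1043 192.0.2.10:80 via tun0",
    "Apr 23 20:37:00 sand /kernel: some unrelated kernel message",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (proto, dport), n in sorted(report["by_port"].items()):
        print(f"{proto:4} dport {dport:5}  denied {n}")
    for src, dst, svc, rule in report["netbios_hits"]:
        print(f"NetBIOS ({svc}) {src} -> {dst} blocked by rule {rule}")
    print(f"{report['unparsed']} non-ipfw line(s) skipped")
```

Run it against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file's lines; the per-port counts show which outbound services a rule set is actually stopping, and a steady trickle of `netbios-ns` hits from the workstation's own address is the signature of the SMB negotiations the message describes.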