From owner-freebsd-security Thu Apr 24 09:40:49 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA15806 for security-outgoing; Thu, 24 Apr 1997 09:40:49 -0700 (PDT)
Received: from sand.sentex.ca (sand.sentex.ca [206.222.77.6]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA15801; Thu, 24 Apr 1997 09:40:45 -0700 (PDT)
Received: from gravel (gravel.sentex.ca [205.211.165.210]) by sand.sentex.ca (8.8.5/8.8.3) with SMTP id MAA00373; Thu, 24 Apr 1997 12:44:26 -0400 (EDT)
Message-Id: <3.0.1.32.19970424124424.00b04100@sentex.net>
X-Sender: mdtancsa@sentex.net
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Thu, 24 Apr 1997 12:44:24 -0400
To: Mikael Karpberg
From: Mike Tancsa
Subject: Re: Commercial vs built in firewall capabilities of FreeBSD
Cc: freebsd-isp@freebsd.org, security@freebsd.org
In-Reply-To: <199704241622.SAA16227@ocean.campus.luth.se>
References: <3.0.1.32.19970424111952.00a1f1e0@sentex.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

At 06:22 PM 4/24/97 +0200, Mikael Karpberg wrote:
>According to Mike Tancsa:
>>
>> After looking around a lot of the firewall sites and browsing through the
>> firewall list archives, I am still not entirely clear what a commercial
>> firewall costing $10K U.S. would give me over the basic firewalling
>> capabilities in FreeBSD combined with sshd, NAT, proxy servers and or SOCKS
>> v5... Although VPN would be a very nice feature to have to link up remote
>> offices, if this is not necessary, should we recommend to the client to go
>> out and spend $10K on a commercial firewall solution as opposed to a
>> FreeBSD box ?
>

First of all, thank you for your response.

>How's "Firewall1"'s ability to analyze the traffic and such, for
>example? Like, it can let outgoing UDP go out, and answers to it come
>back, but nothing else. And it will look into FTP packets and snoop your
>connections for port setups, and let that port connect, when it comes.
>Thereby, ftp, archie, or anything else which has problems with firewalls
>will work as expected. And... you can make it filter out the ActiveX
>components of web pages, etc. Plus: You get a real easy to set up, GUI
>configuration thing, which will by pure easy-to-use factor make your firewall
>safer, since you won't forget anything so easily.

I think the client in this case doesn't even want to let the remote offices do any sort of web browsing, and they will not be hosting any public information at the satellite offices. The firewalls will merely allow the remote offices to share data on their NT network. I want to present them with as many options as possible, from the "firewall on a shoestring budget" to the deluxe models out there. For the lower end of the price scale, I was thinking of something like FreeBSD as the gateway with all the attendant security software, combined with SKIP (www.skip.org) to provide the VPN between the many small offices that they have.

>You DO get something for your money, you really do. I'm all for FreeBSD as
>a firewall, and anything else, basically. However, it's all about what your
>budget is. If they have the money, I think it's probably worth it.

Yes, I can see how a simplified interface goes a long way to catching potentially dangerous misconfigurations. However, I am the type of person who does not like to see money needlessly spent. Also, I am looking at this investigation in terms of future recommendations as well. We have many smaller customers who do not have the capital available to spend lots of money on security, but nevertheless should have a decent amount... Hell, even at home here... I have a little 2 node network connected to the net through my FreeBSD box. Since I installed the firewall options on it, I have been rather surprised at how many sites want to do SMB negotiations when I have been browsing the web from my NT box... (e.g. http://www.ntsecurity.net/security/ie3-4.htm), and I found this entry rather surprising the other day in my filter logs....

Apr 23 20:33:31 sand /kernel: ipfw: 6000 Deny UDP 205.211.165.210:137 204.216.27.18:137 via tun0

(that's hub.FreeBSD.ORG)... I like having a firewall at home, and I like to have as much security as possible... But of course, I don't have $10K to spend on peace of mind ;-)

Thanks again for taking the time to respond... Researching this project has been most interesting!

---Mike
**********************************************************************
Mike Tancsa (mike@sentex.net)          * To do is to be -- Nietzsche
Sentex Communications Corp,            * To be is to do -- Sartre
Cambridge, Ontario                     * Do be do be do -- Sinatra
(http://www.sentex.net/~mdtancsa)      *
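The ipfw deny line quoted in the message above is the kind of entry worth watching for: a workstation behind the gateway trying to open a NetBIOS name-service session (UDP 137) to a web server it was just browsing. The following is an added example, not part of the original message or of FreeBSD's own tooling: a small Python parser for the ipfw syslog format shown in the post that separates outbound NetBIOS/SMB attempts from the local network (the leak the poster describes) from inbound probes at those same ports. Only the 205.211.165.210 to 204.216.27.18 line is taken from the message; the remaining log lines, the 198.51.100.7 and 203.0.113.9 addresses, and the set of local addresses are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample log in the ipfw syslog format shown in the post.
# The first line is the one quoted in the message; the rest are made up
# for this example (198.51.100.7 and 203.0.113.9 are documentation addresses).
SAMPLE_LOG = """\
Apr 23 20:33:31 sand /kernel: ipfw: 6000 Deny UDP 205.211.165.210:137 204.216.27.18:137 via tun0
Apr 23 20:35:02 sand /kernel: ipfw: 6000 Deny UDP 205.211.165.210:137 198.51.100.7:137 via tun0
Apr 23 20:35:05 sand /kernel: ipfw: 6000 Deny TCP 205.211.165.210:1042 198.51.100.7:139 via tun0
Apr 23 20:36:11 sand /kernel: ipfw: 5000 Deny TCP 203.0.113.9:4321 205.211.165.210:23 via tun0
Apr 23 20:37:40 sand /kernel: ipfw: 4000 Accept TCP 205.211.165.210:1050 198.51.100.7:80 via tun0
Apr 23 20:38:01 sand /kernel: ipfw: 5000 Deny UDP 203.0.113.9:137 205.211.165.210:137 via tun0
"""

# Matches "<ts> <host> /kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> via <iface>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) via (?P<iface>\S+)$"
)

# NetBIOS name service, datagram service and session service (SMB over NetBIOS).
NETBIOS_PORTS = {137, 138, 139}


def parse_ipfw_line(line):
    """Parse one ipfw syslog line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def netbios_report(log_text, local_addrs):
    """Count denied NetBIOS/SMB traffic per remote host, split by direction.

    outbound: a local address tried to reach a NetBIOS port on a remote host
              (the "SMB negotiation" leak from a browsing workstation).
    inbound:  a remote host tried to reach a NetBIOS port on a local address.
    Accepted traffic and non-NetBIOS ports are ignored.
    """
    outbound = Counter()
    inbound = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        if rec["dport"] not in NETBIOS_PORTS:
            continue
        if rec["src"] in local_addrs:
            outbound[rec["dst"]] += 1
        elif rec["dst"] in local_addrs:
            inbound[rec["src"]] += 1
    return {"outbound": dict(outbound), "inbound": dict(inbound)}


if __name__ == "__main__":
    # Assumed local address: the gateway's own address from the quoted log line.
    report = netbios_report(SAMPLE_LOG, {"205.211.165.210"})
    for direction in ("outbound", "inbound"):
        print(direction)
        for host, count in sorted(report[direction].items(), key=lambda kv: -kv[1]):
            print(f"  {host:16s} {count}")
```

Run against a real /var/log/messages, the outbound counter tells you which web servers your Windows clients are trying to talk NetBIOS to (and therefore which rule is doing the work), while the inbound counter shows who is scanning for open shares from outside.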