Date:      Fri, 15 Oct 1999 13:13:25 +0100
From:      "Joe Pepin" <joe_pepin@ins.com>
To:        <wwoods@cybcon.com>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Need help in reccomending FreeBSD....
Message-ID:  <NDBBJMHAKKLLMBFNMKDDAEEFCHAA.joe_pepin@ins.com>
In-Reply-To: <Pine.LNX.4.10.9910150935530.2145-100000@maximillion.sscsinc.com>

An approach I have used goes something like this.

(First, validate their opinions)
NT is a great OS for end users; it certainly provides enough security (etc.)
for our end users' requirements.  However, this firewall application is not
part of user-space at all, and all of the extras that we pay for with NT
(such as the GUI and all of the built-in web browser stuff) really go to
waste on a network appliance such as a firewall.

With an NT solution we need a monitor, mouse and keyboard, and access to
the console, for any maintenance.  With an FBSD solution we would be able to
easily strip out any unneeded components, saving memory and such, meaning we
have to buy less of a machine, and we can boot it off of a dumb terminal;
who needs a VGA monitor for a firewall?  Also, the ability to securely
administer the box remotely is a big plus.  With only ssh running on it, we
can safely admin it from anywhere, in the middle of the night.  If we ever
decide to move the box to a colo then we'd be all set.

Sure, Unix isn't as friendly as NT and whatnot, but like I said, this isn't
user-space.  A well set-up BSD firewall will require far less in terms of
security patching, and we have much better accountability for what is
actually running and what isn't.  (Maybe a veiled mention of the NSA key, and
a hint at how that type of thing is impossible in BSD.)

NT is designed as a multi-purpose OS.  Unix easily allows us to tune our box
into a specialized firewall-only piece of equipment, without the overhead of
'Active Desktop'.

Point out that a Stable Release of FBSD need not ever be upgraded (beyond
occasional patching), and that there are plenty of production 2.X machines
out there, because there's no need to fix what isn't broken.

And when the 'support' issue comes up:

That may have been the case as little as a year ago, but I can assure you that
now, today, we would have no problem finding someone with Unix expertise
that would be HAPPY to run this should I get hit by a truck.  And security
consulting firms have a great deal of experience in dealing with FBSD, OBSD
and BSDi boxen.

Now, if you actually BRING the box, do a ps ax and say, there, that is
EVERYTHING this box is doing.  Every little thing.  And tell him what each
of those programs is.  Ask someone to do the same with NT.  They can get
Task Manager, but not even an MCSE knows what all of those executables are
doing.  Demonstrate upping an interface, downing it, changing its address
and upping it again.  Do it a few times.  Show them how easy it is, and how
it doesn't crash.  Throw five NICs in the box and boot it, and show them what
it means to live without IRQ conflicts.

Additionally, point out that with Tripwire, Snort and Swatch you can have
very effective and FREE intrusion detection.  An EXPENSIVE option in the NT
world.

Show them the output of nmap -sT -sU -f -O on an NT box and an FBSD box.

There.

HTH

And, yes, some of this is a little on the BS side, but that's the way to
play the game.

/ASBESTOS SUIT ON
I want to take a small line to say that you might want to consider OpenBSD for
this; IPF is nicer IMHO, and OBSD has a working IPSEC implementation, which
could possibly be a big selling point.
/ASBESTOS SUIT OFF

Sincerely,
Joe Pepin

~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
Joe Pepin
Network Systems Engineer
Security Practice
Lucent Technologies NetCare Professional Services
http://www.lucent.com/NetCare
The views/opinions expressed above are not
necessarily those of my employer, but they
probably should be.
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=


> At 2:30PM (West Coast Time) I am going to a meeting at
> work with the Head of Computer Security, 2 NT Admins and two people in
> charge of the project I am working on. I am wanting to propose that, instead
> of using a Microsoft Firewall solution, we use a FreeBSD box as a firewall
> solution. This is not for mission critical info, so I feel I have a good
> chance of getting this. I also have lined up the 2nd in charge of our *nix
> dept to help me set up and maintain (I can do it, but it always looks better
> to have a "higher up" to validate you) the firewalls.
>
> What I would like from the list is some REAL WORLD valid reason why
> FreeBSD should be used over a MS firewall solution.
>
> We are a MS shop, no doubt about that, so this will be an uphill battle,
> but I believe that with the right info, I can get FreeBSD as the firewall.
> Aside from the fact that FreeBSD will cost less to set up, will allow us to
> use that old P100 we have put on the shelf, and will cost less to
> maintain.....can you people supply me with some more valid reasons to go
> with FreeBSD over MS?
>
> And, yes, I know ftp.cdrom.com and yahoo.com all use FreeBSD, as well as
> MS Hotmail service, but I am looking for some corporate types out there who
> had to convince their bosses that FreeBSD was a better choice to help me on
> this.
>
> Thanks,
>
> Bill
>
> William
>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message



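The "do a ps ax and account for every little thing" demo above is, in practice, a baseline check: every command running on the firewall should be on a known list. The script below is an added example, not part of the original thread; it compares a constructed `ps ax` snapshot against a constructed baseline (neither is output from a real host) and reports anything not on the list.

```sh
#!/bin/sh
# Added example: flag processes on a stripped-down firewall that are not in
# the expected baseline. Both inputs are constructed samples, not real output.

# Expected command basenames, one per line (constructed).
BASELINE='init
syslogd
sshd
cron
natd
getty'

# Constructed `ps ax` snapshot; the command path is the fifth column.
PS_SNAPSHOT='  PID  TT  STAT      TIME COMMAND
    1  ??  ILs    0:00.03 /sbin/init --
   73  ??  Ss     0:00.12 /usr/sbin/syslogd -s
   98  ??  Is     0:00.05 /usr/sbin/sshd
  104  ??  Ss     0:00.02 /usr/sbin/cron
  110  ??  Ss     0:00.20 /sbin/natd -n fxp0
  152  v0  Is+    0:00.01 /usr/libexec/getty Pc ttyv0
  301  ??  S      0:01.44 /usr/local/sbin/httpd
  302  ??  S      0:00.10 /usr/local/bin/nc -l 31337'

# unexpected_cmds BASELINE SNAPSHOT
# Prints each distinct command basename in SNAPSHOT that is absent from BASELINE.
unexpected_cmds() {
    printf '%s\n' "$2" | awk -v base="$1" '
        BEGIN { n = split(base, b, "\n"); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        NR > 1 {                                # skip the header line
            m = split($5, p, "/"); cmd = p[m]   # basename of the command path
            if (!(cmd in ok) && !seen[cmd]++) print cmd
        }'
}

# check_procs BASELINE SNAPSHOT
# Returns 0 when every running command is in the baseline, 1 otherwise.
check_procs() {
    drift=$(unexpected_cmds "$1" "$2")
    if [ -n "$drift" ]; then
        printf 'unexpected processes:\n%s\n' "$drift"
        return 1
    fi
    echo "all running commands match the baseline"
    return 0
}

# Demo run on the constructed snapshot; on a live box pass "$(ps ax)" instead.
# The trailing `|| :` keeps the drift status from aborting a `set -e` shell.
check_procs "$BASELINE" "$PS_SNAPSHOT" || :
```

Run from cron with the live `ps ax` output and a baseline captured after the box was stripped down, the non-zero return is the signal worth alerting on.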



