Date: Tue, 23 Oct 2001 00:51:01 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Julian Morgan" <jmorganmcse@hotmail.com>, <freebsd-questions@FreeBSD.ORG>
Subject: RE: REQUEST FOR COMMENT
Message-ID: <001c01c15b97$75bb8f20$1401a8c0@tedm.placo.com>
In-Reply-To: <F69p8eurQQtHT1DdQcp000011ad@hotmail.com>
-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Julian Morgan
Sent: Monday, October 22, 2001 11:49 PM
To: freebsd-questions@FreeBSD.ORG
Subject: REQUEST FOR COMMENT

PLEASE DON'T HTML FORMAT YOUR STUFF!!

> people - I am very disappointed here and wanted your opinions. I have
> helped set up a 7 site VPN between 2 states in Australia.
> 4 sites in Melbourne and 3 in Sydney. The firewalls are running FreeBSD 4.3
> and communicate with Cisco 827 routers on ADSL 2meg/386K...

And, I assume that everything is working perfectly?

> After setting all this up and starting afresh in learning FreeBSD over the
> past 8 months while the system has been running, we have had some crew
> question the overall effectiveness of security and other issues.

How was the crew related to the decision makers in your organization?

> As a result they believe that it is better

Who exactly is "they"? The crew? The decision makers? Who?

> to get some certified hardware firewall that the provider upgrades and patches,
> instead of having a Unix product which is open source and requires patches
> all the time, updates on top of the usual monitoring, and dedicate a person
> to basically be on top of all seven sites all the time....

In short, they are saying to "outsource" the firewalling? There's a number of companies that sell these things here in the US that they call "managed firewalls", whereby you buy a hardware box and the company runs it completely remotely.

> So besides the ISP sucking a little - it means we are going to have to
> upgrade the whole VPN system - and tear out the BSD boxes and get some
> hardware firewall!!!!!!!!

If your decision makers choose to do this, that is.

> hmm yet to see the doco on this equipment...
> just wondered what your thoughts were
> Regards
> Julian

Let's see - where do I start?
First of all, boiled down, you are saying that some group related to your organization in some fashion is telling you to spend a whole lot of money and time replacing a running system, for some undefined reason, with a system that may or may not work, with some undefined benefits. In addition, you're saying that this recommendation is so powerful that you're expecting to follow it.

There's wheels within wheels here, and what you have described is not a technical problem, it's a political problem. You're asking for comments from a technical forum. There's a disconnect here.

Now, in these kinds of political issues, coming back with a bunch of technical reasons to support your side is the most futile thing that you can do, because the people you are fighting have already defined the debate in a much more palatable, non-technical and digestible format than the technical and undigestible format that you're trying to use. So if you're looking for a list of technical reasons from this forum to support your side, you can get them - but they will be worthless; you will lose. It's called doing everything right but still losing, and it happens all the time.

Now, if you supply us with more details of who is blowing who, there's people here that can assist you to craft a political response that you can use to effectively fight a political action. But, you haven't supplied squat. All we can do is make some general recommendations. Here's mine:

Anything that anyone does in an organization costs money. Any change to existing infrastructure costs a lot of money. If your organization has no money to do this, then the best salesman in the world can get a triple-signed contract from the Lord Almighty to rip your infrastructure out and replace it with all his stuff - but it doesn't matter squat, it will never happen because your organization can't pay for it.
Therefore it follows that in any discussion of changing infrastructure, the very first question you have to answer is who is contemplating spending the money to do it, what financial benefit they are expecting to get, and how much money they have to play with. As early as possible you MUST quantify those figures!!

It's ridiculously easy for a firewall salesman to come waltzing in claiming that his service/product is going to save you a shitpile of money when: a) you don't know what you're even spending now on the thing he's telling you to replace, and b) the salesman isn't offering a single dollar figure that he's willing to commit to. But, once you have done your own analysis and determined that, say, the existing infrastructure costs $2K a month in operations, well then you can start holding the feet of these folks to the fire. You often find that once you start demanding they produce verifiable figures of savings, you have effectively wrecked one of their big reasons for getting the foot in the door, because most of them will not want to get into this kind of discussion. Because, they know, as was pointed out, that their product simply isn't going to save much money in operating expenses.

So, then the next thing that comes up onto the table is the efficiency argument - i.e., their stuff is better because it does more for the same buck that you're spending. That is where it becomes critical to know what's needed to be done in the organization, and how your FreeBSD solution fits in better than the solution they are pushing.

Following that is often the ease of use argument. Well, the key to fighting this one is two-pronged. First, your own house must be in order: if you have lingering problems with your deployment, then you must fix them. You also have to understand that the Achilles heel of this argument is that usage is only as good as the monkey behind the wheel.
It makes no difference how easy something is to run - morons will be successfully able to wreck anything through incompetence.

Ted Mittelstaedt
tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com