Date:      Mon, 27 Sep 1999 18:13:10 -0700
From:      Andre Gironda <andre@sun4c.net>
To:        "Scott I. Remick" <scott@computeralt.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Help me win the MS-Proxy/ipfw war
Message-ID:  <19990927181310.G24486@toaster.sun4c.net>
In-Reply-To: <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>; from Scott I. Remick on Mon, Sep 27, 1999 at 08:05:24PM -0400
References:  <4.2.1.4.19990927195047.00d813e0@mail.computeralt.com>

On Mon, Sep 27, 1999 at 08:05:24PM -0400, Scott I. Remick wrote:
> Any advice to a small-time network admin for a small (32 employees) company 
> that is stuck in the MS_WAY = ONLY_WAY mindset?  We are overdue for a 
> firewall but the PHB wants NT/MS-Proxy installed, while I'm arguing for 
> FreeBSD/ipfw instead.  We already have a FreeBSD server managing various 
> tasks (and has done them VERY well, and doesn't crash), so this isn't 
> totally new (ipfw is but I've got books on order and will be reading up).

NT cannot be used in an Internet environment (or as a bastion host)
because of the serious security implications.  Netbios, IIS, and WINS
are very insecure and instable applications/protocols.  The only way
I have heard of putting an NT box on the Internet precludes the use
of a Cisco PIX or equivalent firewall to handle the stateful inspection
of _every_ packet, as well as re-sequencing of tcp_iss port numbers,
and SYN flood and smurf protection.

So, tell them that they can use MS-Proxy as long as you buy a $14k
PIX and block all incoming connections (especially to Netbios and IIS).
Present that as Option 1.  Option 2 could be FreeBSD with ipfw.  You
can put other options in there as well.  Present it as a paper for
immediate review.  If they don't understand, then your paper will
clearly state and document that fact -- so when you do get attacked
(and believe me, you will get attacked), you have some sort of paper
trail and migration plan.

dre


