Subject: [ale] OT: Firewall purchase
Date: Sun Jul 4 23:39:02 2004
From: ale at spinnerdog.com (David Hamm)
In-Reply-To: <a href="msg00098.html">[email protected]</a>
References: <a href="msg00073.html">[email protected]</a> <a href="msg00086.html">[email protected]</a> <a href="msg00098.html">[email protected]</a>
> Both of those have known security issues.
Last time I looked the only security issue with NetGear's FVS318 had to do
with a buffer overflow on the remote access login. The overflow would cause
a reboot of the unit and no other side effects. A rule that only permits
access from a couple of specific known hosts reduces exposure to this. If
you have a link with more info please pass it along.
> Neither support VPN connections directly.
Huh? I just put a VPN together a couple months ago with a pair of FVS318s.
It also worked two years ago when I tested the ability of the FVS318 to
connect to a Nortel 1510. We could make the connection but the two units
couldn't negotiate a routing protocol.
> All of the off-the-shelf firewall devices are generic boxes that are
> cookie cutter rule sets for a limited set of protection scenarios. The
> ability to ssh into the firewall and adjust as needed is absolutely
> priceless.
Yes, I like ssh and IPtables too but this isn't a problem for that solution.
On Sunday 04 July 2004 08:31 pm, James P. Kinney III wrote:
> On Sun, 2004-07-04 at 16:15, David Hamm wrote:
> > Thanks for the links and suggestions but this firewall is for a client
> > and building a custom firewall will not be price competitive, especially
> > if you consider the ease of use available for $100 from Netgear and
> > D-Link.
>
> Both of those have known security issues. Neither support VPN
> connections directly. Having a hardware device that has had a backdoor
> password that is HARDCODED into the silicon and well published is a
> waste of cash. Once the power blinks, they go back to the default
> backdoor settings.
>
> The upfront cost of buying a supportable setup is negligible compared to
> the replacement cost over time of upgrading the firewall hardware system
> every time a new feature to stop a new style of attack is not upgradeable
> by a flash of the bios.
>
> All of the off-the-shelf firewall devices are generic boxes that are
> cookie cutter rule sets for a limited set of protection scenarios. The
> ability to ssh into the firewall and adjust as needed is absolutely
> priceless.
>
> Besides, how else are you going to run Bob's ruleset?!
>
> > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > David Hamm wrote:
> > > > Hi,
> > > >
> > > > I'm looking for a firewall that supports IPSEC for VPN and OSPF.
> > > > Netgear has stuff I found attractive but with no OSPF support. Moving
> > > > parts (ie fans and disks), and user licensing are out. Anyone have any
> > > > suggestions?
> > > >
> > > > Thanks.
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
> > >
> > > Look at building it yourself using Slackware, Bob Toxen's second
> > > edition of his book, and an Epia based fanless supersmall machine with
> > > dual built-in NICs. His book has drop in iptables rules that are
> > > excellent. Once you get that far then going thru the IPSEC Howto is not
> > > too difficult. Just involves a kernel module compile and insertion.
> > >
> > > Links:
> > > <a rel="nofollow" href="http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3">http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3</a>
> > > <a rel="nofollow" href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>
> > > <a rel="nofollow" href="http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html">http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html</a> (this
> > > is one idea)
> > >
</pre>
</body>
</html>