[no subject]
- <li><em>date</em>: Mon Jul 5 12:28:08 2004</li>
- <li><em>from</em>: runman at speedfactory.net (Greg)</li>
- <li><em>in-reply-to</em>: <<a href="msg00116.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] OT: Firewall purchase</li>
Greg
> -----Original Message-----
> From: ale-bounces at ale.org [<a rel="nofollow" href="mailto:ale-bounces">mailto:ale-bounces</a> at ale.org]On Behalf Of James
> P. Kinney III
> Sent: Monday, July 05, 2004 11:14 AM
> To: Atlanta Linux Enthusiasts
> Subject: Re: [ale] OT: Firewall purchase
>
>
> On Sun, 2004-07-04 at 23:37, David Hamm wrote:
> > Are you suggesting that a power blink will cause the firewall to replace its
> > remote access password with a default/HARDCODED password?
>
> There is a series of firewall products whose name brand escapes me
> (search on slashdot) that has a backdoor password that was embedded. The
> patch was a flash upgrade that turned off the password use from the
> outside connection. Further study showed the power reset would revert
> back to the default allow remote login with backdoor password.
>
>
> >
> > > Both of those have known security issues.
> > Last time I looked the only security issue with NetGear's FVS318 had to do
> > with a buffer overflow on the remote access login. The overflow would cause
> > a reboot of the unit and no other side effects. A rule that only permits
> > access from a couple of specific known hosts reduces exposure to this. If
> > you have a link with more info please pass it along.
>
> see above. If I get the time today, I'll dig up the references I was
> reading on this. It's about 2 months old (or so)
> >
> > > Neither support VPN connections directly.
> > Huh? I just put a VPN together a couple months ago with a pair of FVS318s.
> > It also worked two years ago when I tested the ability of the FVS318 to
> > connect to a Nortel 1510. We could make the connection but the two units
> > couldn't negotiate a routing protocol.
>
> The VPN in many off the shelf devices is PPtP which has numerous, well
> known vulnerabilities. PPtP is used often as it is easy to do and older
> M$ machines support it easily with little support needed to set it up.
>
> When I think of a VPN, I'm thinking IPSec with pre-shared keys. There
> are many firewall boxes that support IPSec with pre-shared keys. None
> are in the $100 range. All require additional license purchase for
> multiple VPN client access.
>
> A _real_ VPN server can act as the end point for the VPN tunnel. Most of
> the firewall devices out there _support_ VPN by merely passing IPSec
> datagrams freely. They do not act as a VPN server or client.
>
> **NOTE** I don't regularly check all the stats on new network hardware
> that does in silicon what I prefer to do in RAM. The last sweep of
> firewall technology I did was Feb. 2004 and that was of corporate
> firewall products that support IPSec. None of those was less than $1500.
> >
> > > All of the off-the-shelf firewall devices are generic boxes that are
> > > cookie cutter rule sets for a limited set of protection scenarios. The
> > > ability to ssh into the firewall and adjust as needed is absolutely
> > > priceless.
> > Yes, I like ssh and IPtables too but this isn't a problem for that solution.
>
> Then have the client spend the $100 for "The Emperor's New Clothes"
> firewall product. Make sure you get a release of liability document
> signed before you put it in. If it is a product that _you_ recommend,
> you WILL be the first person called on a problem. I have found
> supporting products that I don't have complete and full access to
> difficult at best and impossible at worst. I don't like being in the
> position of having the responsibility for a situation but not the
> authority to do what I see is best to make the solution happen.
> >
> >
> >
> > On Sunday 04 July 2004 08:31 pm, James P. Kinney III wrote:
> > > On Sun, 2004-07-04 at 16:15, David Hamm wrote:
> > > > Thanks for the links and suggestions but this firewall is for a client
> > > > and building a custom firewall will not be price competitive; especially
> > > > if you consider the ease of use available for $100 from Netgear and
> > > > D-Link.
> > >
> > > Both of those have known security issues. Neither support VPN
> > > connections directly. Having a hardware device that has had a backdoor
> > > password that is HARDCODED into the silicon and well published is a
> > > waste of cash. Once the power blinks, they go back to the default
> > > backdoor settings.
> > >
> > > The upfront cost of buying a supportable setup is negligible compared to
> > > the replacement cost over time of upgrading the firewall hardware system
> > > every time a new feature to stop a new style of attack is not upgradeable
> > > by a flash of the bios.
> > >
> > > All of the off-the-shelf firewall devices are generic boxes that are
> > > cookie cutter rule sets for a limited set of protection scenarios. The
> > > ability to ssh into the firewall and adjust as needed is absolutely
> > > priceless.
> > >
> > > Besides, how else are you going to run Bob's ruleset?!
> > >
> > > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > > David Hamm wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I'm looking for a firewall that supports IPSEC for VPN and OSPF.
> > > > > > Netgear has stuff I found attractive but with no OSPF support.
> > > > > > Moving parts (ie fans and disks), and user licensing are out.
> > > > > > Anyone have any suggestions?
> > > > > >
> > > > > > Thanks.
> > > > > > _______________________________________________
> > > > > > Ale mailing list
> > > > > > Ale at ale.org
> > > > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
> > > > >
> > > > > Look at building it yourself using Slackware, Bob Toxen's second
> > > > > edition of his book, and an Epia based fanless supersmall machine with
> > > > > dual builtin NICs. His book has drop in iptables rules that are
> > > > > excellent. Once you get that far then going thru the IPSEC Howto is not
> > > > > too difficult. Just involves a kernel module compile and insertion.
> > > > >
> > > > >
> > > > >
> > > > > Links:
> > > > > <a rel="nofollow" href="http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3">http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3</a>
> > > > > <a rel="nofollow" href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>
> > > > >
> > > > > <a rel="nofollow" href="http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html">http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html</a>
> > > > > (this is one idea)
> > > > >
> > > > >
> --
> James P. Kinney III \Changing the mobile computing world/
> CEO & Director of Engineering \ one Linux user /
> Local Net Solutions,LLC \ at a time. /
> 770-493-8244 \.___________________________./
> <a rel="nofollow" href="http://www.localnetsolutions.com">http://www.localnetsolutions.com</a>
>
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>
</pre>
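The advice in the thread to permit remote-access logins only from a couple of specific known hosts can be checked mechanically against a firewall's own ruleset. The script below is an added example, not code from the ale thread or from any product mentioned in it; the iptables-save dump, the interface names and the management port list are constructed, and a rule is flagged when it accepts a management port on the WAN side without a source restriction.

```python
"""Audit an iptables-save dump for management ports open to any source.

Added example, not code from the ale thread. The dump, interface names
and port list below are constructed for illustration.
"""
import re

# Ports a firewall appliance typically exposes for remote administration.
MGMT_PORTS = {22, 23, 80, 443, 8080}

# Sources that mean "anyone"; a rule limited to these is effectively open.
OPEN_SOURCES = {"0.0.0.0/0", "0.0.0.0/0.0.0.0", "::/0"}

# Constructed sample: ssh on the WAN side is unrestricted (bad), https is
# limited to two known admin hosts (good), 8080 is "restricted" to 0.0.0.0/0.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -s 192.0.2.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -s 192.0.2.11/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -s 0.0.0.0/0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""


def find_open_admin_rules(dump, wan_ifaces=("eth0",)):
    """Return (rule, [ports]) for INPUT ACCEPT rules on a WAN interface that
    admit a management port from any source: no -s, an any-source -s, or a
    negated "! -s". Rules with no -i are conservatively treated as WAN-facing.
    Multiport lists and the endpoints of port ranges are checked."""
    findings = []
    for line in dump.splitlines():
        if not line.startswith("-A INPUT") or " -j ACCEPT" not in line:
            continue
        iface = re.search(r" -i (\S+)", line)
        if iface and iface.group(1) not in wan_ifaces:
            continue  # LAN-side rule; out of scope for this check
        dport = re.search(r" --dports? (\S+)", line)
        if not dport:
            continue
        ports = {int(p) for p in re.split(r"[,:]", dport.group(1)) if p.isdigit()}
        exposed = sorted(ports & MGMT_PORTS)
        if not exposed:
            continue
        src = re.search(r" -s (\S+)", line)
        if src is None or " ! -s " in line or src.group(1) in OPEN_SOURCES:
            findings.append((line, exposed))
    return findings
```

Run it against a real `iptables-save` output by replacing SAMPLE_DUMP; each finding is a rule that leaves the admin login reachable from the whole Internet rather than from the known hosts the thread recommends.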
<hr>
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00116" href="msg00116.html">[ale] OT: Firewall purchase</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
</ul></li></ul>
</body>
</html>