[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[no subject]
- <!--x-content-type: text/plain -->
- <!--x-date: Mon Jul 5 17:38:04 2004 -->
- <!--x-from-r13: nyr ng fcvaareqbt.pbz (Rnivq Vnzz) -->
- <!--x-message-id: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] --> "http://www.w3.org/TR/html4/loose.dtd">
- <!--x-subject: [ale] OT: Firewall purchase -->
- <li><em>date</em>: Mon Jul 5 17:38:04 2004</li>
- <li><em>from</em>: ale at spinnerdog.com (David Hamm)</li>
- <li><em>in-reply-to</em>: <<a href="msg00116.html">[email protected]</a>></li>
- <li><em>references</em>: <<a href="msg00073.html">[email protected]</a>> <<a href="msg00104.html">[email protected]</a>> <<a href="msg00116.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] OT: Firewall purchase</li>
> There is a series of firewall products whose name brand escapes me
> (search on slashdot) that has a backdoor password that was embedded. The
> patch was a flash upgrade that turned off the password use from the
> outside connection. Further study showed the power reset would revert
> back to the default allow remote login with backdoor password.
The units you are speaking of are Linksys's WRT54G and NetGear's WG602. They
are both both wireless gateways and I didn't find similar problems with other
products from these manufacturers.
> see above. If I get the time today, I'll dig up the references I was
> reading on this. It's about 2 months old (or so)
>
> The VPN in many off the shelf devices is PPtP which has numerous, well
> known vulnerabilities. PPtP is used often as it is easy to do and older
> M$ machines support it easily with little support needed to set it up.
> When I think of a VPN, I'm thinking IPSec with pre-shared keys. There
> are many firewall boxes that support IPSec with pre-shared keys. None
> are in the $100 range. All require additional license purchase for
> multiple VPN client access.
>
> A _real_ VPN server can act as the end point for the VPN tunnel. Most of
> the firewall devices out there _support_ VPN by merely passing IPSec
> datagrams freely. They do not act as a VPN server or client.
Take a look at this. If you still don't believe they do IPSec we can have a
VNC session and you can watch me set up a couple of tunnels if you still
don't believe it.
<a rel="nofollow" href="http://netgear.com/products/prod_details.php?prodID=129&view=sb";>http://netgear.com/products/prod_details.php?prodID=129&view=sb</a>
> **NOTE** I don't regularly check all the stats on new network hardware
> that does in silicon what I prefer to do in RAM. The last sweep of
> firewall technology I did was Feb. 2004 and that was of corporate
> firewall products that support IPSec. None of those was less than $1500.
>
> > > All of the off-the-shelf firewall devices are generic boxes that are
> > > cookie cutter rule sets for a limited set of protection scenarios. The
> > > ability to ssh into the firewall and adjust as needed is absolutely
> > > priceless.
> >
> > Yes, I like ssh and IPtables too but this isn't a problem for that
> > solution.
>
> Then have the client spend the $100 for "The Emperors New Clothes"
> firewall product. Make sure you get a release of liability document
> signed before you put it in. If it is a product that _you_ recommend,
> you WILL be the first person called on a problem. I have found
> supporting products that I don't have complete and full access to
> difficult at best and impossible at worst. I don't like being in the
> position of having the responsibility for a situation but not the
> authority to do what I see is best to make the solution happen.
I'm sorry, this discussion has ended as far as I am concerned. The only real
help I got was from Chris suggesting I look at a new vendor. The above
comments don't posses and characteristics of prductive dialog and could
easily be detrimental to some.
> > On Sunday 04 July 2004 08:31 pm, James P. Kinney III wrote:
> > > On Sun, 2004-07-04 at 16:15, David Hamm wrote:
> > > > Thanks for the links and suggestions but this firewall is for a
> > > > client and building a custom firewall will not be price competitive;
> > > > Especially if you consider the ease of use available for $100 from
> > > > Netgear and D-Link.
> > >
> > > Both of those have known security issues. Neither support VPN
> > > connections directly. Having a hardware device that has had a backdoor
> > > password that is HARDCODED into the silicon and well published is a
> > > waste of cash. One the power blinks, they go back to the default
> > > backdoor settings.
> > >
> > > The upfront cost of buying a supportable setup is negligible compared
> > > to the replacement cost over time of upgrading the firewall hardware
> > > system everytime a new feature to stop a new style of attack is not
> > > upgradeable by a flash of the bios.
> > >
> > > All of the off-the-shelf firewall devices are generic boxes that are
> > > cookie cutter rule sets for a limited set of protection scenarios. The
> > > ability to ssh into the firewall and adjust as needed is absolutely
> > > priceless.
> > >
> > > Besides, how else are you going to run Bob's ruleset?!
> > >
> > > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > > David Hamm wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I'm looking for a firewall that supports IPSEC for VPN and OSPF.
> > > > > > Netgear has
> > > > > > stuff I found attractive but with no OSPF support. Moving parts
> > > > > > (ie fans and
> > > > > > disks ), and user licensing are out. Anyone have any suggestions?
> > > > > >
> > > > > > Thanks.
> > > > > > _______________________________________________
> > > > > > Ale mailing list
> > > > > > Ale at ale.org
> > > > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> > > > >
> > > > > Look at building it yourself using Slackware, Bob Toxen's second
> > > > > edition of his book, and a Epia based fanless supersmall machine
> > > > > with dual builtin NICs. His book has drop in iptables rules that
> > > > > are excellent. Once you get that far then going thru the IPSEC
> > > > > Howto is not too difficult. Just involves a kernel module compile
> > > > > and insertion.
> > > > >
> > > > >
> > > > >
> > > > > Links:
> > > > > <a rel="nofollow" href="http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3";>http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3</a>
> > > > > <a rel="nofollow" href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html";>http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>
> > > > > <a rel="nofollow" href="http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html";>http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html</a>
> > > > > (this is one idea)
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Ale mailing list
> > > > > Ale at ale.org
> > > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> > > >
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> >
> > !DSPAM:40e8cd85313746117867552!
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00135" href="msg00135.html">[ale] OT: Firewall purchase</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Christopher Fowler)</li></ul></li>
<li><strong><a name="00156" href="msg00156.html">[ale] OT: Firewall purchase</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00073" href="msg00073.html">[ale] OT: Firewall purchase</a></strong>
<ul><li><em>From:</em> ale at spinnerdog.com (David Hamm)</li></ul></li>
<li><strong><a name="00104" href="msg00104.html">[ale] OT: Firewall purchase</a></strong>
<ul><li><em>From:</em> ale at spinnerdog.com (David Hamm)</li></ul></li>
<li><strong><a name="00116" href="msg00116.html">[ale] OT: Firewall purchase</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00127.html">[ale] Different KDE Problem</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00129.html">[ale] Firewall discussion...hardware horsepower?</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00121.html">[ale] OT: Firewall purchase</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00135.html">[ale] OT: Firewall purchase</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00128"><strong>Date</strong></a></li>
<li><a href="threads.html#00128"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>