[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[no subject]
- <!--x-content-type: text/plain -->
- <!--x-date: Tue Jul 6 21:36:40 2004 -->
- <!--x-from-r13: nyr ng fcvaareqbt.pbz (Rnivq Vnzz) -->
- <!--x-message-id: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] --> "http://www.w3.org/TR/html4/loose.dtd">
- <!--x-subject: [ale] OT: Firewall purchase -->
- <li><em>date</em>: Tue Jul 6 21:36:40 2004</li>
- <li><em>from</em>: ale at spinnerdog.com (David Hamm)</li>
- <li><em>in-reply-to</em>: <<a href="msg00160.html">[email protected]</a>></li>
- <li><em>references</em>: <<a href="msg00073.html">[email protected]</a>> <<a href="msg00139.html">[email protected]</a>> <<a href="msg00160.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] OT: Firewall purchase</li>
> Yep. I have a 12 year old who knows how to use a boot floppy with Fedora
> Core 2 and a series of kickstart files I've been modifying over time.
> Beats me having to "cut my own grass". :)
Hmmmm... Knows kickstart installs and mows grass. That's a strong resume.
Is he finacially motivated?
On Tuesday 06 July 2004 02:19 pm, James P. Kinney III wrote:
> On Mon, 2004-07-05 at 23:16, Christopher Fowler wrote:
> > <a rel="nofollow" href="http://www.hotbrick.com/vpn1200.html";>http://www.hotbrick.com/vpn1200.html</a>
> >
> > Try that one out.
> >
> > I know I'll draw flames bit I tend to see two mindsets in this list
> > group.
> >
> > The first one is those who want to reinvent the wheel to learn the
> > internals. The others are those who value their money far more than their
> > time.
>
> That's one way to look at it. I usually wind up in the "reinvent the
> wheel" camp as I want to _know_ what is going on with what I support. In
> reality, I don't reinvent the wheel, though. I do what Linux is based. I
> start from the work of giants before me and tailor a solution to my
> clients needs. Most of the time the "standard" solutions are just fine.
> Over time, however, all of the standard solutions turn into custom
> solutions as the clients needs change. I've been locked into situations
> before using "smart" hardware. It is an unsatisfying experience being
> tasked with fitting the square peg into the round hole.
>
> > When you start doing consultgin you realize that your time could
> > be valuable. You start doing crazy stuff like paying other people
> > to cut your grass.
>
> Yep. I have a 12 year old who knows how to use a boot floppy with Fedora
> Core 2 and a series of kickstart files I've been modifying over time.
> Beats me having to "cut my own grass". :)
>
> > On Mon, Jul 05, 2004 at 11:01:07PM -0400, David Hamm wrote:
> > > Chris,
> > >
> > > > Sub $100 is a good target but might not have all the features.
> > >
> > > Your right and that's why I posed the question to the group. The unit
> > > I am considering is this one.
> > >
> > > <a rel="nofollow" href="http://www.netgear.com/products/details/FVL328.php?view=sb";>http://www.netgear.com/products/details/FVL328.php?view=sb</a>
> > >
> > > It sells for around $400.00 but doesn't support OSPF. I was hoping
> > > someone on the list had experience some other vendor and could suggest
> > > a firewall that did support OSPF Recently I installed a layer 3 switch
> > > from D-Link the price was much less than expected, it worked great and
> > > was easy to set up. I'd hoped to get a simlar experience from on this
> > > firewall
> > >
> > > Thanks for your suggestions. I seem to remember something about a
> > > "hot? brick" firewall too.
> > >
> > > On Monday 05 July 2004 09:41 pm, Christopher Fowler wrote:
> > > > Honestly though what I do at home is different that what I would
> > > > reccomend a commercail outfit. I would never ask one of my customers
> > > > to go to BestBuy and purchase a firewall for their corporation.
> > > >
> > > > I've seen a sub $500 product that also looked good. It was called a
> > > > Hot Brick. I believe the 12 port unit was $600 and the 6 port was
> > > > under 5. In reality all I need for my firewall device is a Wan port
> > > > and Lan port. Cisco switches can make up for the rest.
> > > >
> > > > I have a habit of buying cheap switches from Micro Center that have
> > > > rebates. For me that is okay. I have many on the network and it
> > > > seems that they just do not like to work very well together. I have
> > > > to place my laptop on an old 10mb hub because SMB traffic fails on
> > > > these switches. Everything else works great. It could be Zinc
> > > > Whiskers or the fact these are cheap products that are geared for the
> > > > end user at home.
> > > >
> > > > On Mon, Jul 05, 2004 at 05:36:16PM -0400, David Hamm wrote:
> > > > > On Monday 05 July 2004 11:13 am, James P. Kinney III wrote:
> > > > > > There is a series of firewall products whose name brand escapes
> > > > > > me (search on slashdot) that has a backdoor password that was
> > > > > > embedded. The patch was a flash upgrade that turned off the
> > > > > > password use from the outside connection. Further study showed
> > > > > > the power reset would revert back to the default allow remote
> > > > > > login with backdoor password.
> > > > >
> > > > > The units you are speaking of are Linksys's WRT54G and NetGear's
> > > > > WG602. They are both both wireless gateways and I didn't find
> > > > > similar problems with other products from these manufacturers.
> > > > >
> > > > > > see above. If I get the time today, I'll dig up the references I
> > > > > > was reading on this. It's about 2 months old (or so)
> > > > > >
> > > > > > The VPN in many off the shelf devices is PPtP which has numerous,
> > > > > > well known vulnerabilities. PPtP is used often as it is easy to
> > > > > > do and older M$ machines support it easily with little support
> > > > > > needed to set it up.
> > > > > >
> > > > > > When I think of a VPN, I'm thinking IPSec with pre-shared keys.
> > > > > > There are many firewall boxes that support IPSec with pre-shared
> > > > > > keys. None are in the $100 range. All require additional license
> > > > > > purchase for multiple VPN client access.
> > > > > >
> > > > > > A _real_ VPN server can act as the end point for the VPN tunnel.
> > > > > > Most of the firewall devices out there _support_ VPN by merely
> > > > > > passing IPSec datagrams freely. They do not act as a VPN server
> > > > > > or client.
> > > > >
> > > > > Take a look at this. If you still don't believe they do IPSec we
> > > > > can have a VNC session and you can watch me set up a couple of
> > > > > tunnels if you still don't believe it.
> > > > >
> > > > > <a rel="nofollow" href="http://netgear.com/products/prod_details.php?prodID=129&view=sb";>http://netgear.com/products/prod_details.php?prodID=129&view=sb</a>
> > > > >
> > > > > > **NOTE** I don't regularly check all the stats on new network
> > > > > > hardware that does in silicon what I prefer to do in RAM. The
> > > > > > last sweep of firewall technology I did was Feb. 2004 and that
> > > > > > was of corporate firewall products that support IPSec. None of
> > > > > > those was less than $1500.
> > > > > >
> > > > > > > > All of the off-the-shelf firewall devices are generic boxes
> > > > > > > > that are cookie cutter rule sets for a limited set of
> > > > > > > > protection scenarios. The ability to ssh into the firewall
> > > > > > > > and adjust as needed is absolutely priceless.
> > > > > > >
> > > > > > > Yes, I like ssh and IPtables too but this isn't a problem for
> > > > > > > that solution.
> > > > > >
> > > > > > Then have the client spend the $100 for "The Emperors New
> > > > > > Clothes" firewall product. Make sure you get a release of
> > > > > > liability document signed before you put it in. If it is a
> > > > > > product that _you_ recommend, you WILL be the first person called
> > > > > > on a problem. I have found supporting products that I don't have
> > > > > > complete and full access to difficult at best and impossible at
> > > > > > worst. I don't like being in the position of having the
> > > > > > responsibility for a situation but not the authority to do what I
> > > > > > see is best to make the solution happen.
> > > > >
> > > > > I'm sorry, this discussion has ended as far as I am concerned. The
> > > > > only real help I got was from Chris suggesting I look at a new
> > > > > vendor. The above comments don't posses and characteristics of
> > > > > prductive dialog and could easily be detrimental to some.
> > > > >
> > > > > > > On Sunday 04 July 2004 08:31 pm, James P. Kinney III wrote:
> > > > > > > > On Sun, 2004-07-04 at 16:15, David Hamm wrote:
> > > > > > > > > Thanks for the links and suggestions but this firewall is
> > > > > > > > > for a client and building a custom firewall will not be
> > > > > > > > > price competitive; Especially if you consider the ease of
> > > > > > > > > use available for $100 from Netgear and D-Link.
> > > > > > > >
> > > > > > > > Both of those have known security issues. Neither support VPN
> > > > > > > > connections directly. Having a hardware device that has had a
> > > > > > > > backdoor password that is HARDCODED into the silicon and well
> > > > > > > > published is a waste of cash. One the power blinks, they go
> > > > > > > > back to the default backdoor settings.
> > > > > > > >
> > > > > > > > The upfront cost of buying a supportable setup is negligible
> > > > > > > > compared to the replacement cost over time of upgrading the
> > > > > > > > firewall hardware system everytime a new feature to stop a
> > > > > > > > new style of attack is not upgradeable by a flash of the
> > > > > > > > bios.
> > > > > > > >
> > > > > > > > All of the off-the-shelf firewall devices are generic boxes
> > > > > > > > that are cookie cutter rule sets for a limited set of
> > > > > > > > protection scenarios. The ability to ssh into the firewall
> > > > > > > > and adjust as needed is absolutely priceless.
> > > > > > > >
> > > > > > > > Besides, how else are you going to run Bob's ruleset?!
> > > > > > > >
> > > > > > > > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > > > > > > > David Hamm wrote:
> > > > > > > > > > > Hi,
> > > > > > > > > > >
> > > > > > > > > > > I'm looking for a firewall that supports IPSEC for VPN
> > > > > > > > > > > and OSPF. Netgear has
> > > > > > > > > > > stuff I found attractive but with no OSPF support.
> > > > > > > > > > > Moving parts (ie fans and
> > > > > > > > > > > disks ), and user licensing are out. Anyone have any
> > > > > > > > > > > suggestions?
> > > > > > > > > > >
> > > > > > > > > > > Thanks.
> > > > > > > > > > > _______________________________________________
> > > > > > > > > > > Ale mailing list
> > > > > > > > > > > Ale at ale.org
> > > > > > > > > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> > > > > > > > > >
> > > > > > > > > > Look at building it yourself using Slackware, Bob Toxen's
> > > > > > > > > > second edition of his book, and a Epia based fanless
> > > > > > > > > > supersmall machine with dual builtin NICs. His book has
> > > > > > > > > > drop in iptables rules that are excellent. Once you get
> > > > > > > > > > that far then going thru the IPSEC Howto is not too
> > > > > > > > > > difficult. Just involves a kernel module compile and
> > > > > > > > > > insertion.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Links:
> > > > > > > > > > <a rel="nofollow" href="http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3";>http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3</a>
> > > > > > > > > > <a rel="nofollow" href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html";>http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>
> > > > > > > > > > <a rel="nofollow" href="http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daem";>http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daem</a>
> > > > > > > > > >ons.ht ml (this is one idea)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Ale mailing list
> > > > > > > > > > Ale at ale.org
> > > > > > > > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > Ale mailing list
> > > > > > > > > Ale at ale.org
> > > > > > > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Ale mailing list
> > > > > > > Ale at ale.org
> > > > > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> > > > >
> > > > > _______________________________________________
> > > > > Ale mailing list
> > > > > Ale at ale.org
> > > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> > > >
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> >
> > !DSPAM:40ea18c2181221150815787!
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00193" href="msg00193.html">[ale] OT: Firewall purchase</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00073" href="msg00073.html">[ale] OT: Firewall purchase</a></strong>
<ul><li><em>From:</em> ale at spinnerdog.com (David Hamm)</li></ul></li>
<li><strong><a name="00139" href="msg00139.html">[ale] OT: Firewall purchase</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Christopher Fowler)</li></ul></li>
<li><strong><a name="00160" href="msg00160.html">[ale] OT: Firewall purchase</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00180.html">[ale] Sound problems in Debian 2.6 kernel</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00182.html">[ale] Sound problems in Debian 2.6 kernel</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00169.html">[ale] OT: Firewall purchase</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00193.html">[ale] OT: Firewall purchase</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00181"><strong>Date</strong></a></li>
<li><a href="threads.html#00181"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>