[ale] OT: Firewall purchase

Greg runman at speedfactory.net
Mon Jul 5 12:28:08 EDT 2004


OpenBSD with PF will do all of this and more - but it does require some time
(for me anyway) to do IPSec and VPNs and fail-over and such.  OpenBSD does
not cost anything so that is the driving force for me.  It might work for
you if you can do it easily, but in your original post I know you did not
want to put too much time into it.  Might be worth a look-see to check it
out, however.

Greg

> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org]On Behalf Of James
> P. Kinney III
> Sent: Monday, July 05, 2004 11:14 AM
> To: Atlanta Linux Enthusiasts
> Subject: Re: [ale] OT: Firewall purchase
>
>
> On Sun, 2004-07-04 at 23:37, David Hamm wrote:
> > Are you suggesting that a power blink will cause the firewall to replace its
> > remote access password with a default/HARDCODED password?
>
> There is a series of firewall products whose name brand escapes me
> (search on slashdot) that has a backdoor password that was embedded. The
> patch was a flash upgrade that turned off the password use from the
> outside connection. Further study showed the power reset would revert
> back to the default allow remote login with backdoor password.
>
>
> >
> > > Both of those have known security issues.
> > Last time I looked the only security issue with NetGear's FVS318 had to do
> > with a buffer overflow on the remote access login.  The overflow would cause
> > a reboot of the unit and no other side effects.  A rule that only permits
> > access from a couple of specific known hosts reduces exposure to this.  If
> > you have a link with more info please pass it along.
>
> see above. If I get the time today, I'll dig up the references I was
> reading on this. It's about 2 months old (or so)
> >
> > > Neither support VPN connections directly.
> > Huh?  I just put a VPN together a couple months ago with a pair of FVS318s.
> > It also worked two years ago when I tested the ability of the FVS318 to
> > connect to a Nortel 1510.  We could make the connection but the two units
> > couldn't negotiate a routing protocol.
>
> The VPN in many off-the-shelf devices is PPTP which has numerous, well
> known vulnerabilities. PPTP is used often as it is easy to do and older
> M$ machines support it easily with little support needed to set it up.
>
> When I think of a VPN, I'm thinking IPSec with pre-shared keys. There
> are many firewall boxes that support IPSec with pre-shared keys. None
> are in the $100 range. All require additional license purchase for
> multiple VPN client access.
>
> A _real_ VPN server can act as the end point for the VPN tunnel. Most of
> the firewall devices out there _support_ VPN by merely passing IPSec
> datagrams freely. They do not act as a VPN server or client.
>
> **NOTE** I don't regularly check all the stats on new network hardware
> that does in silicon what I prefer to do in RAM. The last sweep of
> firewall technology I did was Feb. 2004 and that was of corporate
> firewall products that support IPSec. None of those was less than $1500.
> >
> > > All of the off-the-shelf firewall devices are generic boxes that are
> > > cookie cutter rule sets for a limited set of protection scenarios. The
> > > ability to ssh into the firewall and adjust as needed is absolutely
> > > priceless.
> > Yes, I like ssh and IPtables too but this isn't a problem for that solution.
>
> Then have the client spend the $100 for "The Emperor's New Clothes"
> firewall product. Make sure you get a release of liability document
> signed before you put it in. If it is a product that _you_ recommend,
> you WILL be the first person called on a problem. I have found
> supporting products that I don't have complete and full access to
> difficult at best and impossible at worst. I don't like being in the
> position of having the responsibility for a situation but not the
> authority to do what I see is best to make the solution happen.
> >
> >
> >
> > On Sunday 04 July 2004 08:31 pm, James P. Kinney III wrote:
> > > On Sun, 2004-07-04 at 16:15, David Hamm wrote:
> > > > Thanks for the links and suggestions but this firewall is for a client
> > > > and building a custom firewall will not be price competitive; especially
> > > > if you consider the ease of use available for $100 from Netgear and
> > > > D-Link.
> > >
> > > Both of those have known security issues. Neither supports VPN
> > > connections directly. Having a hardware device that has had a backdoor
> > > password that is HARDCODED into the silicon and well published is a
> > > waste of cash. Once the power blinks, they go back to the default
> > > backdoor settings.
> > >
> > > The upfront cost of buying a supportable setup is negligible compared to
> > > the replacement cost over time of upgrading the firewall hardware system
> > > every time a new feature to stop a new style of attack is not upgradeable
> > > by a flash of the bios.
> > >
> > > All of the off-the-shelf firewall devices are generic boxes that are
> > > cookie cutter rule sets for a limited set of protection scenarios. The
> > > ability to ssh into the firewall and adjust as needed is absolutely
> > > priceless.
> > >
> > > Besides, how else are you going to run Bob's ruleset?!
> > >
> > > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > > David Hamm wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I'm looking for a firewall that supports IPSEC for VPN and OSPF.
> > > > > > Netgear has stuff I found attractive but with no OSPF support.
> > > > > > Moving parts (i.e. fans and disks), and user licensing are out.
> > > > > > Anyone have any suggestions?
> > > > > >
> > > > > > Thanks.
> > > > > > _______________________________________________
> > > > > > Ale mailing list
> > > > > > Ale at ale.org
> > > > > > http://www.ale.org/mailman/listinfo/ale
> > > > >
> > > > > Look at building it yourself using Slackware, Bob Toxen's second
> > > > > edition of his book, and an Epia based fanless supersmall machine with
> > > > > dual built-in NICs.  His book has drop in iptables rules that are
> > > > > excellent. Once you get that far then going thru the IPSEC Howto is not
> > > > > too difficult.  Just involves a kernel module compile and insertion.
> > > > >
> > > > >
> > > > >
> > > > > Links:
> > > > > http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3
> > > > > http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
> > > > >
> > > > > http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html (this
> > > > > is one idea)
> > > > >
> > > > >
> > > >
> --
> James P. Kinney III          \Changing the mobile computing world/
> CEO & Director of Engineering \          one Linux user         /
> Local Net Solutions,LLC        \           at a time.          /
> 770-493-8244                    \.___________________________./
> http://www.localnetsolutions.com
>
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>
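Greg's point at the top of the thread is that OpenBSD with PF covers the whole list from the original question: a firewall that terminates the IPsec tunnel itself rather than merely passing IPsec datagrams through, talks OSPF on the inside, and takes remote administration only from a couple of known hosts (the mitigation David Hamm describes for the FVS318 login overflow). The pf.conf below is an added example written for this archive page; it is not Greg's configuration and not from the OpenBSD project. The interface names (em0, em1), the LAN and peer addresses, and the two admin hosts are placeholders, the IKE daemon that actually negotiates the tunnel is assumed to be configured separately, and the syntax (match/nat-to, implicit keep state) is that of current OpenBSD releases, which is newer than the 2004 pf this thread would have used.

```pf
# Added example: pf.conf for an OpenBSD box acting as the firewall, the IPsec
# tunnel endpoint and an OSPF speaker.  Not Greg's config and not from the
# OpenBSD project; interface names, addresses and the peer are placeholders.
ext_if      = "em0"                         # assumed external interface
int_if      = "em1"                         # assumed internal interface
lan_net     = "10.0.0.0/24"                 # assumed local LAN
remote_lan  = "10.1.0.0/24"                 # assumed LAN behind the IPsec peer
peer_gw     = "198.51.100.1"                # assumed public address of the peer gateway
admin_hosts = "{ 192.0.2.10, 192.0.2.11 }"  # assumed known management hosts

set skip on lo
set block-policy drop

# Source-address sanity on the inside interface.
antispoof quick for $int_if

# Default deny; drops are logged to pflog0 so they can be watched with tcpdump.
block log all

# Weak setting (left disabled): remote login reachable from anywhere.
# pass in on $ext_if proto tcp to ($ext_if) port 22
# Instead, ssh to the firewall only from a couple of known admin hosts.
pass in quick on $ext_if proto tcp from $admin_hosts to ($ext_if) port 22

# IPsec terminated on this box: IKE (500), NAT-T (4500) and ESP are accepted
# only from the peer gateway.  A device that merely "passes IPsec datagrams"
# would forward these to an inside host and never see the decrypted traffic.
pass in  on $ext_if proto udp from $peer_gw to ($ext_if) port { 500, 4500 }
pass in  on $ext_if proto esp from $peer_gw to ($ext_if)
pass out on $ext_if proto { udp, esp } from ($ext_if) to $peer_gw

# Decrypted traffic shows up on enc0; permit only the two LANs and the
# gateway-to-gateway IP-in-IP encapsulation used by tunnel mode.
pass in  on enc0 proto ipencap from $peer_gw to ($ext_if) keep state (if-bound)
pass in  on enc0 from $remote_lan to $lan_net keep state (if-bound)
pass out on enc0 from $lan_net to $remote_lan keep state (if-bound)
pass out on $int_if from $remote_lan to $lan_net

# OSPF (IP protocol 89) with the inside routers, on the inside interface only.
pass on $int_if proto ospf

# LAN out to the Internet is NATed; traffic for the remote LAN stays un-NATed
# so it matches the IPsec flows and goes into the tunnel.
match out on $ext_if inet from $lan_net to ! $remote_lan nat-to ($ext_if)
pass in  on $int_if from $lan_net
pass out on $ext_if
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; dropped packets can be watched with `tcpdump -n -e -ttt -i pflog0`. The management rule is the one that matters for the exposure David Hamm describes: with `block log all` as the default and only the two admin hosts allowed to port 22, a login-handler bug is reachable from those hosts alone, and every other attempt is logged rather than answered.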


