[ale] OT: Firewall purchase

David Hamm ale at spinnerdog.com
Tue Jul 6 21:36:40 EDT 2004


> I've been locked into situations
> before using "smart" hardware. It is an unsatisfying experience being
> tasked with fitting the square peg into the round hole.
Me too.  That's probably why I'm so attracted to the cheap stuff.  It has much 
less gravitational resistance to the bottom of a trash can 6 months later when a 
new-fangled one comes out.

> Yep. I have a 12 year old who knows how to use a boot floppy with Fedora
> Core 2 and a series of kickstart files I've been modifying over time.
> Beats me having to "cut my own grass".  :)
Hmmmm... Knows kickstart installs and mows grass.  That's a strong resume.    
Is he financially motivated? 


On Tuesday 06 July 2004 02:19 pm, James P. Kinney III wrote:
> On Mon, 2004-07-05 at 23:16, Christopher Fowler wrote:
> > http://www.hotbrick.com/vpn1200.html
> >
> > Try that one out.
> >
> > I know I'll draw flames but I tend to see two mindsets in this list
> > group.
> >
> > The first one is those who want to reinvent the wheel to learn the
> > internals. The others are those who value their money far more than their
> > time.
>
> That's one way to look at it. I usually wind up in the "reinvent the
> wheel" camp as I want to _know_ what is going on with what I support. In
> reality, I don't reinvent the wheel, though. I do what Linux is based on. I
> start from the work of giants before me and tailor a solution to my
> clients' needs. Most of the time the "standard" solutions are just fine.
> Over time, however, all of the standard solutions turn into custom
> solutions as the clients' needs change. I've been locked into situations
> before using "smart" hardware. It is an unsatisfying experience being
> tasked with fitting the square peg into the round hole.
>
> > When you start doing consulting you realize that your time could
> > be valuable.  You start doing crazy stuff like paying other people
> > to cut your grass.
>
> Yep. I have a 12 year old who knows how to use a boot floppy with Fedora
> Core 2 and a series of kickstart files I've been modifying over time.
> Beats me having to "cut my own grass".  :)
>
> > On Mon, Jul 05, 2004 at 11:01:07PM -0400, David Hamm wrote:
> > > Chris,
> > >
> > > > Sub $100 is a good target but might not have all the features.
> > >
> > > You're right and that's why I posed the question to the group.  The unit
> > > I am considering is this one.
> > >
> > > http://www.netgear.com/products/details/FVL328.php?view=sb
> > >
> > > It sells for around $400.00 but doesn't support OSPF.  I was hoping
> > > someone on the list had experience with some other vendor and could
> > > suggest a firewall that did support OSPF.  Recently I installed a layer 3
> > > switch from D-Link; the price was much less than expected, it worked
> > > great and was easy to set up.  I'd hoped to get a similar experience
> > > from this firewall.
> > >
> > > Thanks for your suggestions.  I seem to remember something about a
> > > "hot? brick" firewall too.
> > >
> > > On Monday 05 July 2004 09:41 pm, Christopher Fowler wrote:
> > > > Honestly though, what I do at home is different than what I would
> > > > recommend to a commercial outfit.  I would never ask one of my customers
> > > > to go to BestBuy and purchase a firewall for their corporation.
> > > >
> > > > I've seen a sub $500 product that also looked good.  It was called a
> > > > Hot Brick. I believe the 12 port unit was $600 and the 6 port was
> > > > under 5.  In reality all I need for my firewall device is a WAN port
> > > > and a LAN port. Cisco switches can make up for the rest.
> > > >
> > > > I have a habit of buying cheap switches from Micro Center that have
> > > > rebates. For me that is okay.  I have many on the network and it
> > > > seems that they just do not like to work very well together.  I have
> > > > to place my laptop on an old 10mb hub because SMB traffic fails on
> > > > these switches. Everything else works great.  It could be Zinc
> > > > Whiskers or the fact these are cheap products that are geared for the
> > > > end user at home.
> > > >
> > > > On Mon, Jul 05, 2004 at 05:36:16PM -0400, David Hamm wrote:
> > > > > On Monday 05 July 2004 11:13 am, James P. Kinney III wrote:
> > > > > > There is a series of firewall products whose name brand escapes
> > > > > > me (search on slashdot) that has a backdoor password that was
> > > > > > embedded. The patch was a flash upgrade that turned off the
> > > > > > password use from the outside connection. Further study showed
> > > > > > the power reset would revert back to the default allow remote
> > > > > > login with backdoor password.
> > > > >
> > > > > The units you are speaking of are Linksys's WRT54G and NetGear's
> > > > > WG602. They are both wireless gateways and I didn't find
> > > > > similar problems with other products from these manufacturers.
> > > > >
> > > > > > see above. If I get the time today, I'll dig up the references I
> > > > > > was reading on this. It's about 2 months old (or so)
> > > > > >
> > > > > > The VPN in many off the shelf devices is PPtP which has numerous,
> > > > > > well known vulnerabilities. PPtP is used often as it is easy to
> > > > > > do and older M$ machines support it easily with little support
> > > > > > needed to set it up.
> > > > > >
> > > > > > When I think of a VPN, I'm thinking IPSec with pre-shared keys.
> > > > > > There are many firewall boxes that support IPSec with pre-shared
> > > > > > keys. None are in the $100 range. All require additional license
> > > > > > purchase for multiple VPN client access.
> > > > > >
> > > > > > A _real_ VPN server can act as the end point for the VPN tunnel.
> > > > > > Most of the firewall devices out there _support_ VPN by merely
> > > > > > passing IPSec datagrams freely. They do not act as a VPN server
> > > > > > or client.
> > > > >
> > > > > Take a look at this.  If you still don't believe they do IPSec we
> > > > > can have a VNC session and you can watch me set up a couple of
> > > > > tunnels if you still don't believe it.
> > > > >
> > > > > http://netgear.com/products/prod_details.php?prodID=129&view=sb
> > > > >
> > > > > > **NOTE** I don't regularly check all the stats on new network
> > > > > > hardware that does in silicon what I prefer to do in RAM. The
> > > > > > last sweep of firewall technology I did was Feb. 2004 and that
> > > > > > was of corporate firewall products that support IPSec. None of
> > > > > > those was less than $1500.
> > > > > >
> > > > > > > > All of the off-the-shelf firewall devices are generic boxes
> > > > > > > > that are cookie cutter rule sets for a limited set of
> > > > > > > > protection scenarios. The ability to ssh into the firewall
> > > > > > > > and adjust as needed is absolutely priceless.
> > > > > > >
> > > > > > > Yes, I like ssh and IPtables too but this isn't a problem for
> > > > > > > that solution.
> > > > > >
> > > > > > Then have the client spend the $100 for "The Emperors New
> > > > > > Clothes" firewall product. Make sure you get a release of
> > > > > > liability document signed before you put it in. If it is a
> > > > > > product that _you_ recommend, you WILL be the first person called
> > > > > > on a problem. I have found supporting products that I don't have
> > > > > > complete and full access to difficult at best and impossible at
> > > > > > worst. I don't like being in the position of having the
> > > > > > responsibility for a situation but not the authority to do what I
> > > > > > see is best to make the solution happen.
> > > > >
> > > > > I'm sorry, this discussion has ended as far as I am concerned.  The
> > > > > only real help I got was from Chris suggesting I look at a new
> > > > > vendor.  The above comments don't possess any characteristics of
> > > > > productive dialog and could easily be detrimental to some.
> > > > >
> > > > > > > On Sunday 04 July 2004 08:31 pm, James P. Kinney III wrote:
> > > > > > > > On Sun, 2004-07-04 at 16:15, David Hamm wrote:
> > > > > > > > > Thanks for the links and suggestions but this firewall is
> > > > > > > > > for a client and building a custom firewall will not be
> > > > > > > > > price competitive, especially if you consider the ease of
> > > > > > > > > use available for $100 from Netgear and D-Link.
> > > > > > > >
> > > > > > > > Both of those have known security issues. Neither supports VPN
> > > > > > > > connections directly. Having a hardware device that has had a
> > > > > > > > backdoor password that is HARDCODED into the silicon and well
> > > > > > > > published is a waste of cash. Once the power blinks, they go
> > > > > > > > back to the default backdoor settings.
> > > > > > > >
> > > > > > > > The upfront cost of buying a supportable setup is negligible
> > > > > > > > compared to the replacement cost over time of upgrading the
> > > > > > > > firewall hardware system every time a new feature to stop a
> > > > > > > > new style of attack is not upgradeable by a flash of the
> > > > > > > > BIOS.
> > > > > > > >
> > > > > > > > All of the off-the-shelf firewall devices are generic boxes
> > > > > > > > that are cookie cutter rule sets for a limited set of
> > > > > > > > protection scenarios. The ability to ssh into the firewall
> > > > > > > > and adjust as needed is absolutely priceless.
> > > > > > > >
> > > > > > > > Besides, how else are you going to run Bob's ruleset?!
> > > > > > > >
> > > > > > > > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > > > > > > > David Hamm wrote:
> > > > > > > > > > > Hi,
> > > > > > > > > > >
> > > > > > > > > > > I'm looking for a firewall that supports IPSEC for VPN
> > > > > > > > > > > and OSPF. Netgear has stuff I found attractive but with
> > > > > > > > > > > no OSPF support. Moving parts (i.e. fans and disks) and
> > > > > > > > > > > user licensing are out. Anyone have any suggestions?
> > > > > > > > > > >
> > > > > > > > > > > Thanks.
> > > > > > > > > > > _______________________________________________
> > > > > > > > > > > Ale mailing list
> > > > > > > > > > > Ale at ale.org
> > > > > > > > > > > http://www.ale.org/mailman/listinfo/ale
> > > > > > > > > >
> > > > > > > > > > Look at building it yourself using Slackware, Bob Toxen's
> > > > > > > > > > second edition of his book, and an Epia-based fanless
> > > > > > > > > > supersmall machine with dual built-in NICs.  His book has
> > > > > > > > > > drop-in iptables rules that are excellent. Once you get
> > > > > > > > > > that far then going thru the IPSEC Howto is not too
> > > > > > > > > > difficult.  Just involves a kernel module compile and
> > > > > > > > > > insertion.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Links:
> > > > > > > > > > http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3
> > > > > > > > > > http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
> > > > > > > > > > http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html (this is one idea)
> > > > > > > > > >