[ale] Buy vs. build

Ken Price lists at nettwrek.com
Thu May 5 23:46:33 EDT 2011



David, 

You're asking a bunch of unrelated questions that would take
days explaining, so let's just concentrate on the firewall piece since
you say it's dying. The answer is simple. Buy an expensive commercial
one and be limited in functionality and tied to licenses, with the
benefit of [theoretically] quick commercial support and stability. Or,
build one from scratch that's catered to your needs and can be easily
and cheaply extended in the future ... at the substantial cost of
in-house knowledge. As another poster mentioned, look at Vyatta. Runs on
commodity hardware, gives you VRRP capabilities for failover between
devices, OpenVPN client/server integration, built-in IDS/IPS using
Snort, IPv6 capable, web GUI management interface and/or CLI, has a free
community edition and/or licensed with paid support. Best of both
worlds.

OpenVPN and AD integration? Possible? Yes. Easy and free? No.


At the end of the day, what is your skillset and your ability? If you
can get all this working in short order and easily maintain it, document
it, and easily pass it on to another Linux admin should you die or leave
the company, then by all means build your own. If you've never heard of
VRRP or CARP, or don't have a sound understanding of routing and VPNs, then
let your boss buy the expensive one. It's not your money and doesn't set
you up for failure.

Regards,
Ken 

On Thu, 5 May 2011 13:36:26 -0400,
David Hillman wrote:

> Our firewall is close to dead. My boss wants to
> buy an expensive one. I think it's better to build. We had problems
> extending the old firewall, plus it would give us a chance to actually
> have OpenVPN on the firewall box itself. The trouble is figuring out how
> to get to a working solution that's flexible and affordable. Should we
> go with a trihomed solution? Should OpenVPN then listen on all
> interfaces, or just the external one? How does this all fit in with our
> Active Directory and DNS server? Can OpenVPN easily deal with Active
> Directory? How should packets be routed from the VPN connection to the
> internal network and to the DMZ? Should we go with a powerful little box
> that has iptables on the hardware and something like VirtualBox +
> phpVirtualBox for everything else? By the way, we were using a Secure
> Computing box before.
>
> The AD box can then be virtualized and
> consolidated inside the one physical box. Our web box (virtualized) and
> file server box would still stay separate. Then, how do we tie the
> virtualized AD service back into the LAN? Through the internal network
> interface via virtual switch? What are the chances of the firewall box
> failing? Of course, we were thinking of a Mini-ITX board with Intel Atom
> (no fans) and RAID 1 SSD drives. Are there any good books dealing with
> issues like these? I can understand buying to save time, but how many
> headaches do you have to put up with down the road
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20110505/280a9b90/attachment.html 
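Two of the questions in the quoted message (should OpenVPN listen only on the external interface, and how VPN traffic gets to the LAN and the DMZ) come down to a small iptables policy on a trihomed box. The script below is an added example written for this archive page; it is not code from either poster. The interface names, subnets and port are assumptions; in OpenVPN's server.conf the matching restriction is `local <external IP>` so the daemon binds only to the outside address. Set `IPT=echo` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: OpenVPN forwarding policy for a trihomed firewall.
# Every interface name, subnet and port below is an assumption.
set -eu

EXT_IF="${EXT_IF:-eth0}"            # Internet-facing interface (assumed)
LAN_IF="${LAN_IF:-eth1}"            # internal LAN (assumed)
DMZ_IF="${DMZ_IF:-eth2}"            # DMZ (assumed)
VPN_IF="${VPN_IF:-tun0}"            # OpenVPN tunnel interface (assumed)
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # OpenVPN client address pool (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"
VPN_PORT="${VPN_PORT:-1194}"
IPT="${IPT:-iptables}"              # IPT=echo gives a dry run

# Accept OpenVPN only on the external interface. The LAN and DMZ
# interfaces get no rule, so they fall through to the INPUT chain's
# default policy, which on a firewall should be DROP.
vpn_input_rules() {
    "$IPT" -A INPUT -i "$EXT_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
}

# Stateful forwarding: VPN clients may originate connections into the
# LAN and the DMZ; replies come back via the ESTABLISHED rule; anything
# else leaving the tunnel (for instance bouncing back out to the
# Internet) is dropped explicitly and logged.
vpn_forward_rules() {
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$VPN_IF" -s "$VPN_NET" -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$VPN_IF" -s "$VPN_NET" -o "$DMZ_IF" -d "$DMZ_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$VPN_IF" -j LOG --log-prefix "vpn-fwd-drop: "
    "$IPT" -A FORWARD -i "$VPN_IF" -j DROP
}

# Nothing is applied unless the script is invoked with --apply, so
# sourcing it (or running it for a dry run) touches no live ruleset.
if [ "${1:-}" = "--apply" ]; then
    vpn_input_rules
    vpn_forward_rules
fi
```

Preview with `IPT=echo sh vpn-rules.sh --apply`; the LOG rule before the final DROP is what makes a misrouted client visible in the kernel log instead of silently disappearing. Reaching the DMZ from the VPN is a deliberate choice here; if VPN users only need the LAN, delete that one ACCEPT line and the DMZ stays unreachable from the tunnel.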

