[ale] Buy vs. build

David Hillman hillmands at gmail.com
Fri May 6 20:06:56 EDT 2011


Thanks Ken, Rich, Scott, JD, Raj.  The story of how me and my coworker, Al,
fell into this is a long one.  Let's just say our main network guy took off
a few months back.  Nothing was documented about the network.  We are a
10-person marketing team with 2 developers.  I am one of two web/app
developers.  Al is the other developer.  My networking skills only includes
running Apache and Nginx at home for Web/proxy stuff and flashing my Cisco
Linksys router with dd-wrt firmware.

We eventually hope to get someone more qualified to handle the
implementation, but Al and I were voted most capable of at least
architecting a good design.  Our grand plan is use our software development
techniques, which is to read as much as we can--TCP/IP Guide, Network
Warrior, Network Flow Analysis, etc--and compile a list of designs/patterns
that should give us good performance and fantastic security.  Our
understanding of the tools is limited, but security analysis can be done
independently of the medium data has to flow through (we think).  After
that, we can at least look like more than fools in front of the actual
experts.

In the meantime, the dying firewall has been replaced by a Cisco box running
dd-wrt (VPN version). We are using the VLAN capability to implement a DMZ
and a Cisco wireless access point to do wireless stuff until we can come up
with something better.  Hopefully, in the future we can have another
firewall built that may be running pfSense or something else.

This is actually turning out to be a fun exercise.  The Network Flow
Analysis book by Michael Lucas is great.  Seeing how packets travel from
place to place is really exciting stuff.  Software development seems boring
in comparison.

On Thu, May 5, 2011 at 11:46 PM, Ken Price <lists at nettwrek.com> wrote:

> David,
>
> You're asking a bunch of unrelated questions that would take days
> explaining, so lets just concentrate on the firewall piece since you say
> it's dying.  The answer is simple.  Buy an expensive commercial one and be
> limited in functionality and tied to licenses, with the benefit of
> [theoretically] quick commercial support and stability.  Or, build one from
> scratch that's catered to your needs and can be easily and cheaply extended
> in the future ... at the substantial cost of in-house knowledge.  As another
> poster mentioned, look at Vyatta.  Runs on commodity hardware, gives you
> VRRP capabilities for failover between devices, openvpn client/server
> integration, built in IDS/IPS using snort, IPV6 capable, Webgui management
> interface and/or CLI, has a free community edition and/or licensed with paid
> support.  Best of both worlds.
>
> Openvpn and AD integration?  Possible?  Yes.  Easy and Free?  No.
>
> At the end of the day, what is your skillset and your ability?  If you can
> get all this working in short order and easily maintain it, document it, and
> easily pass it on to another linux admin should you die or leave the
> company, then by all means build your own.  If you've never heard of VRRP,
> CARP, or don't have a sound understand of routing and VPN's, then let your
> boss by the expensive one.  It's not your money and doesn't set you up for
> failure.
>
> Regards,
> Ken
>
>
>
>
>
> On Thu, 5 May 2011 13:36:26 -0400, David Hillman wrote:
>
> Our firewall is close to dead.  My boss wants to buy an expensive one.  I
> think it's better to build.  We had problems extending the old firewall,
> plus it would give us a chance to actually have OpenVPN on the firewall box
> itself.  The trouble is figuring out how to get to a working solution that's
> flexible and affordable.  Should we go with a trihomed solution?  Should
> OpenVPN then listen on all interfaces, or just the external one?  How does
> this all fit in with our Active Directory and DNS server?  Can OpenVPN
> easily deal with Active Directory?  How should packets be routed from the
> VPN connection to the internal network and to the DMZ?  Should we go with a
> powerful little box that has iptables on the hardware and something like
> Virtualbox + PHPVirtualbox for everything else?  By the way, we were using a
> Secure Computing box before.
>  The AD box can then be virtualized and consolidated inside the one
> physical box.  Our web box (virtualized) and file server box would still
> stay separate.  Then, how do we tie the virtualized AD service back into the
> LAN?  Through the internal network interface via virtual switch?  What are
> the chances of the firewall box failing?  Of course, we were thinking of a
> Mini-ITX board with Intel Atom (no fans) and RAID 1 SSD drives.  Are there
> any good books dealing with issues like these?  I can understand buying to
> save time, but how many headaches do you have to put up with down the road
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20110506/d1ea55aa/attachment.html 


More information about the Ale mailing list