[ale] OT: Firewall purchase

Christopher Fowler cfowler at outpostsentinel.com
Mon Jul 5 21:39:57 EDT 2004


Honestly though, what I do at home is different than what I would
recommend to a commercial outfit.  I would never ask one of my customers to
go to BestBuy and purchase a firewall for their corporation.  Sub $100
is a good target but might not have all the features.

I've seen a sub $500 product that also looked good.  It was called a Hot Brick.
I believe the 12 port unit was $600 and the 6 port was under 5.  In reality all
I need for my firewall device is a WAN port and LAN port.  Cisco switches
can make up for the rest.

I have a habit of buying cheap switches from Micro Center that have rebates.
For me that is okay.  I have many on the network and it seems that they
just do not like to work very well together.  I have to place my laptop
on an old 10mb hub because SMB traffic fails on these switches.  Everything
else works great.  It could be Zinc Whiskers or the fact these are cheap 
products that are geared for the end user at home.



On Mon, Jul 05, 2004 at 05:36:16PM -0400, David Hamm wrote:
> On Monday 05 July 2004 11:13 am, James P. Kinney III wrote:
> 
> > There is a series of firewall products whose name brand escapes me
> > (search on slashdot) that has a backdoor password that was embedded. The
> > patch was a flash upgrade that turned off the password use from the
> > outside connection. Further study showed the power reset would revert
> > back to the default allow remote login with backdoor password.
> 
> The units you are speaking of are Linksys's WRT54G and NetGear's WG602.  They
> are both wireless gateways and I didn't find similar problems with other
> products from these manufacturers.
> 
> > see above. If I get the time today, I'll dig up the references I was
> > reading on this. It's about 2 months old (or so)
> >
> > The VPN in many off the shelf devices is PPTP which has numerous, well
> > known vulnerabilities. PPTP is used often as it is easy to do and older
> > M$ machines support it easily with little support needed to set it up.
> 
> > When I think of a VPN, I'm thinking IPSec with pre-shared keys. There
> > are many firewall boxes that support IPSec with pre-shared keys. None
> > are in the $100 range. All require additional license purchase for
> > multiple VPN client access.
> >
> > A _real_ VPN server can act as the end point for the VPN tunnel. Most of
> > the firewall devices out there _support_ VPN by merely passing IPSec
> > datagrams freely. They do not act as a VPN server or client.
> 
> Take a look at this.  If you still don't believe they do IPSec we can have a 
> VNC session and you can watch me set up a couple of tunnels if you still 
> don't believe it.
> 
> http://netgear.com/products/prod_details.php?prodID=129&view=sb
> 
> 
> > **NOTE** I don't regularly check all the stats on new network hardware
> > that does in silicon what I prefer to do in RAM. The last sweep of
> > firewall technology I did was Feb. 2004 and that was of corporate
> > firewall products that support IPSec. None of those was less than $1500.
> >
> > > > All of the off-the-shelf firewall devices are generic boxes that are
> > > > cookie cutter rule sets for a limited set of protection scenarios. The
> > > > ability to ssh into the firewall and adjust as needed is absolutely
> > > > priceless.
> > >
> > > Yes, I like ssh and IPtables too but this isn't a problem for that
> > > solution.
> >
> > Then have the client spend the $100 for "The Emperors New Clothes"
> > firewall product. Make sure you get a release of liability document
> > signed before you put it in. If it is a product that _you_ recommend,
> > you WILL be the first person called on a problem. I have found
> > supporting products that I don't have complete and full access to
> > difficult at best and impossible at worst. I don't like being in the
> > position of having the responsibility for a situation but not the
> > authority to do what I see is best to make the solution happen.
> 
> I'm sorry, this discussion has ended as far as I am concerned.  The only real
> help I got was from Chris suggesting I look at a new vendor.  The above
> comments don't possess any characteristics of productive dialog and could
> easily be detrimental to some.
> 
> 
> > > On Sunday 04 July 2004 08:31 pm, James P. Kinney III wrote:
> > > > On Sun, 2004-07-04 at 16:15, David Hamm wrote:
> > > > > Thanks for the links and suggestions but this firewall is for a
> > > > > client and building a custom firewall will not be price competitive; 
> > > > > Especially if you consider the ease of use available for $100 from
> > > > > Netgear and D-Link.
> > > >
> > > > Both of those have known security issues. Neither support VPN
> > > > connections directly. Having a hardware device that has had a backdoor
> > > > password that is HARDCODED into the silicon and well published is a
> > > > waste of cash. Once the power blinks, they go back to the default
> > > > backdoor settings.
> > > >
> > > > The upfront cost of buying a supportable setup is negligible compared
> > > > to the replacement cost over time of upgrading the firewall hardware
> > > > system every time a new feature to stop a new style of attack is not
> > > > upgradeable by a flash of the bios.
> > > >
> > > > All of the off-the-shelf firewall devices are generic boxes that are
> > > > cookie cutter rule sets for a limited set of protection scenarios. The
> > > > ability to ssh into the firewall and adjust as needed is absolutely
> > > > priceless.
> > > >
> > > > Besides, how else are you going to run Bob's ruleset?!
> > > >
> > > > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > > > David Hamm wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > I'm looking for a firewall that supports IPSEC for VPN and OSPF.
> > > > > > > Netgear has
> > > > > > > stuff I found attractive but with no OSPF support. Moving parts
> > > > > > > (ie fans and
> > > > > > > disks ), and user licensing are out. Anyone have any suggestions?
> > > > > > >
> > > > > > > Thanks.
> > > > > > > _______________________________________________
> > > > > > > Ale mailing list
> > > > > > > Ale at ale.org
> > > > > > > http://www.ale.org/mailman/listinfo/ale
> > > > > >
> > > > > > Look at building it yourself using Slackware, Bob Toxen's second
> > > > > > edition of his book, and a Epia based fanless supersmall machine
> > > > > > with dual builtin NICs.  His book has drop in iptables rules that
> > > > > > are excellent. Once you get that far then going thru the IPSEC
> > > > > > Howto is not too difficult.  Just involves a kernel module compile
> > > > > > and insertion.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Links:
> > > > > > http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3
> > > > > > http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
> > > > > > http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html
> > > > > > (this is one idea)
> > > > > >
> > > > > >