[ale] OT: Firewall purchase

David Hamm ale at spinnerdog.com
Mon Jul 5 23:02:55 EDT 2004


Chris,
> Sub $100 is a good target but might not have all the features.
You're right and that's why I posed the question to the group.  The unit I am 
considering is this one.

http://www.netgear.com/products/details/FVL328.php?view=sb

It sells for around $400.00 but doesn't support OSPF.  I was hoping someone on 
the list had experience with some other vendor and could suggest a firewall that 
did support OSPF.  Recently I installed a layer 3 switch from D-Link; the price 
was much less than expected, it worked great and was easy to set up.  I'd 
hoped to get a similar experience from this firewall.

Thanks for your suggestions.  I seem to remember something about a "hot? 
brick" firewall too.  


On Monday 05 July 2004 09:41 pm, Christopher Fowler wrote:
> Honestly though what I do at home is different from what I would
> recommend to a commercial outfit.  I would never ask one of my customers to
> go to BestBuy and purchase a firewall for their corporation.
>
> I've seen a sub $500 product that also looked good.  It was called a Hot
> Brick. I believe the 12 port unit was $600 and the 6 port was under 5.  In
> reality all I need for my firewall device is a Wan port and Lan port. 
> Cisco switches can make up for the rest.
>
> I have a habit of buying cheap switches from Micro Center that have
> rebates. For me that is okay.  I have many on the network and it seems that
> they just do not like to work very well together.  I have to place my
> laptop on an old 10mb hub because SMB traffic fails on these switches. 
> Everything else works great.  It could be Zinc Whiskers or the fact these
> are cheap products that are geared for the end user at home.
>
> On Mon, Jul 05, 2004 at 05:36:16PM -0400, David Hamm wrote:
> > On Monday 05 July 2004 11:13 am, James P. Kinney III wrote:
> > > There is a series of firewall products whose name brand escapes me
> > > (search on slashdot) that has a backdoor password that was embedded.
> > > The patch was a flash upgrade that turned off the password use from the
> > > outside connection. Further study showed the power reset would revert
> > > back to the default allow remote login with backdoor password.
> >
> > The units you are speaking of are Linksys's WRT54G and NetGear's WG602.
> > They are both wireless gateways and I didn't find similar problems
> > with other products from these manufacturers.
> >
> > > see above. If I get the time today, I'll dig up the references I was
> > > reading on this. It's about 2 months old (or so)
> > >
> > > The VPN in many off the shelf devices is PPtP which has numerous, well
> > > known vulnerabilities. PPtP is used often as it is easy to do and older
> > > M$ machines support it easily with little support needed to set it up.
> > >
> > > When I think of a VPN, I'm thinking IPSec with pre-shared keys. There
> > > are many firewall boxes that support IPSec with pre-shared keys. None
> > > are in the $100 range. All require additional license purchase for
> > > multiple VPN client access.
> > >
> > > A _real_ VPN server can act as the end point for the VPN tunnel. Most
> > > of the firewall devices out there _support_ VPN by merely passing IPSec
> > > datagrams freely. They do not act as a VPN server or client.
> >
> > Take a look at this.  If you still don't believe they do IPSec we can
> > have a VNC session and you can watch me set up a couple of tunnels if you
> > still don't believe it.
> >
> > http://netgear.com/products/prod_details.php?prodID=129&view=sb
> >
> > > **NOTE** I don't regularly check all the stats on new network hardware
> > > that does in silicon what I prefer to do in RAM. The last sweep of
> > > firewall technology I did was Feb. 2004 and that was of corporate
> > > firewall products that support IPSec. None of those was less than
> > > $1500.
> > >
> > > > > All of the off-the-shelf firewall devices are generic boxes that
> > > > > are cookie cutter rule sets for a limited set of protection
> > > > > scenarios. The ability to ssh into the firewall and adjust as
> > > > > needed is absolutely priceless.
> > > >
> > > > Yes, I like ssh and IPtables too but this isn't a problem for that
> > > > solution.
> > >
> > > Then have the client spend the $100 for "The Emperors New Clothes"
> > > firewall product. Make sure you get a release of liability document
> > > signed before you put it in. If it is a product that _you_ recommend,
> > > you WILL be the first person called on a problem. I have found
> > > supporting products that I don't have complete and full access to
> > > difficult at best and impossible at worst. I don't like being in the
> > > position of having the responsibility for a situation but not the
> > > authority to do what I see is best to make the solution happen.
> >
> > I'm sorry, this discussion has ended as far as I am concerned.  The only
> > real help I got was from Chris suggesting I look at a new vendor.  The
> > above comments don't possess any characteristics of productive dialog and
> > could easily be detrimental to some.
> >
> > > > On Sunday 04 July 2004 08:31 pm, James P. Kinney III wrote:
> > > > > On Sun, 2004-07-04 at 16:15, David Hamm wrote:
> > > > > > Thanks for the links and suggestions but this firewall is for a
> > > > > > client and building a custom firewall will not be price
> > > > > > competitive; Especially if you consider the ease of use available
> > > > > > for $100 from Netgear and D-Link.
> > > > >
> > > > > Both of those have known security issues. Neither supports VPN
> > > > > connections directly. Having a hardware device that has had a
> > > > > backdoor password that is HARDCODED into the silicon and well
> > > > > published is a waste of cash. Once the power blinks, they go back to
> > > > > the default backdoor settings.
> > > > >
> > > > > The upfront cost of buying a supportable setup is negligible
> > > > > compared to the replacement cost over time of upgrading the
> > > > > firewall hardware system every time a new feature to stop a new
> > > > > style of attack is not upgradeable by a flash of the bios.
> > > > >
> > > > > All of the off-the-shelf firewall devices are generic boxes that
> > > > > are cookie cutter rule sets for a limited set of protection
> > > > > scenarios. The ability to ssh into the firewall and adjust as
> > > > > needed is absolutely priceless.
> > > > >
> > > > > Besides, how else are you going to run Bob's ruleset?!
> > > > >
> > > > > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > > > > David Hamm wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > I'm looking for a firewall that supports IPSEC for VPN and
> > > > > > > > OSPF. Netgear has
> > > > > > > > stuff I found attractive but with no OSPF support. Moving
> > > > > > > > parts (ie fans and
> > > > > > > > disks ), and user licensing are out. Anyone have any
> > > > > > > > suggestions?
> > > > > > > >
> > > > > > > > Thanks.
> > > > > > > > _______________________________________________
> > > > > > > > Ale mailing list
> > > > > > > > Ale at ale.org
> > > > > > > > http://www.ale.org/mailman/listinfo/ale
> > > > > > >
> > > > > > > Look at building it yourself using Slackware, Bob Toxen's
> > > > > > > second edition of his book, and an Epia based fanless supersmall
> > > > > > > machine with dual builtin NICs.  His book has drop in iptables
> > > > > > > rules that are excellent. Once you get that far then going thru
> > > > > > > the IPSEC Howto is not too difficult.  Just involves a kernel
> > > > > > > module compile and insertion.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Links:
> > > > > > > http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3
> > > > > > > http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
> > > > > > > http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html (this is one idea)
> > > > > > >
> > > > > > >
> > > >
> >
>
