[ale] OT: Firewall purchase

James P. Kinney III jkinney at localnetsolutions.com
Tue Jul 6 14:21:38 EDT 2004


On Mon, 2004-07-05 at 23:16, Christopher Fowler wrote:
> http://www.hotbrick.com/vpn1200.html
> 
> Try that one out.  
> 
> I know I'll draw flames but I tend to see two mindsets in this list
> group.
> 
> The first one is those who want to reinvent the wheel to learn the internals.
> The others are those who value their money far more than their time.

That's one way to look at it. I usually wind up in the "reinvent the
wheel" camp as I want to _know_ what is going on with what I support. In
reality, I don't reinvent the wheel, though. I do what Linux is based on. I
start from the work of giants before me and tailor a solution to my
clients' needs. Most of the time the "standard" solutions are just fine.
Over time, however, all of the standard solutions turn into custom
solutions as the clients' needs change. I've been locked into situations
before using "smart" hardware. It is an unsatisfying experience being
tasked with fitting the square peg into the round hole. 
> 
> When you start doing consulting you realize that your time could
> be valuable.  You start doing crazy stuff like paying other people
> to cut your grass.

Yep. I have a 12 year old who knows how to use a boot floppy with Fedora
Core 2 and a series of kickstart files I've been modifying over time.
Beats me having to "cut my own grass".  :)
> 
> 
> 
> 
> On Mon, Jul 05, 2004 at 11:01:07PM -0400, David Hamm wrote:
> > Chris,
> > > Sub $100 is a good target but might not have all the features.
> > You're right and that's why I posed the question to the group.  The unit I am 
> > considering is this one.
> > 
> > http://www.netgear.com/products/details/FVL328.php?view=sb
> > 
> > It sells for around $400.00 but doesn't support OSPF.  I was hoping someone on 
> > the list had experience with some other vendor and could suggest a firewall that 
> > did support OSPF.  Recently I installed a layer 3 switch from D-Link; the price 
> > was much less than expected, it worked great and was easy to set up.  I'd 
> > hoped to get a similar experience from this firewall.
> > 
> > Thanks for your suggestions.  I seem to remember something about a "hot? 
> > brick" firewall too.  
> > 
> > 
> > On Monday 05 July 2004 09:41 pm, Christopher Fowler wrote:
> > > Honestly though what I do at home is different than what I would
> > > recommend to a commercial outfit.  I would never ask one of my customers to
> > > go to BestBuy and purchase a firewall for their corporation.  
> > >
> > > I've seen a sub $500 product that also looked good.  It was called a Hot
> > > Brick. I believe the 12 port unit was $600 and the 6 port was under 5.  In
> > > reality all I need for my firewall device is a Wan port and Lan port. 
> > > Cisco switches can make up for the rest.
> > >
> > > I have a habit of buying cheap switches from Micro Center that have
> > > rebates. For me that is okay.  I have many on the network and it seems that
> > > they just do not like to work very well together.  I have to place my
> > > laptop on an old 10mb hub because SMB traffic fails on these switches. 
> > > Everything else works great.  It could be Zinc Whiskers or the fact these
> > > are cheap products that are geared for the end user at home.
> > >
> > > On Mon, Jul 05, 2004 at 05:36:16PM -0400, David Hamm wrote:
> > > > On Monday 05 July 2004 11:13 am, James P. Kinney III wrote:
> > > > > There is a series of firewall products whose name brand escapes me
> > > > > (search on slashdot) that has a backdoor password that was embedded.
> > > > > The patch was a flash upgrade that turned off the password use from the
> > > > > outside connection. Further study showed the power reset would revert
> > > > > back to the default allow remote login with backdoor password.
> > > >
> > > > The units you are speaking of are Linksys's WRT54G and NetGear's WG602. 
> > > > They are both wireless gateways and I didn't find similar problems
> > > > with other products from these manufacturers.
> > > >
> > > > > see above. If I get the time today, I'll dig up the references I was
> > > > > reading on this. It's about 2 months old (or so)
> > > > >
> > > > > The VPN in many off the shelf devices is PPtP which has numerous, well
> > > > > known vulnerabilities. PPtP is used often as it is easy to do and older
> > > > > M$ machines support it easily with little support needed to set it up.
> > > > >
> > > > > When I think of a VPN, I'm thinking IPSec with pre-shared keys. There
> > > > > are many firewall boxes that support IPSec with pre-shared keys. None
> > > > > are in the $100 range. All require additional license purchase for
> > > > > multiple VPN client access.
> > > > >
> > > > > A _real_ VPN server can act as the end point for the VPN tunnel. Most
> > > > > of the firewall devices out there _support_ VPN by merely passing IPSec
> > > > > datagrams freely. They do not act as a VPN server or client.
> > > >
> > > > Take a look at this.  If you still don't believe they do IPSec we can
> > > > have a VNC session and you can watch me set up a couple of tunnels if you
> > > > still don't believe it.
> > > >
> > > > http://netgear.com/products/prod_details.php?prodID=129&view=sb
> > > >
> > > > > **NOTE** I don't regularly check all the stats on new network hardware
> > > > > that does in silicon what I prefer to do in RAM. The last sweep of
> > > > > firewall technology I did was Feb. 2004 and that was of corporate
> > > > > firewall products that support IPSec. None of those was less than
> > > > > $1500.
> > > > >
> > > > > > > All of the off-the-shelf firewall devices are generic boxes that
> > > > > > > are cookie cutter rule sets for a limited set of protection
> > > > > > > scenarios. The ability to ssh into the firewall and adjust as
> > > > > > > needed is absolutely priceless.
> > > > > >
> > > > > > Yes, I like ssh and IPtables too but this isn't a problem for that
> > > > > > solution.
> > > > >
> > > > > Then have the client spend the $100 for "The Emperor's New Clothes"
> > > > > firewall product. Make sure you get a release of liability document
> > > > > signed before you put it in. If it is a product that _you_ recommend,
> > > > > you WILL be the first person called on a problem. I have found
> > > > > supporting products that I don't have complete and full access to
> > > > > difficult at best and impossible at worst. I don't like being in the
> > > > > position of having the responsibility for a situation but not the
> > > > > authority to do what I see is best to make the solution happen.
> > > >
> > > > I'm sorry, this discussion has ended as far as I am concerned.  The only
> > > > real help I got was from Chris suggesting I look at a new vendor.  The
> > > > above comments don't possess any characteristics of productive dialog and
> > > > could easily be detrimental to some.
> > > >
> > > > > > On Sunday 04 July 2004 08:31 pm, James P. Kinney III wrote:
> > > > > > > On Sun, 2004-07-04 at 16:15, David Hamm wrote:
> > > > > > > > Thanks for the links and suggestions but this firewall is for a
> > > > > > > > client and building a custom firewall will not be price
> > > > > > > > competitive; Especially if you consider the ease of use available
> > > > > > > > for $100 from Netgear and D-Link.
> > > > > > >
> > > > > > > Both of those have known security issues. Neither support VPN
> > > > > > > connections directly. Having a hardware device that has had a
> > > > > > > backdoor password that is HARDCODED into the silicon and well
> > > > > > > published is a waste of cash. Once the power blinks, they go back to
> > > > > > > the default backdoor settings.
> > > > > > >
> > > > > > > The upfront cost of buying a supportable setup is negligible
> > > > > > > compared to the replacement cost over time of upgrading the
> > > > > > > firewall hardware system every time a new feature to stop a new
> > > > > > > style of attack is not upgradeable by a flash of the bios.
> > > > > > >
> > > > > > > All of the off-the-shelf firewall devices are generic boxes that
> > > > > > > are cookie cutter rule sets for a limited set of protection
> > > > > > > scenarios. The ability to ssh into the firewall and adjust as
> > > > > > > needed is absolutely priceless.
> > > > > > >
> > > > > > > Besides, how else are you going to run Bob's ruleset?!
> > > > > > >
> > > > > > > > On Sunday 04 July 2004 03:40 pm, Dow Hurst wrote:
> > > > > > > > > David Hamm wrote:
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > I'm looking for a firewall that supports IPSEC for VPN and
> > > > > > > > > > OSPF. Netgear has
> > > > > > > > > > stuff I found attractive but with no OSPF support. Moving
> > > > > > > > > > parts (ie fans and
> > > > > > > > > > disks ), and user licensing are out. Anyone have any
> > > > > > > > > > suggestions?
> > > > > > > > > >
> > > > > > > > > > Thanks.
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Ale mailing list
> > > > > > > > > > Ale at ale.org
> > > > > > > > > > http://www.ale.org/mailman/listinfo/ale
> > > > > > > > >
> > > > > > > > > Look at building it yourself using Slackware, Bob Toxen's
> > > > > > > > > second edition of his book, and an Epia based fanless supersmall
> > > > > > > > > machine with dual builtin NICs.  His book has drop in iptables
> > > > > > > > > rules that are excellent. Once you get that far then going thru
> > > > > > > > > the IPSEC Howto is not too difficult.  Just involves a kernel
> > > > > > > > > module compile and insertion.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Links:
> > > > > > > > > http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html#toc3
> > > > > > > > > http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
> > > > > > > > > http://www.onlamp.com/pub/a/bsd/2004/03/11/Big_Scary_Daemons.html (this is one idea)
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > >
> > > >
> > >
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7