[ale] Buy vs. build

scott scott at sboss.net
Thu May 5 14:08:59 EDT 2011


Lots of different questions here....  Here are my suggestions...

For the firewall, if you are going to build it, put lots of RAM in it.
The HD doesn't matter.  Firewall software (open-source, commercial,
whatever) runs out of memory once it is loaded.  My home firewall
(back when I rolled my own) ran 100% out of memory.  The software
was tweaked to boot off CF (compact flash) memory cards and run 100% in
RAM, never touching the CF unless it was to save a config change.
Get good NICs.  Don't get off brands.  And if you are going to push
some serious IOs through them, don't get multiport NICs.  The NIC card
itself will become the bottleneck.

Some commercial firewalls offer OpenVPN as an option.  Don't remember
which ones now.

As for trihomed, that is common.  RED interface is for the internet
(RED == dangerous).  YELLOW interface is for the DMZ hosts (YELLOW ==
be cautious).  GREEN interface for internal only stuff (GREEN ==
safe).  Most people would put Web hosts and Mail server in the DMZ.
On the F/W put in rules for only certain ports open from RED->YELLOW
and vice versa.  Then on the F/W put only certain ports open from
YELLOW->GREEN.  For both sets of these ports (R<->Y & Y->G) be very
specific on which ports for which hosts.  The big argument is do we
allow all ports from GREEN->YELLOW or have limited ports like incoming.
I prefer limited ports.

Where do you place the VPN server?  Depends on how much access a VPNed
host gets to the network.  Limited access, then place it in the DMZ
with Web and Mail.  If it needs full access, you can still do that with ports
open from the VPN server into GREEN.

I would place the DB server in the GREEN zone with specific port(s) open
between YELLOW and GREEN for data to flow.  I would place AD and other
things like that in GREEN too.

good luck!

On Thu, May 5, 2011 at 1:36 PM, David Hillman <hillmands at gmail.com> wrote:
> Our firewall is close to dead.  My boss wants to buy an expensive one.  I
> think it's better to build.  We had problems extending the old firewall,
> plus it would give us a chance to actually have OpenVPN on the firewall box
> itself.  The trouble is figuring out how to get to a working solution that's
> flexible and affordable.  Should we go with a trihomed solution?  Should
> OpenVPN then listen on all interfaces, or just the external one?  How does
> this all fit in with our Active Directory and DNS server?  Can OpenVPN
> easily deal with Active Directory?  How should packets be routed from the
> VPN connection to the internal network and to the DMZ?  Should we go with a
> powerful little box that has iptables on the hardware and something like
> Virtualbox + PHPVirtualbox for everything else?  By the way, we were using a
> Secure Computing box before.
> The AD box can then be virtualized and consolidated inside the one physical
> box.  Our web box (virtualized) and file server box would still stay
> separate.  Then, how do we tie the virtualized AD service back into the LAN?
>  Through the internal network interface via virtual switch?  What are the
> chances of the firewall box failing?  Of course, we were thinking of a
> Mini-ITX board with Intel Atom (no fans) and RAID 1 SSD drives.  Are there
> any good books dealing with issues like these?  I can understand buying to
> save time, but how many headaches do you have to put up with down the road
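Scott's RED/YELLOW/GREEN layout as a skeleton iptables policy, added here as an example and not code from either poster. Interface names, addresses, and the specific ports per host are assumptions; the default-deny and per-host rule structure is what the post describes.

```shell
#!/bin/sh
# Tri-homed firewall policy: RED (internet), YELLOW (DMZ), GREEN (internal).
# Usage: ./fw.sh preview   (print the rules)   ./fw.sh apply   (as root)
case "${1:-preview}" in
  apply)   IPT=iptables ;;   # load the policy for real
  preview) IPT=echo ;;       # print the commands instead of running them
  *) echo "usage: $0 [preview|apply]" >&2; exit 2 ;;
esac

RED=eth0; YELLOW=eth1; GREEN=eth2                  # assumed interface names
WEB=192.0.2.10; MAIL=192.0.2.11; VPN=192.0.2.12    # assumed DMZ hosts
DB=10.0.0.20; AD=10.0.0.5                          # assumed GREEN hosts

# allow <in-if> <out-if> <dst-host> <proto> <port>: one narrow FORWARD rule,
# host-specific, as the post recommends for every zone crossing.
allow() {
  $IPT -A FORWARD -i "$1" -o "$2" -d "$3" -p "$4" --dport "$5" \
       -m conntrack --ctstate NEW -j ACCEPT
}

build_rules() {
  # Default deny between zones; only replies to allowed flows come back,
  # which is the "and vice versa" half of RED<->YELLOW.
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # RED -> YELLOW: only the published services, host by host
  allow "$RED" "$YELLOW" "$WEB"  tcp 80
  allow "$RED" "$YELLOW" "$WEB"  tcp 443
  allow "$RED" "$YELLOW" "$MAIL" tcp 25
  allow "$RED" "$YELLOW" "$VPN"  udp 1194   # OpenVPN server living in the DMZ

  # YELLOW -> GREEN: only what the DMZ hosts need inside
  allow "$YELLOW" "$GREEN" "$DB" tcp 5432   # web app to DB (assumed PostgreSQL)
  allow "$YELLOW" "$GREEN" "$AD" tcp 389    # VPN box authenticating to AD (assumed LDAP)

  # GREEN -> YELLOW: limited ports, not "allow all"
  allow "$GREEN" "$YELLOW" "$WEB"  tcp 443
  allow "$GREEN" "$YELLOW" "$MAIL" tcp 25
  allow "$GREEN" "$YELLOW" "$MAIL" tcp 143

  # Log what falls through to the DROP policy so the rules can be tuned
  $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

build_rules
```

Run it in preview mode first and diff the printed commands against the intended zone matrix before applying.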
