OT: Enterprise Firewall?

 
 
Illusion
      07-24-2003, 01:07 PM
Hi,

Looking for recommendations and comments on possible firewalls we should go
for. Currently using a Linux/IPTables PC which is working nice but the
hardware is flaky and we want something more reliable hardware wise.

Our net connection is 10mb and we have a /29 subnet to use for DMZ servers.
Would be nice to have 5/6 ethernet ports in order to create a number of
secure areas and connect 1 interface to our internal network so clients can
use NAT for outbound connections also. We are looking for features such as
OSPF, IDS, Syslog, SNMP traps etc - as much as poss really!

Been looking at a Cisco PIX but don't like the fact that you can't assign the same
IP/subnet to two interfaces and use Proxy ARP. So for DMZ servers you have
to use static NAT mappings - I don't like this restriction and really do not
like using inbound NAT/PAT if poss.

Also we had a Watchguard Firebox before which constantly crashed, so I would
prefer to stay away from these really. Although I'm open to being proved that
they are reliable.

Any info greatly appreciated.

TIA, Dan


 
phantom
      07-24-2003, 01:56 PM
> Get more reliable hardware and stick with the Linux solution. I've Linux-
> based firewalls/routers/servers that basically stay up until the power
> fails, or I reboot them for whatever reason. If the hardware is reliable
> enough there's no reason for them to crash these days.


I'll second that proposal



---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.500 / Virus Database: 298 - Release Date: 10/07/2003


 
Illusion
      07-24-2003, 02:25 PM
phantom wrote:

>> Get more reliable hardware and stick with the Linux solution. I've
>> Linux-based firewalls/routers/servers that basically stay up until
>> the power fails, or I reboot them for whatever reason. If the
>> hardware is reliable enough there's no reason for them to crash these
>> days.

>
> I'll second that proposal


I myself would much rather stick with Linux! I have it running well at the
moment with iptables and zebra. Also I was looking at setting up Snort for
IDS. I have the feeling that the "powers that be" want a more dedicated
hardware solution, but if I can sell Linux to them on the fact that it's so
configurable and does everything we want (and it hasn't ever crashed since
it's been implemented), you never know, they might buy some new hardware in.

I guess the question I should be asking is if there is any other solution
that can beat Linux?

Cheers, Dan
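As an added example (not code from the thread or from any poster), here is the shape of an iptables ruleset for the setup Dan describes: a routed /29 DMZ on public addresses with no inbound NAT/PAT, NAT only for the internal LAN's outbound traffic, OSPF allowed in for zebra, and dropped packets logged to syslog. Interface names and addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset for
# the layout Dan describes: a routed /29 DMZ with public addresses (no inbound
# NAT/PAT), a masqueraded internal LAN, stateful filtering and drop logging to
# syslog via the kernel log. Interface names and addresses are constructed.
WAN=eth0; DMZ=eth1; LAN=eth2
DMZ_NET=203.0.113.8/29      # documentation prefix standing in for the real /29
LAN_NET=192.168.10.0/24

# Print the ruleset; on the firewall: gen_rules | iptables-restore
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only the private LAN is masqueraded; DMZ hosts keep their public IPs.
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Rate-limited LOG feeds syslog (kern facility), then drop.
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Admin SSH from the LAN only; OSPF (protocol 89) from the routers zebra peers with.
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -p 89 -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: published services only, routed straight to the public IPs.
-A FORWARD -i $WAN -o $DMZ -d $DMZ_NET -p tcp -m multiport --dports 25,80,443 -m state --state NEW -j ACCEPT
# LAN may initiate anywhere (masqueraded when it leaves via WAN).
-A FORWARD -i $LAN -s $LAN_NET -m state --state NEW -j ACCEPT
# The DMZ never initiates towards the LAN; everything else is logged and dropped.
-A FORWARD -i $DMZ -o $LAN -j LOGDROP
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# Sanity checks usable before loading: how many inbound DMZ openings exist,
# and whether any inbound NAT (DNAT) slipped into the policy.
count_dmz_accepts() { gen_rules | grep -c -- "-o $DMZ .* -j ACCEPT"; }
has_inbound_nat() { gen_rules | grep -q -- '-j DNAT'; }
```

The DMZ hosts are reached by plain routing, which is exactly the point Dan raises against the PIX's static-NAT requirement; only the RFC 1918 LAN goes through MASQUERADE.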


 
Gordon Henderson
      07-24-2003, 02:45 PM
In article <(E-Mail Removed)>,
Illusion <(E-Mail Removed)> wrote:
>phantom wrote:
>
>>> Get more reliable hardware and stick with the Linux solution. I've
>>> Linux-based firewalls/routers/servers that basically stay up until
>>> the power fails, or I reboot them for whatever reason. If the
>>> hardware is reliable enough there's no reason for them to crash these
>>> days.

>>
>> I'll second that proposal

>
>I myself would much rather stick with Linux! I have it running well at the
>moment with iptables and zebra. Also I was looking at setting up Snort for
>IDS. I have the feeling that the "powers that be" want a more dedicated
>hardware solution, but if I can sell Linux to them on the fact that it's so
>configurable and does everything we want (and it hasn't ever crashed since
>it's been implemented), you never know, they might buy some new hardware in.


In terms of reliability, if you can source a motherboard/processor
that works without a fan and use a solid-state (flash) IDE drive, then
what's the difference between that and (e.g.) a Cisco which boots into RAM
from flash? (Saying that, I have it on good authority that if the fan
on a Cisco 2600 fails it'll last 4-5 days before it goes terminal.)

You can make a Linux box more reliable by doing things like compiling
a customised kernel and running that (no modules, it boots marginally
faster and there's nothing unnecessary in it), removing all unnecessary
packages and generally making it as lightweight as possible. You can get
full-featured systems to boot off floppy if you try hard enough... I
normally start with Debian for the base system of nothing more than a
kernel, utilities and compiler, and build/tailor it from there.

>I guess the question I should be asking is if there is any other solution
>that can beat Linux?


I'm sure Cisco will argue that point...

Another thing the PHBs might consider is the number of people who
can program and set up Ciscos vs. the number of people who can set up a
custom Linux box (and re-configure it). You probably can't beat Linux in
terms of "bang per buck" though.

Gordon
 
Greg Hennessy
      07-24-2003, 03:58 PM
On Thu, 24 Jul 2003 15:25:47 +0100, "Illusion" <(E-Mail Removed)> wrote:

>
>I guess the question I should be asking is if there is any other solution
>that can beat Linux?


Yes, PF on OpenBSD 3.3.





greg


>
>Cheers, Dan
>


--
$ReplyAddress =~ s#\@.*$##; # Delete everything after the '@'
Alley Gator. With those hypnotic big green eyes
Alley Gator. She'll make you 'fraid 'em
She'll chew you up, ain't no lie
 
Alex Butcher
      07-25-2003, 08:07 PM
On Thu, 24 Jul 2003 16:58:33 +0100, Greg Hennessy wrote:

> On Thu, 24 Jul 2003 15:25:47 +0100, "Illusion" <(E-Mail Removed)> wrote:
>
>>
>>I guess the question I should be asking is if there is any other solution
>>that can beat Linux?

>
> Yes PF on OpenBSD 3.3.


That depends on what protocols you want to track statefully. I believe
netfilter for Linux supports more (e.g. H.323, PPTP, Quake...)

Also, there seem to be more mature management interfaces for netfilter -
thinking mainly of Astaro Security Linux here, but also things like
SecurePoint (and even IPcop if your needs aren't that demanding).

To the original poster, if you're thinking of replacing the hardware
anyway, look into an Astaro appliance; that way you get support all from
one place, regardless of whether it's a software, hardware or integration
issue.

> greg
>>Cheers, Dan


Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950 <http://www.assursys.com/>

 
Greg Hennessy
      07-25-2003, 11:04 PM
On Fri, 25 Jul 2003 21:07:53 +0100, Alex Butcher
<(E-Mail Removed)> wrote:

>On Thu, 24 Jul 2003 16:58:33 +0100, Greg Hennessy wrote:


>That depends on what protocols you want to track statefully. I believe
>netfilter for Linux supports more (e.g. H.323, PPTP, Quake...)


For L7 proxies, true. For basic packet filtering/shaping/NAT there is no
comparison IMHO. Creating and debugging IPTables policies is like pulling
teeth when compared to PF. The moment I discovered

pfctl -n

a tear ran down my cheek, lol.


>Also, there seem to be more mature management interfaces for netfilter -
>thinking mainly of Astaro Security Linux here, but also things like
>SecurePoint (and even IPcop if your needs aren't that demanding).


If one is looking for a self-contained firewalling distro I'd agree on the
first two. On a side note, I had an Astaro install I look after get completely
fscked up after a power cut recently: it comes back up and hangs with an
inittab "respawning too fast" error. Something deeply corrupted inside ext3. The
filesystems would clean up and one could see the entries, but they were
shagged; any time something would attempt to use a shared lib, core dumps
everywhere. First time ever I've seen ext3 break that badly.



greg


--
$ReplyAddress =~ s#\@.*$##; # Delete everything after the '@'
Alley Gator. With those hypnotic big green eyes
Alley Gator. She'll make you 'fraid 'em
She'll chew you up, ain't no lie
 
Alex Butcher
      07-26-2003, 08:37 AM
On Sat, 26 Jul 2003 00:04:04 +0100, Greg Hennessy wrote:

> On Fri, 25 Jul 2003 21:07:53 +0100, Alex Butcher
> <(E-Mail Removed)> wrote:
>
>>On Thu, 24 Jul 2003 16:58:33 +0100, Greg Hennessy wrote:

>
>>That depends on what protocols you want to track statefully. I believe
>>netfilter for Linux supports more (e.g. H.323, PPTP, Quake...)

>
> For L7 proxies, true. For basic packet filtering/shaping/NAT there is no
> comparison IMHO. Creating and debugging IPTables policies is like
> pulling teeth when compared to PF. The moment I discovered
>
> pfctl -n
>
> a tear ran down my cheek, lol.


Sure, the interface to netfilter provided by the iptables command isn't
the friendliest, but the existence of things like Astaro and fwbuilder
make that less of an issue, IMHO.

Just as I wouldn't write FireWall-1 policies without using their GUI.
That's even hairier than iptables. ;-)

>>Also, there seem to be more mature management interfaces for netfilter -
>>thinking mainly of Astaro Security Linux here, but also things like
>>SecurePoint (and even IPcop if your needs aren't that demanding).

>
> If one is looking for a self-contained firewalling distro I'd agree on
> the first two. On a side note, I had an Astaro install I look after get
> completely fscked up after a power cut recently: it comes back up and hangs
> with an inittab "respawning too fast" error. Something deeply corrupted
> inside ext3. The filesystems would clean up and one could see the
> entries, but they were shagged; any time something would attempt to use a
> shared lib, core dumps everywhere. First time ever I've seen ext3 break
> that badly.


Eek! I thought ASL used ReiserFS, but I suspect they may have changed
over.

Still, that's not really an ASL problem; if you're concerned about power
failures, you should be using a UPS and/or failover facilities, have a
cold standby, or at least mount the filesystems synchronously.

Also, providing you've backed up the ASL configuration recently, it won't
be much of a problem to rebuild, install the latest up2date fixes, then
restore the old configuration from the single backed-up configuration
file. Should take no longer than 30 mins, excluding download time for the
up2date fixes.

> greg


Best Regards,
Alex.
--
Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950 <http://www.assursys.com/>

 