Priscilla,

You can get a PIX 506 for about $1,400 from www.provantage.com. 
This may still be a little pricey for a school though. 

I wouldn't worry too much about someone breaking into a properly 
configured Linux firewall.  First, if you have a box acting as a 
firewall, it shouldn't be running _any_ unnecessary services, i.e. 
DNS, SMTP, FTP, etc.  When I configure Unix/Linux to act as a 
firewall, the only services I leave running are SSH and the firewall 
software itself. Period.  All other services are disabled and removed.

There is no good reason to run any other traditional service on the 
firewall.  You can pick up wintel boxes that will run fine for a couple 
of hundred bucks.  If you need additional services they should be 
run on different boxes, not the firewall. 

Pick a good password for use with SSH, something with several 
special characters, or use S/Key and you should be fine.  Course, 
that doesn't mean someone couldn't get _through_ the firewall, only 
that the firewall itself is secured.

Regards,
Kent
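
One way to check the "SSH and the firewall software only" rule Kent describes, as an added example (not code from the thread or from any of its participants): a small POSIX shell audit that reads `ss -Hlntu` style listener output and flags every listening socket whose port is not on an allowlist. The allowlist (port 22 for SSH) and the sample `ss` lines are assumptions constructed for the example; the `ss` flags (`-H` no header, `-l` listening, `-n` numeric, `-t` TCP, `-u` UDP) are real iproute2 options.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a firewall host for
# listening services beyond a small allowlist. The only things that should
# listen on a firewall are SSH and whatever the filtering software needs.

# Ports that are allowed to listen on the firewall host (assumption: SSH on 22).
# Add a port here only if the firewall software itself needs it.
ALLOWED_PORTS="22"

# Constructed sample in `ss -Hlntu` format (Netid State Recv-Q Send-Q Local Peer).
# Lines 2 and 3 represent a DNS server that has no business running on a firewall.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*'

# Read ss-style listener lines from stdin; print one UNEXPECTED line per
# listener whose local port is not in ALLOWED_PORTS. Returns 1 if any were
# found, 0 if the host is clean. Handles IPv4, IPv6 ([::]:22) and wildcard
# (*:22) local addresses by taking everything after the last colon.
audit_listeners() {
    found=0
    while read -r proto state recvq sendq laddr peer rest; do
        [ -z "$proto" ] && continue
        port=${laddr##*:}
        ok=0
        for p in $ALLOWED_PORTS; do
            [ "$port" = "$p" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "UNEXPECTED $proto listener on $laddr"
            found=1
        fi
    done
    return $found
}

# Count the unexpected listeners in a block of ss output passed as $1.
count_unexpected() {
    printf '%s\n' "$1" | audit_listeners | grep -c UNEXPECTED
}

# Usage: run against the constructed sample, or with --live against the real host.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_SS" | audit_listeners ;;
    --live) ss -Hlntu | audit_listeners ;;
esac
```

Run it with `--live` on the firewall itself (or from cron) and treat any UNEXPECTED line as a finding: either a service that should be disabled and removed, or a port that belongs on the allowlist because the firewall software needs it.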

On 23 Mar 2001, at 9:37, Priscilla Oppenheimer wrote:

> How about if the customer is strapped for money. I work at a school.
> Luckily our students haven't gotten sophisticated enough to break into
> the Linux firewall but I don't think that day is too far away.
> Some of them are very smart and they are learning Linux and networking
> in their classes. But PIX is too expensive, I think??
> 
> Priscilla
> 
> At 09:24 AM 3/23/01, Rik wrote:
> >I have seen way too many Linux firewalls hacked as a result of
> >mis-administration.  Now, I'm not assuming anything about your
> >abilities as the last confirmed hack that I was notified about was a
> >Linux FW set up by 2 guys that I know to be excellent Linux admins. 
> >The problem is the inherent nature of the beast.  A PIX is totally
> >secure right out of the box.  The last Linux hack I speak of was
> >hacked based on an exploit within BIND and had nothing to do with the
> >FW policy.
> >
> >I also find the PIX to be MUCH easier to configure and setup.  I can
> >do in only a few lines of code what could possibly take pages and
> >pages of code in Linux.  When talking about firewalls, simplicity is
> >a critically important concern.  One compromise could easily remove
> >any upfront cost advantage Linux has over Cisco.  Also, you don't
> >have to be concerned with shutting down unused services on a PIX as
> >you would on Linux.
> >
> >Go with the PIX.  It was designed from the ground up to do just what
> >it does: protect your network.  Cisco claims that a properly
> >configured PIX has never been compromised.  I believe them.
> >
> >Rik
> >
> >
> >"Sean Young" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> > > Hi Everyone,
> > >
> > > My company is putting me in charge of implementing a Firewall for
> > > our company.  One guy in my networking group is recommending PIX
> > > Firewall. Furthermore, he also recommends a Cisco Web-caching
> > > engine.  His reason is that not only is Cisco a good Firewall but it
> > > also provides VPN connectivity to our remote sites.  I, on
> > > the other hand, would like to implement a Linux-based OS firewall
> > > along with the FreeS/WAN VPN feature set.  My reason is that a linux
> > > firewall can provide everything a Cisco PIX does and even more. 
> > > In terms of hardware, the linux Firewall/VPN/IPSec box will be
> > > running a dual-processor (800MHz) with 1GB of RAM. I just feel
> > > that I can get a lot more for the amount that we are going to
> > > spend with linux than with Cisco PIX.  I also feel that I can tweak
> > > the source code on the LINUX kernel to increase the performance
> > > and security. Also, instead of purchasing the Cisco web-caching
> > > engine, I am thinking of building another linux box that will be
> > > running a squid (web-caching) server.  Don't get me wrong, I think
> > > Cisco has a lot of good products in the area of routing; however,
> > > I just don't think it is necessary to throw away money at Cisco
> > > when I know that Linux or BSD can do the same job that PIX and
> > > the Cisco web-caching engine do but for much less and also I can
> > > control the source code.  Has anyone had experience with both
> > > Linux/BSD, Squid and Cisco PIX, Cisco web-caching engine so that
> > > you can give advice on what I should do?  I am open to your
> > > suggestions.
> > >
> > > Many thanks.
> > > Sean
> > >
> > > _________________________________
> > > FAQ, list archives, and subscription info:
> >http://www.groupstudy.com/list/cisco.html
> > > Report misconduct and Nondisclosure violations to
> > > [EMAIL PROTECTED]
> > >
> >
> >
> 
> 
> ________________________
> 
> Priscilla Oppenheimer
> http://www.priscilla.com
> 


