On Wed, 2004-05-05 at 18:22, Glenn Harper wrote:
> Since the Security mailing list is possibly going to end soon, can anyone
> advise me on a good inexpensive hardware firewall for the Raq550, or
> enlighten me as to the advantages of using one of the various security
> packages such as Michael and Zeffie offer. Anyone have any experience with
> the Hotbrick or Cisco Pix firewall routers?
>
Well, in a denial of service situation a software firewall that ends up doing significant logging will completely tie up your machine, been there. I use gShield here and there in less critical situations and have used it on the Raq4 in the past. It's easy to use and well documented.

My preferred choice for small appliance firewalls is the NetScreen GT. Reasonably priced, full featured, very fast, and it can run in a bridging mode for simple drop-in in front of existing machines with no readdressing requirements. Filtering is done at basically wire speed in ASICs. There are all kinds of DOS attack protection and traffic shaping/limiting features that make this solution more robust than a software firewall on the host. It still costs hundreds of dollars, but I could probably buy 15 of these boxes each year for what it costs me in software maintenance for one Checkpoint FW-1 license. There is not much sacrificed in terms of features and functionality either; the only issue is one of scale, i.e. interfaces and IPs allowed on the inside.

> I hate to throw in the towel on my Cobalts (I've been using them for about 6
> years now), but a recent hacker attack and the lateness of patches has me
> losing sleep these days.
>

I started losing sleep a year ago and I am not sure why people are still clinging on to this stuff. The writing has been on the wall for a long time; security patches were coming at a pathetic pace even two years ago. All the OS versions are way out of date and there is no point in patching old stuff for ever and ever. I sense there will be a dead end at some point where some back ports will be too difficult. Application level attacks will be an issue with the Cobalt boxes, firewall or not, so I would bail sooner rather than later. I have slowly been replacing all the Cobalt machines and the two remaining ones will go VERY soon, hence I don't care about the demise of the lists etc.
I bought a bunch of bare 1U Asus machines with IDE trays, moved the Raq4r drives over, added some ECC memory and a 2.4G P4, installed RH ES V.3 and migrated all the stuff over. I am happy to give RedHat a bit of cash for very timely security updates and the time savings associated with not having to roll my own updates. I would have happily given that money to Sun if they could have ever gotten their heads around a decent support model . . . In the end this gives a very supportable, cost-effective solution that is up-to-date, secure, faster and more robust. Fortunately we were using the Cobalts as fairly generic machines and didn't leverage heavily off the Cobalt's proprietary components, so the move was not that painful; others may experience major pain . . .

Hope this is of some use . . .

Eric

> Any information on affordable proven security products would be helpful.
>
> Regards,
> Glenn Harper
> Phone: 361-727-1753
> http://www.rockportnet.com/
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
