Hiya Brenno

The current units are BASED on FreeBSD 2.2.6, and were expensive as well
(WAY before my time here). The problem with current units is not so much
the current setup, but the future plans that are going to rely heavily
on them. Currently very little is open but within the next few months I
will have to open several other ports, as well as bring up another
interface and DMZ for the business. This will open these boxen to all
sorts of 'fun'.

Unfortunately in some larger .co's people believe they are getting a
better product if they pay more for it. If I had to sit down with a few
friends over pizza and beers we'd probably get a very secure FreeBSD
firewall with failover running in a few hours. This has been suggested
to management, but the solution was too 'cheap' for them. Like I said in
my previous mail...gholf course decisions. That's why they're replacing
sendmail on a Sun E250 (super stable) with Lotus Domino on an Intel
platform (which has broken twice in its testing stage alone).

My question reverts again to how to approach a manager without insulting
him and telling him a four year old product just does not cut it in
today's security industry. Should make for interesting discussion.

Kind regards
Pieter

-----Original Message-----
From: Hiemstra, Brenno [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 20, 2002 10:54 AM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: Firewall RFI & info


Pieter,

To convince the management you can look at the services running on the
firewall and prove that they need to be upgraded because in the recent
years people found flaws in the used technology or running services.
Basically management needs to learn that you need to keep up with the
technology to be, or feel, secure. Otherwise you can sit and wait to be
penetrated at some point (maybe this already happened without your
knowledge about it).

IMO a checkpoint FW-1 is a pretty expensive solution to replace a
FreeBSD firewall. There are also probably some tools for Linux or
IPFilter (firewall package runs on latest FreeBSD distros) that can
suit your needs.

If you ask me the rulebase of an IPFilter or PF based firewall is pretty
straightforward and after reading the HOWTO it shouldn't be a problem to
install a good rulebase on the new firewall. If you are now running a
FreeBSD firewall then there shouldn't be a real problem in running a new
FreeBSD install with a new and better firewall package.

Anyway...   food to think about..

Regards,


Brenno

> -----Original Message-----
> From: Pieter Blaauw [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday 20 March 2002 8:04
> To:   [EMAIL PROTECTED]
> Subject:      Firewall RFI & info
> 
> Hi guys
> 
> If this is OT, send someone over with a spiked club to teach me, but I
> thought I'd ask this list. :)
> 
> The current .co I work for has a set of firewalls being 'x' yrs old, 
> still based on FreeBSD 2.2.6 with some friendly interfaces etc. At the
> time of their purchase much of it was a 'gholf course decision'. Now 
> for the new budget period we're trying to justify spending the money 
> on upgrading the units to Checkpoint's FW-1. In an RFI I sent it, it 
> came out on top, and while a FreeBSD / Linux solution would be great, 
> not enough people understand it to make hand-over and maintenance of 
> it easy enough. Also not all the functions on the RFI were needed, 
> making it not a powerful enough object for argument over the older 
> units.
> 
> Can anyone assist me in advice in how to prove to management without a
> doubt that the older units are indeed worth replacing? While I can 
> prove 'x' amount of nmap scans, not to mention the lack of stateful 
> inspection in the boxen, this is not convincing enough. I'm looking 
> for someone with some business savvy that may know of a whitepaper on 
> such a problem or anything of help.
> 
> Kind regards
> Pieter
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED] 
> http://lists.gnac.net/mailman/listinfo/firewalls
