On Wed, 13 Dec 2000, Cole Tuininga wrote:
>>
>>   Install Linux on some PC hardware.  ;-)
> 
> We've actually taken this approach before.  The thing that I like about
> doing a "hardware" solution is that the only moving part is a fan.

  I can think of several answers to that concern off the top of my head...

  (1) There are solid-state storage solutions out there of varying costs.  
Put a Linux-based firewall on one of these devices.

  (2) Use one of the firewall-on-a-floppy solutions out there.  Floppies are
not very reliable in general, but in this sort of situation, they spend most of
their time idle, and you can keep as many backup copies around as you want.

  (3) Put a firewall-on-a-floppy solution on CD-R or CD-RW media.  This solves
the media reliability problem.  With CD-RW, you do not even have to worry
about wasting blanks for each config change.

  (4) Good network cards these days include network boot clients in firmware.
Put one of these cards on the LAN side, and netboot the firewall off an inside
server.  Disadvantages: If all your servers go offline, and your firewall then
reboots, you lose the firewall.  This may or may not be very likely, depending
on your situation.  There is also a possible security concern here, since your
network guardian is using the network for boot.  How risky this is again
depends on your situation.

  (5) Some network cards support programmable/replaceable ROMs for netbooting.  
The typical situation is you put a thin network client in ROM to bootstrap the
station onto the network.  But you can put anything you want in those ROMs --
including a firewall-on-a-floppy image.  With an EPROM, no-cost updates even
become possible.  This is basically a kludgey version of #1.

  (6) There are projects out there on the 'net to put Linux into the flash ROM
which holds the BIOS/firmware of modern systems.  This is rather bleeding
edge, but it would be a neat hack.  :-)

  (7) Hard drives don't fail *that* often.  Keep a cold spare and a current
disk image around.  Use hardware RAID if you're really paranoid.

> I took a look at this - it seems to be running a 2.0 kernel.  Aren't there
> some serious problems with the network code in the 2.0's?

  There are serious problems in all known versions of Linux.  Most of them can
be -- or have been -- patched.  Perhaps WatchGuard has done so.  Ask for the
source.  The GPL requires they provide it.

>> Checkpoint's Firewall-1 ...
> 
> I couldn't find the link for the embedded box version - just the software
> version?

> Yeah, the thing that sucks about Netopia's S9500 is that it appears to
> only have 10 BaseT.  Our DMZ will need a fast connection to the non DMZ'd
> area.

  10 Mbit/sec is still pretty fast.  You can beam an entire CD in under ten
minutes.  How much data will you honestly be transferring to a machine whose
major purpose is to communicate over low-speed WAN links?

-- 
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18   Fax: (978)499-7839
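A check a practitioner would pair with options (2) through (4) and (7) above: whichever medium the firewall boots from, the image should be verified against a digest recorded when it was built, so corrupted media or an altered netboot copy is caught before it is written or booted. The script below is an added example, not code from the thread or from any project named in it; the paths and the image contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): verify a firewall boot image
# against a pinned SHA-256 digest before writing it to floppy/CD-RW or
# serving it for netboot.  Paths are hypothetical; the image is constructed.

sha256_of() {
    # Print the SHA-256 hex digest of a file.  Falls back to shasum where
    # coreutils sha256sum is not available.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image IMAGE MANIFEST
# MANIFEST holds lines of the form "<sha256>  <basename>" recorded at build
# time.  Returns 0 if the digest matches, 1 on mismatch or missing entry.
verify_image() {
    img="$1"; manifest="$2"
    expected=$(awk -v n="$(basename "$img")" '$2 == n { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $img" >&2
        return 1
    fi
    actual=$(sha256_of "$img")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $img matches pinned digest"
        return 0
    fi
    echo "MISMATCH: $img (expected $expected, got $actual)" >&2
    return 1
}

# Demonstration: a constructed image passes, a modified copy is rejected.
demo() {
    workdir=$(mktemp -d)
    printf 'constructed firewall-on-a-floppy image v1\n' > "$workdir/fw.img"
    # Record the known-good digest when the image is built.
    printf '%s  fw.img\n' "$(sha256_of "$workdir/fw.img")" > "$workdir/MANIFEST"
    if verify_image "$workdir/fw.img" "$workdir/MANIFEST"; then good=0; else good=1; fi
    # Simulate corrupted media or an altered netboot copy by appending a byte.
    printf 'X' >> "$workdir/fw.img"
    if verify_image "$workdir/fw.img" "$workdir/MANIFEST" 2>/dev/null; then bad=0; else bad=1; fi
    rm -rf "$workdir"
    # Succeed only if the pristine image passed and the altered one failed.
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

demo
```

Keep the manifest somewhere the boot medium cannot rewrite (a read-only CD-R, or a file on the admin workstation), since a digest stored beside the image it describes proves nothing if both can be replaced together.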
