Lots of commentary from you, Steve... is that why you are the one giving
the talks?

>Mark Uemura wrote:
>> I hope this helps others put forth a good case for
>> OpenBSD in their working environment.
>
>Overall the presentation is well-done, but I take some exception with 
>some of your conclusions on slide 34.  I know when I talk to a vendor 
>and get unrealistic comparisons, mentally that vendor is out the door.
>
>DNS: You don't need a dual P3 with 2gb for a DNS server in Windows.  If 
>the server isn't an AD controller, that P3/500 would be plenty.  If it 
>is an AD controller, then the server size depends on how many users you 
>have, and to offer a good comparison, you'd have to size the OpenBSD 
>machine for Kerberos and LDAP.
>
>(Same argument for DHCP, if you run a DHCP server on a dual P3, the 
>server is going to be bored most of the time.)
>
>I also noticed you're comparing a PC to a server.  For any OS, a "real" 
>server will generally be higher quality and more stable than a PC. 
>PCs don't have hot-swap drives or power supplies.  Again, this isn't a 
>fair comparison.
>
>Remote access: Windows' built-in Remote Desktop is included with the OS, 
>you don't need OpenBSD for that.  You couldn't do that over your Intel 
>VPN?  Remote Desktop is potentially vulnerable to MITM, but it's 
>probably more secure than an external web site like GoToMyPC.
>
>You can also install OpenSSH on your Windows machines and manage them 
>with netsh or a variety of other command-line tools.
>
>Wireless: I'm not sure if Server 2003 can act as an AP, I haven't tried 
>setting it up.  It can, however, provide 802.1X authentication, which 
>requires less end-user configuration (on Windows clients) than authpf.
>
>VPN: Why the hell does everyone hate the included Microsoft VPN?  If you 
>run an MS shop, it's easy and cheap.  That uses IPsec, ISAKMP and PKI. 
>It also has features to quarantine Windows clients that don't meet your 
>criteria for system security.
>
>(Yes, the MS PPTP protocol had some weaknesses, but that was 1998. 
>That'd be like avoiding OpenSSH because the SSH 1.0 protocol had some 
>weaknesses.)
>
>Web: I assume you had some talking points here, specifically about 
>privsep and code cleanup in OpenBSD's Apache.  The biggest problems with 
>IIS are from admins enabling it when they don't need to, or using IIS 
>when another product would do.  The Microsoft developers are even 
>learning to run the web processes as low-privilege processes (Srv 2003 
>SP1), although third-party developers aren't paying attention.
>
>Besides, you can run Apache on Windows, so the core argument is between 
>the trunk Apache and OpenBSD's Apache.
>
>IDS: Snort doesn't run on Windows?
>
>Firewall: I'm not familiar with Checkpoint, but their web site 
>(http://www.checkpoint.com/products/downloads/firewall-1_datasheet.pdf) 
>says that Checkpoint on Windows requires 256mb RAM and doesn't list 
>processor requirements.  Sounds like somebody just wanted to buy a big 
>server.  There's no good reason to have two processors in a firewall.
>
>Other comments: When you boil it down, the $500 for Server 2003 isn't 
>really all that expensive for a mid-size or large company.  CALs can 
>make a difference in large companies, but that doesn't really come into 
>play here.
>
>You've made a good argument for using OpenBSD as a redundant firewall or 
>access point, but that's more Cisco's domain than Microsoft's.  Maybe 
>find out if you can set up a redundant file server using OpenBSD/CARP, 
>and compare that to active/passive Windows server clustering.
>
>Don't use "Micro$oft", it makes you sound like a zealot, and hasn't been 
>funny since 1992.  Well, maybe leave it on slide 25, I like it 
>contrasted with "ChequePoint".
>
>Avoid relying on cheap hardware to make your cost point.  OpenBSD runs 
>well on "real", modern servers.  Managers at mid/large companies aren't 
>going to want to hear about how you pulled machines out of the trash and 
>now the business depends on them, even if they're 4x redundant.
>
>Slide 3: The first two paragraphs only preach to the converted.  Maybe 
>add a fourth bullet point, "Your competitors are probably saving money 
>using it", depending on your audience.
