Mark Uemura wrote:
> six months prior to
> me taking over the SysAdmin position.

Ah, see when I read the slides, I got the impression that you came in as
a consultant to do all this, not that you did it all in-house.

> I for one have problems putting a Windows Server on the Internet. Even
> within a DMZ and hardened as much as I know how. I just wouldn't be able
> to sleep at nights.

Oh, it'd be fine, for at least several minutes.

> If there is a Secure Commercial Wireless Solution that even comes
> close to the solution that I have implemented in regards to OpenBSD's
> security track record, usability, interoperability and ease of use,
> ease of administration and cost, then please do enlighten me.

(If I knew of one that existed, I would have mentioned it.)

> The basis
> of what was implemented is on the slides. You mention authpf in a
> negative sense. I think it was the best thing developed since sliced
> bread :) That's not totally true. OpenBSD on Zaurus, PF, CARP and SPAMD
> are also right up there ;)

I'm not trying to be negative towards authpf, I'm trying to describe
reasons someone might have to not use it. I don't like all the crap
Cisco makes you install to use their solution either.

>> VPN: Why the hell does everyone hate the included Microsoft VPN? If you
>> run an MS shop, it's easy and cheap. That uses IPsec, ISAKMP and PKI.
>
> Maybe because there's an easier, cheaper and more secure alternative!

(Compared to Cisco or Intel, not OpenBSD.)

>> It also has features to quarantine Windows clients that don't meet your
>> criteria for system security.
>
> No comment.

Why? If you've got untrusted/unmanaged Windows clients that can connect
into the network (i.e. Bob from Accounting connecting in from his
unprotected home machine) then this is useful. It's more for
manageability than security.

> Obviously you've not run Checkpoint on Windows :) But that's okay,
> I wouldn't wish it on anyone 8-) By the way, in my talk, I do mention
> a point in time (August 2003) when I had to protect my firm-standard
> Checkpoint Firewall with my OpenBSD Firewall due to an outbreak of
> 'nachi', 'msblaster' & 'sobig' viruses. Imagine that, an OpenBSD
> firewall out in front protecting another firewall because it was going
> to 100% CPU utilization with dual CPUs!

Heh. I've done the same thing with spamd and (anti-spam) mail servers,
to add greylisting during a spam flood so the "real" servers could catch up.