On Wed, 03 Aug 2005 11:03:34 +1000, "Rod.. Whitworth" <[EMAIL PROTECTED]> wrote:
>Somebody sent me a query asking for a justification for my proposal to
>supply a firewall/router using OpenBSD when there was this device:
>http://www.dlink.com/products/?pid=327 , with all its claimed bells and
>whistles.
>
>Anybody know what, if anything, it does that an OBSD solution doesn't/
>cannot, that may be important?
>
>Or alternatively the reverse.
>
>I've started with SSL VPNs (OpenVPN based) which I have found to be
>very easy for clients to add to road-warrior machines. I'll be doing a
>bit more research on it too but hopefully somebody has some knowledge
>of the beast.
>
>Thanks,
>Rod/

Hi Rod,

As sick as it may sound, FUD works.

First, discredit your opponent: Try using the line, "There are lies, damned lies and then there are supposedly working features." (laugh) "Heck, if you think that's bad, even worse is supposedly secure systems." (laugh)

Next, pump up your product: Though it seldom counts as a "Valid Business Reason", I usually mention the tremendous "Hack Value" and extensive "Bragging Rights" of using "The-Most-Secure-Operating-System-On-The-Planet!" to the corporate decision makers.

If they're smart enough to give you that "I don't want to hear your FUD" look, just level with them: "If you really want me to go into all the various technical details involved in a full source code audit, the costs you would bear to do an equivalent audit on a closed source binary through reverse engineering, and you'd also need a detailed comparison of standards compliance validation and testing, as well as a comparison of how long your ass will be sitting out there on the cold dark net with your pants down when some new exploit is discovered... Sure... If you want to waste your time and money putting together a complete report so I can bore you to tears with all the technical details, I'd be more than happy to do it." Say absolutely nothing until their nerve finally breaks and they give you a fumbled reply - game over.

And close the deal: "The bottom line is, if you really want to have hard facts on which system would be more secure, you would be forced to hire very talented security reverse engineers at $300 per hour to do a full binary audit of the firmware in the netgear box, and that would cost you tens of thousands of dollars. When you realize there's no such thing as a "PERFECT" security audit, you could choose unproven netgear consumer crap with a questionable audit that cost you a fortune, or you could choose a proven product like OpenBSD that has been audited at the source code level multiple times by many individuals."

As stupid as it may seem, the FUD works every time. ;-)

The only question is, "Is it really FUD?" - Yes and no. Though it is FUD in most regards, you also just laid out a valid and important "Business Reason" for using OpenBSD - a company should not be spending the kind of money it would require to make a detailed and informed decision between an unknown closed binary running on the netgear consumer crap versus an already audited OS with a proven track record. On the other hand, if they have money to burn and want to do a binary audit on the netgear crap, give me a call and I'll set you up with the right people. ;-)

Kind Regards,
JCR

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?