For the stated requirements, I'd tend to go with OpenBSD, largely
because the features you're asking after are well-documented and
extremely mature. I particularly appreciate the functionality in pf
that provides a great deal of IP stack protection (e.g. fragment
reassembly and synproxy, where the latter can also help with plugging
covert channels via TCP SEQ/ACK IDs) in a stateful firewall. For high-
availability, pfsync, carp and OSPF are a very nice stack on the front
end, while there's ample functionality to provide load-balancing on
the back end. Solaris has plenty of networking features for load
balancing and HA, but I'd tend to think that the firewall features in
OpenBSD are somewhat more compelling. Not sure exactly what you need
with respect to VPNs, but there's quite a lot OpenBSD can do in that
department. For IDS/IPS (including honeypots), I'm not current on all
the tools in the area, but I'd expect much of the code to port, with
some weight in OpenBSD's favour, given its strength as a manageable and
secure platform.
I'd really like to see pf and friends ported to OpenSolaris, although
I gather that the refactoring of the IP stack away from using the old
streams-based approach will make this a challenge. There's quite a bit
of work being done in the -current release of OpenBSD in anticipation
of the 4.7 release, so perhaps that might be the code to port once
it's released. It would be nice to see some cross-pollination between
the platforms (port pf to OpenSolaris, port DTrace to OpenBSD and
maybe ZFS, although as CDDL ports, they'll never get into the core
distribution, which is strictly BSD-licensed, which is much of the
reason that ipfilter ended up being replaced).
On 5 Jan 2010 at 14:48, carlopmart wrote:
Hi all,
I need to deploy a new perimeter security infrastructure to
install the following services:
- High availability and load balancing firewalls
- VPNs
- IDS/IPS
My first choice to install this scenario is to use OpenBSD, but will
it be possible to do this with OpenSolaris?? The most important point is
high availability features ...
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org