On Thu, Jun 3, 2010 at 12:14 AM, Chris Buechler <cbuech...@gmail.com> wrote:
> On Tue, Jun 1, 2010 at 1:05 PM, Ian Bowers <iggd...@gmail.com> wrote:
>>
>> I usually
>> recommend a cisco router over a BSD box for WAN delivery duty since
>> they rarely if ever need patching
>
> Cisco has put out more security updates in the past two months than we
> have in the 5.5 years this project has existed. The applicability of
> those varies depending on what functionality you're using, but if you
> want to maintain a secure IOS, you definitely need to patch more than
> "rarely". Most FreeBSD security advisories don't apply to us as
> they're either local only, and in our case if you have local access you
> have root, or they're in components that we don't include.
>
> Not that I disagree with the point of your post as a whole. Unless
> you're in a large datacenter with two drops into your cage or cabinet,
> you end up with one single point of failure of some sort per Internet
> connection, with redundant firewalls behind that. Whether it's a Cisco
> router with a CSU/DSU, a cable or DSL modem, wireless or WiMAX CPE,
> fiber CPE, etc., there is always something. It's unavoidable, which is
> another reason you want multi-WAN plus redundant firewalls.
>
> Re: not having to burn two IPs for CARP, I hope we can get carpdev
> functional at some point post-2.0 so that won't be necessary.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>
My comment on patching was more abstract than saying "Cisco is more of a fire-and-forget box than BSD". A BSD box, even as a network appliance, is going to have more services listening than a Cisco router. Or at least that tends to be the case in practice. Most routers have no services open to the outside, and only an access port (SSH or sometimes telnet) open on the inside. Any network services like routing protocols and whatnot will all be internal. So they tend to be lower maintenance from the service standpoint. I tend to see more service-based attacks than any other malicious activity, so I suppose I should have been more clear about the "YMMV-ness" of what I had said earlier.

FWIW, I've run OpenBSD or pfSense as my border router/firewall for close to a decade at home and had zero issues despite a number of malicious attempts. So this isn't to say a BSD box isn't perfectly well suited for border duty. I'm only saying that in my experience, if you want a redundant firewall setup, and the firewalls are where you want to focus your attention, having a "dumb" box that just pushes the Internet into your network so your firewalls can do the heavy lifting is a solution I tend to recommend. Grain of salt, etc.

-Ian