hi everybody, hi Oliver

I would suggest an OpenBSD or OpenBSD-based firewall too. We're using
OpenBSD firewalls (routing, NAT, "load sharing", SSL-VPN, etc.) for our
own web and mail hosting platform and for a customer similar to Oliver's
description of the project.

Yesterday I switched our web and mail hosting systems from a commercial
firewall solution (http://www.phion.com/index_en.php) to our new OpenBSD
highly available firewall.

I agree with Chris it's a lot of work, but I also fully agree with Rolf.
It's important to understand what you're doing and why things are working
the way they are working... :-) OK, this maybe sounds a bit freaky, but if you
have the time it's always good to know these things.

I built 2-3 similar firewall solutions with OpenBSD before. It's only
copying some configuration files and changing the things according to your
needs.

If you want you can get the whole config stuff from me... contact me
off-list if you're interested. Buy some cheap 1HE Pentium / Xeon servers
or an Alix / WRAP board (www.pcengines.ch).


Greets
Marco

Rolf Sommerhalder wrote:
> Chris Gravell wrote:
>> Sounds like a lot of hard work, Rolf!
> 
> Yes, but it's fun as well, as you can really learn and understand how
> the stuff really works. Support provided by developers and the community
> over mailing lists is quite amazing.
> 
>> BSD may be free but as you probably
>> know, - the ongoing support costs are often the larger proportion
> 
> I did not say 'open == free'. Contributing back to the project is also
> quite rewarding, and be it only in the form of qualified bug reports or
> testing upcoming releases.
> 
> Just in case the OP's customer has asked specifically about non-open
> source solutions because of concerns regarding (the lack of) commercial
> support, in Switzerland http://www.startek.ch supports the products from
> http://vantronix.de which are OpenBSD based.
> 
> 
>> Not to mention that the base OS will probably require
>> hardening too...
> 
> Not really, as OpenBSD default install is already hardened as per its
> "secure by default" policy, unlike most other OS.
> 
> 
>> expertise like that would quickly dwarf his budget unless
>> it's available in-house.
>> For up to 3000CHF, probably best to buy off-the-shelf. And focus on TCP/IP
>> and not the underlying OS. IMHO!
> 
> The OP stated that he needs to protect about 10 Web servers. If this
> means 10 physical and not virtual servers, then I have some doubts about
> the price point of 1..3 kCHF being an adequate investment for the
> protection of these servers. Also the bandwidth estimations look pretty
> moderate.
> 
> Therefore, I assumed that a clustered setup distributed over two
> datacenters (or two separate racks, at least) might be better, both for
> resilience and scalability. Also, reverse proxy functionality will
> facilitate operations (load balancing, web server maintenance without
> affecting service availability, etc.).
> 
> Just in case the OP's customer has asked specifically about non-open
> source solutions because of concerns regarding (the lack of) commercial
> support, in Switzerland http://www.startek.ch supports the commercial
> products from http://www.vantronix.de which are all based on OpenBSD.
> 
> Finally, the OP might want to look into managed security services
> provided by providers (MSSP) like http://www.open.ch in Switzerland, as
> an attractive alternative to having to evaluate, install and maintain
> security hardware & software products and to care about their life-cycle
> management.
> _______________________________________________
> swinog mailing list
> swinog@lists.swinog.ch
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
