Contributed by Dengue on from the d-&-t-fan-club dept.
"It is difficult, however, for someone who currently does not work in a corporate environment to learn how to properly configure the rulesets for a firewall.
Over the weekend, I replaced my DSL router with emBSD, a stripped-down version of OpenBSD running Ipfilter. Installation was easy, and in about 12 minutes I had a firewall up and running. Because I now control every aspect of the firewall, I am able to test and try out complex rulesets on a production-quality firewall.
Also, ipfilter's ruleset language seems infinitely more intuitive and easier to understand than ipchains. Also, Ipfilter is stateful, like netfilter, while ipchains is not.
Most of us cannot afford something such as Raptor or Firewall-1. Nor is there any reason to believe that spending $25K on a firewall means it's a better or, more importantly, a more secure firewall. In my experience in consulting, I have noticed that it is generally a poor understanding of rulesets which results in poor firewall security. Ipfilter run at home or in a small office environment is perfect for setting up NAT as well as having a secure firewall for very little money. I am running mine on an old Pentium 133MHz + 64MB on a 64MB SanDisk IDE. It works beautifully. It then would seem that, as far as firewalls go, Ipfilter is the most cost-effective, accessible stateful firewall available.
I would recommend all sys admins out there, as well as managers, to take a look at OpenBSD + Ipfilter as an alternative to buying one of the large commercial firewalls. OpenBSD is secure by default, and Ipfilter is easy to configure and use, and it's stateful. It runs happily on very low-end hardware, and once set up, it just runs and runs.
I would also recommend anyone who is interested in learning more about firewalls to set one up."
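A minimal stateful ipf/ipnat ruleset for the kind of home DSL/NAT gateway described above, added here as an example; it is not the submitter's configuration nor part of emBSD. The interface names ne0 (external) and ne1 (internal) and the 192.168.1.0/24 LAN are assumptions; the syntax is the IPFilter 3.x rule language.

```text
# --- /etc/ipf.rules (IPFilter 3.x syntax) ---
# ne0 = external (DSL) interface, ne1 = internal LAN: assumed names.
# ipf is last-match unless a rule says "quick", so the two rules below
# are the default policy and every "quick" rule later overrides them.
block in log all
block out log all

# Loopback traffic is always fine.
pass in  quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: nothing arriving from the Internet may claim to come
# from our LAN or from loopback.
block in log quick on ne0 from 192.168.1.0/24 to any
block in log quick on ne0 from 127.0.0.0/8 to any

# LAN hosts may initiate anything; "keep state" records the flow so the
# replies are matched in the state table before any rule is consulted
# (this is what ipchains cannot do without opening high ports inbound).
pass in quick on ne1 from 192.168.1.0/24 to any keep state

# The firewall itself may open outbound connections. "flags S" means
# only a SYN (a new connection) creates state; stray ACKs do not.
pass out quick on ne0 proto tcp  from any to any flags S keep state
pass out quick on ne0 proto udp  from any to any keep state
pass out quick on ne0 proto icmp from any to any keep state

# Unsolicited inbound from the Internet has no state entry, so it falls
# through to here. return-rst / return-icmp make closed ports look closed
# rather than filtered, which avoids long timeouts on the remote side.
block return-rst in log quick on ne0 proto tcp from any to any flags S/SA
block return-icmp-as-dest(port-unr) in log quick on ne0 proto udp from any to any

# --- /etc/ipnat.rules ---
# Rewrite LAN source addresses to the address of ne0 (0/32 = interface
# address). map rules are first-match, so the FTP proxy and the
# port-mapped TCP/UDP rule must precede the catch-all for other protocols.
map ne0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ne0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map ne0 192.168.1.0/24 -> 0/32
```

Load with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, then watch `ipmon` for the logged blocks while testing from a LAN host.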
By Alternative Man () bsd-rules@bjmoose.com on http://www.mobydog.com
By Curtis () c_collicutt@yahoo.com on www.collicutt.net
You would be much better off putting the money towards a full-time FW admin who can automate the open-source firewall to meet your expectations and needs, instead of what the commercial FW company *thinks* you need.
OpenBSD + Ipfilter rocks.
Curtis.
By Anonymous Coward () on
non-web browsing activity. Web browsing would take 10 times the space. We run on a Sparc Ultra 60 with FW-1, and have more than 75 rules. Adding rules via the GUI works, and previewing the activity via a GUI works as well. To process the logs I move them to OpenBSD and use Perl to generate summary reports. I use ipf on an old P2 120 running 2.8 at home for my cable modem setup with NAT and dhcp. Works great. But when you need to lay your job on the line, you don't mind spending the $30,000. I wonder who is using ipf on OpenBSD on the high end. We pump 6 - 8 megabits/sec of data daily through our firewall; anyone doing similar traffic levels care to comment on what platform you are using and how easy it is with ipf?
By Meder () mederchik@mail.ru on mailto:mederchik@mail.ru
By Ken () krice@suspicious.org on http://www.embsd.org
1) Documentation and setup: more setup instructions are coming.
2) Several people have expressed concern about the source. We are in the process of cleaning up the patches so that they are useful to people besides us. We are toying with the idea of converting the patching process to a port-style setup so life is much easier when newer source or releases come out.
3) Several things were left out that are needed to make things a bit nicer; IPSec, for one, is slated to be made a package for the upcoming release. Also, named, dhcp, ppp, and wireless support.
4) emBSD is designed as an ipf/router for a small footprint. At this point it is a good firewall and/or router and that's about it. Everyone just grabs the latest release of this firewall or that firewall and thinks that just by setting it up, poof, all your problems are going to go away. It will help with some issues, but it will not solve all your problems. Even though it will run, there are always new ways coming out to circumvent even some of the best security software available. Pay attention to all the good sources for the latest exploits, use some form of IDS and/or logging, review those logs and make adjustments to your ruleset as required.
5) emBSD is not a floppy-based system and was never intended to be... there are plans for emBSD that don't allow this, and floppies are not very reliable for long-term operations... (when's the last time you lost a document because a floppy went south on you?)
I hope this clears up a few issues. And if there are any other issues you would like to know about, suggestions, etc., feel free to join the mailing list or visit the website at http://www.embsd.org
By Ago () ago@lsc.hu on http://www.geekfinder.hu
By Nick Buraglio () nick@securitydrop.spamsucks.com on http://www.securitydrop.com
I've worked on Gauntlet, PIX, FW-1 and a few other pricey firewalls, and the main reasons that most of the places went with a commercial product come down to 3:
1. They want someone to blame, as in a company (that is exactly how it was explained to me) if it screws up.
2. Commercial support. (again the blame factor comes into play again, for misconfiguration, etc.)
3. Warm fuzzy: it gives the non-technical upper management a warm fuzzy to look at http://www.checkpoint.com and think to themselves that they are secure because Checkpoint (or Cisco, or HP, or whatever) says they are.
It's a stupid reason in my opinion, but huge companies like the Fortune 500, 1000, etc. have green to burn on crap like that. Personally I've deployed a good deal of firewalls, VPN devices, etc., and for most of my customers I recommend a BSD-based firewall running IPF. Sure, if they have the money to burn I'll get them a PIX and set it up, but 90% of the people will take whatever you tell them to.
By dalton () on
There are so many other areas to look at in the security arena, such as social engineering... how does a product cope with that? It's just a facet of a security solution, not security nirvana.
Having said that, security from the ground up is the way to go...and to me, that's where OpenBSD fits in. I can't think of any decent alternative...