A Dedicated Firewall for a Small Town?
Germ-X asks: "My city's IT Manager is proposing a dedicated firewall system to protect the IT infrastructure. The solution, that is going to be presented to the City Council, is based on Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4, and will cost the city about $13,000. Most of that amount will be going to software licenses. I don't know the features of Symantec Enterprise Firewall, I just think that the city could do much better going for an appliance kind of solution, even if they stay with Windows. What do you guys think? Any other ideas? Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff."
Caveat. If you have consultants available that are skilled with open source, get a firewall from them so you don't have to deal with Watchguard licensing. A FreeBSD based firewall (m0n0wall or pfsense?) with solid rulesets, and even throw in intrusion detection and stateful inspection... you can get those free of even the Watchguard restrictions. m0n0wall and its fork, pfsense, have nice web interfaces and I believe you may even be able to use something like fwbuilder to manage them, but the web interface is pretty robust for most uses. I think the only time it would get messy is if you needed mangling rules, but if you needed that, you WOULDN'T be asking about server 2006 and norton mcafee pseudo-wannabe security suite. :P
Karma: Chameleon (mostly due to the fact that you come and go).
So, I'm betting the real issue will be selling a cheaper or open source solution to people who are not in IT and are used to paying big money for anything "reputable"... I guess the strategy I would use would be to put a chunk of money into a "reputable" consultant who would then sell them on the OSS option. Remember, in business and in politics it's often about making them feel secure, regardless of whether or not they actually are. Somehow Microsoft and Norton branded products provide that sense of security to many outside of the IT field, so they'll continue to get the business unless you can provide them with that same sense of security at a cheaper price.
I second this. You can learn OpenBSD's pf firewall well in about a week. Get started here: http://www.openbsd.org/faq/pf/ . A 600 MHz PIII, 256 MB RAM, 4 GB HD, is plenty for 4 to 6 100 Mbit NICs on 32-bit PCI; if you have higher bandwidth needs you might put the money into a machine with 64-bit PCI or PCI-E and Gigabit NICs.
Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff.
I'm no "big time sysadmin" either but I have some security knowledge. Security is not a "set and forget" operation. You don't need a full-time dedicated person but you do need someone to keep up with fixes, etc. Otherwise, you're throwing money down a hole.
It's simple: I demand prosecution for torture.
Whether you're talking "Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4" or "OpenBSD on there. And scale down the hardware a lot" or even a heavy-duty appliance box, the cart is in front of the horse, here. Don't know if that's a reflection of the planning or your thinking.
Plan the maintenance policy, first. Even if you have a heavy-duty appliance box, which you'd like to think of as "install and forget", someone's got to keep on top of security alerts and firmware updates. Remember the good old security mantra, "Security is a process, not a product."
Keeping that in mind, it can affect a purchasing decision, too. "Windows 2003 and Symantec Enterprise firewall" is 2 products from 2 companies, and the OS is very complex, needs significant work to lock down to minimal function, and has had a steady feed of monthly updates. On the other hand, "OpenBSD on there" is 1 (Isn't pf part of the base?) product, has a much more proven security track record, a lower update rate, and comes configured more securely out of the box.
Normally, I don't believe the "Just let me put an OSS firewall in there on the cheap," argument. But in this particular case, and keeping in mind that ongoing maintenance should be part of ANY solution, I guess I'd have to side with OpenBSD + pf.
The living have better things to do than to continue hating the dead.
I was going to post, but the parent to this is almost exactly what I was going to say. He's right. 2x OpenBSD boxen with CARP will be far more resilient, and less expensive, than the proposed solution.
Did I mention it's free?
Cheers.
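The two-box OpenBSD pf + CARP setup recommended in the thread, sketched as an added example (not posted by anyone in the thread). It assumes NICs named em0 (external), em1 (LAN) and em2 (crossover link for pfsync), RFC 5737/1918 addresses, and the pf syntax of OpenBSD 4.7 or later; the secondary box gets the same files with its own per-box addresses and "advskew 100" on both carp interfaces.

```conf
# /etc/hostname.em0   external, primary box (secondary uses 203.0.113.3)
inet 203.0.113.2 255.255.255.248

# /etc/hostname.em1   internal LAN (secondary uses 192.168.10.3)
inet 192.168.10.2 255.255.255.0

# /etc/hostname.em2   dedicated crossover link for pfsync (secondary 10.0.0.3)
inet 10.0.0.2 255.255.255.0

# /etc/hostname.carp0   shared public address; same vhid/pass on both boxes
inet 203.0.113.1 255.255.255.248 203.0.113.7 vhid 1 pass CHANGEME carpdev em0 advskew 0

# /etc/hostname.carp1   shared LAN gateway address handed out to clients
inet 192.168.10.1 255.255.255.0 192.168.10.255 vhid 2 pass CHANGEME carpdev em1 advskew 0

# /etc/hostname.pfsync0   replicate the state table over the crossover link
up syncdev em2

# /etc/sysctl.conf   a recovered master takes its addresses back; route packets
net.inet.carp.preempt=1
net.inet.ip.forwarding=1

# /etc/pf.conf   identical default-deny ruleset on both boxes
ext_if = "em0"
int_if = "em1"
sync_if = "em2"
lan = "192.168.10.0/24"

set skip on { lo0 $sync_if }     # pfsync link is a trusted point-to-point cable
block log all                     # default deny; log what is dropped
pass quick proto carp             # CARP heartbeats between the two boxes

# NAT to the CARP address, not the box's own address, so synced states
# stay valid on the other box after a failover
match out on $ext_if inet from $lan nat-to (carp0)
pass in on $int_if inet from $lan to any
pass out on $ext_if inet

# administer the firewall only from the LAN side
pass in on $int_if inet proto tcp from $lan to self port ssh
```

After loading with "pfctl -f /etc/pf.conf", "ifconfig carp0" on each box shows which one is MASTER and "pfctl -ss" on the backup should list the same states as the master.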