A Dedicated Firewall for a Small Town?

← Back to Stories (view on slashdot.org)

A Dedicated Firewall for a Small Town?

Posted by Cliff on Tuesday December 20, 2005 @07:53AM from the any-better-ideas dept.

Germ-X asks: "My city's IT Manager is proposing a dedicated firewall system to protect the IT infrastructure. The solution, that is going to be presented to the City Council, is based on Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4, and will cost the city about $13,000. Most of that amount will be going to software licenses. I don't know the features of Symantec Enterprise Firewall, I just think that the city could do much better going for an applicance kind of solution, even if they stay with Windows. What do you guys think? Any other ideas? Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff."

4 of 75 comments (clear)

Min score:

Reason:

Sort:

OpenBSD? by m0rph3us0 · 2005-12-20 08:03 · Score: 5, Informative

I'd throw OpenBSD on there. And scale down the hardware a lot. You will run out of bandwidth on your bus before you run out of CPU. Get two boxes and run CARP for fail over. That way when you patch the box your whole network doesn't go down. Just get two uniprocessor boxes. Dual Dual cores is overkill, and Windows 2003 has a single TCP/IP stack so dual processors are almost pointless.
1. Re:OpenBSD? by Noodlenose · 2005-12-20 09:30 · Score: 5, Insightful
  I can't commend this solution higher. There are 3 main reasons why OpenBSD should be your choice:
  
  Excellent hardware support
  
  Superb documentation
  
  With Carp and pf, you have the best firewall tools out there.
  
  Did I mention it's free?
  Cheers.
Maintenance policy - first by dpilot · 2005-12-20 08:47 · Score: 5, Insightful

Whether you're talking "Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4" or "OpenBSD on there. And scale down the hardware a lot" or even a heavy-duty appliance box, the cart is in front of the horse, here. Don't know if that's a reflection of the planning or your thinking.

Plan the maintenance policy, first. Even if you have a heavy-duty appliance box, which you'd like to think of as "install and forget", someone's got to keep on top of security alerts and firmware updates. Remember the good old security mantra, "Security is a process, not a product."

Keeping that in mind, it can affect a purchasing decision, too. "Windows 2003 and Symantec Enterprise firewall" is 2 products from 2 companies, and the OS is very complex, needs significant work to lock down to minimal function, and has had a steady feed of monthly updates. On the other hand, "OpenBSD on there" is 1 (Isn't pf part of the base?) product, has a much more proven security track record, a lower update rate, and comes configured more securely out of the box.

Normally, I don't believe the "Just let me put an OSS firewall in there on the cheap," argument. But in this particular case, and keeping in mind that ongoing maintenance should be part of ANY solution, I guess I'd have to side with OpenBSD + pf.

--
The living have better things to do than to continue hating the dead.
Re:What city? by MarkGriz · 2005-12-20 10:12 · Score: 5, Funny

"Hey, I presume that you guys use no firewall now. And you have Windows servers on the netowork! What kind of city is that?"

Troy?

--
Beauty is in the eye of the beerholder.