Re: [Hampshire] Firewall stuff

Author: Bob Dunlop
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Firewall stuff
Hi,

On Fri, Feb 29 at 11:47, Andy Smith wrote:
> Does your project justify the expense of a hardware firewall, or
> even two? Your call.

Firewalls do not need to be expensive or shiny. An inexpensive PC with
the right software makes a good firewall, as I'm sure everyone knows.
I use an old Lex-lite diskless system for ours.

Security in depth is good: the more layers you have, the more systems
that have to be compromised to let the bad boys in. Hence for home we
have the firewall PC and then run iptables filtering on the machines
behind it etc. Strong passwords and no Windows software in the house.

The right software is the key. I'm a believer in keeping firewalls
simple: just run the packet filters and do nothing else. I stopped
using IPCop when they started loading it with "features"; I don't need
a GUI to configure iptables, and running one on the firewall just
presents another attack vector. As for spam filtering, that's a mail
server function, not a firewall issue. Crashing the mail spool should
not be allowed to bring down the firewall; keep these functions separate.

> I've never heard of Endian. Most of these things are just BSD/Linux
> boxes with some sort of management interface, but that is not
> necessarily a bad thing.

Neither had I, but after a quick peek the hardware looks reasonable and
shiny; without a published price list I'm guessing they are going for
overpriced corporate sales. From the spec sheets it's more a boundary
server than a firewall: spam filtering and spooling, wifi hot spots,
GUI click-and-guess interfaces, all the "features" I don't want in a
firewall. I'd want to put a firewall between it and the Internet.

For a time now I've had the idea of building a multi-server security/
firewall system: a tightly constrained firewall front end, with one or
more back-end systems behind it to handle user interfaces and features
like spam filtering or mail spooling. If a back-end system fails, the
firewall keeps running and could even isolate the faulty unit. Time
and money are as ever the enemy.

-- 
        Bob Dunlop
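Added example, not code from Bob's message: the layered design he sketches (a packet-filter-only front end, the LAN behind it, and a mail back end the firewall can isolate on its own) written as an iptables-restore ruleset for the firewall PC. Interface names, the LAN range and the mail host's address are assumed values.

```shell
#!/bin/sh
# Added example, not code from the post: a packet-filter-only ruleset for a
# dedicated firewall PC in the layout described above (constrained front end,
# LAN behind it, a separate mail back end that can be cut off on its own).
# Interface names and addresses are constructed values for illustration.
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_NET=192.168.1.0/24
MAIL_HOST=192.168.2.25

# Print the full ruleset in iptables-restore format. Nothing is applied here.
gen_fw_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ISOLATE - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j ISOLATE
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $MAIL_HOST -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -d $MAIL_HOST -p tcp -m multiport --dports 25,143 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -s $MAIL_HOST -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# No DMZ -> LAN rule: a compromised back end cannot reach the inside hosts.
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Print a fragment (for iptables-restore -n) that cuts one back-end host off.
# ISOLATE is consulted first in FORWARD, so these DROPs win over later ACCEPTs
# and the front end keeps serving everyone else.
isolate_host() {
  printf '*filter\n-I ISOLATE -s %s -j DROP\n-I ISOLATE -d %s -j DROP\nCOMMIT\n' "$1" "$1"
}

# Apply only on explicit request (needs root): ./fw.sh --apply
if [ "${1:-}" = "--apply" ]; then
  gen_fw_rules | iptables-restore
fi
```

Review the printed ruleset first; `isolate_host 192.168.2.25 | iptables-restore -n` adds the cut-off rules without flushing the rest.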