Date: Fri, 15 Oct 1999 13:13:25 +0100
From: "Joe Pepin" <joe_pepin@ins.com>
To: <wwoods@cybcon.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: RE: Need help in reccomending FreeBSD....
Message-ID: <NDBBJMHAKKLLMBFNMKDDAEEFCHAA.joe_pepin@ins.com>
In-Reply-To: <Pine.LNX.4.10.9910150935530.2145-100000@maximillion.sscsinc.com>
An approach I have used goes something like this. (First, validate their opinions.) NT is a great OS for end users; it certainly provides enough security (etc.) for our end-users' requirements. However, this firewall application is not part of user-space at all, and all of the extras that we pay for with NT (such as the GUI and all of the built-in web browser stuff) really go to waste on a network appliance such as a firewall.

With an NT solution we need a monitor and mouse and keyboard and access to the console for any maintenance. With a FBSD solution, we would be able to easily strip out any unneeded components, saving memory and such, meaning we have to buy less of a machine, and we can boot it off of a dumb terminal. Who needs a VGA monitor for a firewall? Also, the ability to securely administer the box remotely is a big plus. With only ssh running on it, we can safely admin it from anywhere, in the middle of the night. If we ever decide to move the box to a colo then we'd be all set.

Sure, Unix isn't as friendly as NT and whatnot, but like I said, this isn't user-space. A well set up BSD firewall will require far less in terms of security patching, and we have much better accountability for what is actually running and what isn't. (Maybe a veiled mention of the NSA key, and a hint at how that type of thing is impossible in BSD.) NT is designed as a multi-purpose OS. Unix easily allows us to tune our box into a specialized firewall-only piece of equipment, without the overhead of 'Active Desktop'.

Point out that a Stable Release of FBSD need not ever be upgraded (beyond occasional patching), and that there are plenty of production 2.X machines out there, because there's no need to fix what isn't broken.

And when the 'support' issue comes up: That may have been the case as little as a year ago, but I can assure you that now, today, we would have no problem finding someone with Unix expertise that would be HAPPY to run this should I get hit by a truck.
And security consulting firms have a great deal of experience in dealing with FBSD, OBSD and BSDi boxen.

Now, if you actually BRING the box: Do a ps ax, and say, there, that is EVERYTHING this box is doing. Every little thing. And tell him what each of those programs is. Ask someone to do the same with NT. They can get Task Manager, but not even an MCSE knows what all of those executables are doing.

Demonstrate upping an interface, downing it, changing its address and upping it again. Do it a few times. Show them how easy it is, and how it doesn't crash. Throw five NICs in the box and boot it, show them what it means to live without IRQ conflicts.

Additionally, point out that with Tripwire, Snort and Swatch you can have very effective and FREE intrusion detection. An EXPENSIVE option in the NT world. Show them the output of nmap -sT -sU -f -O on an NT box and an FBSD box.

There. HTH

And, yes, some of this is a little on the BS side, but that's the way to play the game.

/ASBESTOS SUIT ON
I want to take a small line to say that you might want to consider OpenBSD for this, IPF is nicer IMHO, and OBSD has a working IPSEC implementation which could possibly be a big selling point.
/ASBESTOS SUIT OFF

Sincerely,
Joe Pepin

~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
Joe Pepin
Network Systems Engineer
Security Practice
Lucent Technologies NetCare Professional Services
http://www.lucent.com/NetCare
The views/opinions expressed above are not necessarily those of my employer, but they probably should be.
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=

> At 2:30PM (West Coast Time) I am going to a meeting at work with the Head of Computer Security, 2 NT Admins and two people in charge of the project I am working on. I am wanting to propose that, instead of using a Microsoft Firewall solution, we use a FreeBSD box as a firewall solution. This is not for mission critical info, so I feel I have a good chance of getting this.
> I also have lined up the 2nd in charge of our *nix dept to help me set up and maintain (I can do it, but it always looks better to have a "higher up" to validate you) the firewalls.
>
> What I would like from the list is some REAL WORLD valid reason why FreeBSD should be used over a MS firewall solution.
>
> We are a MS shop, no doubt about that, so this will be an uphill battle, but I believe that with the right info, I can get FreeBSD as the firewall. Aside from the fact that FreeBSD will cost less to set up, will allow us to use that old P100 we have put on the shelf and will cost less to maintain.....can you people supply me with some more valid reasons to go with FreeBSD over MS?
>
> And, yes, I know ftp.cdrom.com and yahoo.com all use FreeBSD, as well as MS Hotmail service, but I am looking for some corporate types out there who had to convince their bosses that FreeBSD was a better choice to help me on this.
>
> Thanks,
>
> Bill
>
> William
> ***************************************************************************
> It's time for E*TRADE (SM)
> Get your free @etrademail.com address at http://www.etrade.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
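The "do a ps ax, that is EVERYTHING this box is doing" argument above can be turned into a repeatable check: keep an allowlist of the daemons a stripped-down firewall is supposed to run and flag anything else that shows up in the process table. The script below is an added example, not part of the original mail or of FreeBSD; the allowlist, the sample `ps ax` output (including the stray ftpd) and the hypothetical host are constructed for illustration, and the allowed names should be replaced with whatever the real box is meant to run.

```shell
#!/bin/sh
# Added example (not from the original mail): account for every process
# on a firewall box by diffing `ps ax` output against an allowlist of
# expected daemons. Allowlist and sample output are constructed.

# Expected command names (basename of the executable, no arguments).
# init, syslogd, sshd, the IPFilter logger ipmon and a console getty are
# roughly what a minimal firewall needs; a shell and ps will show up
# whenever an admin is logged in running the check by hand.
ALLOWED="init syslogd sshd ipmon getty sh ps"

# Constructed `ps ax` output from a hypothetical firewall, with one
# daemon (an FTP server) that has no business being there.
SAMPLE_PS='  PID  TT  STAT      TIME COMMAND
    1  ??  ILs    0:00.05 /sbin/init --
   89  ??  Ss     0:00.31 /usr/sbin/syslogd -s
  132  ??  Is     0:00.12 /usr/sbin/sshd
  140  ??  Ss     0:00.02 /sbin/ipmon -Ds
  211  ??  Is     0:00.01 /usr/libexec/ftpd -D
  215  v0  Is+    0:00.00 /usr/libexec/getty Pc ttyv0
  301  p0  Ss     0:00.04 -sh (sh)
  310  p0  R+     0:00.00 ps ax'

# Read `ps ax` output on stdin; print each command name that is not on
# the allowlist, one per line. Usage: ps ax | unexpected_procs "$ALLOWED"
unexpected_procs() {
    allowed="$1"
    # Skip the header line, take the COMMAND column, drop the directory
    # part and the leading '-' that marks a login shell ("-sh").
    tail -n +2 | awk '{print $5}' | sed -e 's#.*/##' -e 's/^-//' |
    sort -u | while read -r cmd; do
        case " $allowed " in
            *" $cmd "*) ;;          # expected on this box
            *) echo "$cmd" ;;       # not in the allowlist: explain or kill it
        esac
    done
}

# Run the check over the constructed sample. Returns 0 when everything is
# accounted for, 1 otherwise, so it can be wired into cron or a pager.
check_sample() {
    extra=$(printf '%s\n' "$SAMPLE_PS" | unexpected_procs "$ALLOWED")
    if [ -n "$extra" ]; then
        echo "Unexpected processes on firewall:" >&2
        echo "$extra" >&2
        return 1
    fi
    return 0
}

# On the live box, pipe the real process table in instead of the sample:
#   ps ax | unexpected_procs "$ALLOWED"
```

Matching on the command basename keeps the allowlist short and stable across reboots, but it also means a renamed binary would slip past it; that is why the mail pairs this kind of inventory with Tripwire, which checks the files on disk rather than the names in the process table.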