[68812] in North American Network Operators' Group


Re: Firewall opinions wanted please

daemon@ATHENA.MIT.EDU (Rachael Treu)
Wed Mar 17 11:43:55 2004

Date: Wed, 17 Mar 2004 11:24:12 -0600
From: Rachael Treu <rara@navigo.com>
To: Gregory Taylor <greg@xwb.com>
Cc: nanog@merit.edu
In-Reply-To: <200403161701.AA62980310@xwb.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, Mar 16, 2004 at 05:01:22PM -0600, Gregory Taylor said something to the effect of:
..snip snip.. 
> As discussed in a previous thread, I spoke about transparent bridging used for packet filtering and mangling.  On a small application, that might be a good idea, because you get all of the true internet access (i.e. legit IPs, no proxying etc.) with the same ability to filter TCP, ICMP, UDP, IGMP etc. traffic.
> 
> Disadvantages to dealing with transparent bridging is that you run into the whole MAC address collision and excess over-head announcements being made from the bridge itself every time it sends a packet through.
> 
> The best option I guess is to figure out how important it is for you to have a firewall, 

_Everyone_ (network connected) should have a firewall.  My grandma should 
have a firewall.  Nicole, holding dominion over this business network and 
its critical infrastructure, should _definitely_ have a firewall.  ;)

Curses.  Budget constraints.  Bah.

>what is the reason you need one and how important the data is on your servers.  That will help you decide the best choice for a firewall or proxy application.

See above.  ;)

The importance of the data is often more an issue of calculating things 
like redundancy and storage.  A firewall in this case should likely be 
regarded as non-negotiable.

Be careful with transparent bridging in lieu of stricter edge filtering...
Also consider the efficacy and reward of firewall logs, application layer
filtering, and IDS integration (in a budget-friendly, open source flavor
of free...) down the road.

ymmv,
--ra

-- 
k. rachael treu, CISSP       rara@navigo.com
..quis custodiet ipsos custodes?..

> 
> Greg
> 
> ---------- Original Message ----------------------------------
> From: Nicole <nmh@daemontech.com>
> Date:  Tue, 16 Mar 2004 14:27:16 -0800 (PST)
> 
> >
> >
> >
> > Hi
> > I am looking for a good but reasonably priced firewall for a 40 or so server
> > site. Some people swear by Pix, others swear at it a lot. Also I have heard
> > good things about Netscreen. Or any others you would recommend for protecting
> > servers on a busy network. Don't really need anything with VPN just the
> > standard http, ftp, ssh, https, type traffic up to 100mb throughput.
> > From what I have heard a proxy firewall would be best? 
> >
> > 
> >
> > Thanks in advance!!
> >
> >
> >  Nicole
> >
> >
> >
> >
> >
> >--
> >                     |\ __ /|   (`\            
> >                     | o_o  |__  ) )           
> >                    //      \\                 
> >  -  nmh@daemontech.com  -  Powered by FreeBSD  -
> >------------------------------------------------------
> > " Daemons" will now be known as "spiritual guides"
> >         -Politically Correct UNIX Page
> >
> >
> >
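As an added illustration of the "efficacy and reward of firewall logs" Rachael raises, here is a small Python script that summarises firewall deny lines (who is being blocked, on which ports) and flags a source that probes many distinct ports in a short window, the kind of signal a budget-friendly IDS integration would consume. This is example code, not from any poster in the thread and not from any of the products named; the log lines are constructed with RFC 5737 test addresses and only loosely modelled on ipfw's deny-line shape, so the regex, the year, and the threshold of five ports in sixty seconds are all assumptions.

```python
"""Summarise firewall deny logs: who is being blocked, on which ports, and
which sources probe many ports quickly.  Added example; the log lines are
constructed (RFC 5737 test addresses) and only loosely modelled on ipfw's
deny-line shape, so the regex below is an assumption about the format."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed line shape (constructed for this example):
#   Mon DD HH:MM:SS host kernel: ipfw: RULE Deny PROTO SRC:SPORT DST:DPORT in via IFACE
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>Deny|Accept) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Constructed sample: one source sweeping six ports, one UDP/137 prober,
# one single SSH knock, and one ICMP line the parser deliberately skips.
SAMPLE_LOG = """\
Mar 17 11:24:01 gw kernel: ipfw: 500 Deny TCP 203.0.113.7:40122 192.0.2.10:22 in via fxp0
Mar 17 11:24:02 gw kernel: ipfw: 500 Deny TCP 203.0.113.7:40123 192.0.2.10:23 in via fxp0
Mar 17 11:24:02 gw kernel: ipfw: 500 Deny TCP 203.0.113.7:40124 192.0.2.10:25 in via fxp0
Mar 17 11:24:03 gw kernel: ipfw: 500 Deny TCP 203.0.113.7:40125 192.0.2.10:80 in via fxp0
Mar 17 11:24:03 gw kernel: ipfw: 500 Deny TCP 203.0.113.7:40126 192.0.2.10:110 in via fxp0
Mar 17 11:24:04 gw kernel: ipfw: 500 Deny TCP 203.0.113.7:40127 192.0.2.10:143 in via fxp0
Mar 17 11:24:10 gw kernel: ipfw: 500 Deny UDP 198.51.100.9:1027 192.0.2.10:137 in via fxp0
Mar 17 11:24:11 gw kernel: ipfw: 500 Deny UDP 198.51.100.9:1027 192.0.2.11:137 in via fxp0
Mar 17 11:24:15 gw kernel: ipfw: 500 Deny TCP 198.51.100.23:51000 192.0.2.10:22 in via fxp0
Mar 17 11:24:16 gw kernel: ipfw: 500 Deny ICMP:8.0 198.51.100.40 192.0.2.10 in via fxp0
"""


def parse_line(line, year=2004):
    """Return a dict for a TCP/UDP deny/accept line, or None if the line does
    not match (e.g. an ICMP entry without ports, which this example skips)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; the caller supplies one (assumed 2004).
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines, scan_ports=5, window_seconds=60):
    """Aggregate deny lines: top blocked sources, top targeted ports, and
    sources that hit at least `scan_ports` distinct destination ports within
    `window_seconds` (a crude port-sweep indicator; thresholds are assumed)."""
    parsed = [parse_line(l) for l in lines if l.strip()]
    unparsed = parsed.count(None)
    denies = [p for p in parsed if p and p["action"] == "Deny"]

    by_src = Counter(p["src"] for p in denies)
    by_dport = Counter((p["proto"], p["dport"]) for p in denies)

    # Sliding window over each source's (timestamp, dport) events.
    events = defaultdict(list)
    for p in denies:
        events[p["src"]].append((p["ts"], p["dport"]))
    suspects = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ports = {port for ts, port in evs[i:]
                     if (ts - start).total_seconds() <= window_seconds}
            if len(ports) >= scan_ports:
                suspects[src] = len(ports)
                break

    return {
        "denied": len(denies),
        "unparsed": unparsed,
        "top_sources": by_src.most_common(3),
        "top_ports": by_dport.most_common(3),
        "sweep_suspects": suspects,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the unparsed count is worth watching: a format change after an upgrade silently blinds a script like this, so a non-zero count should itself raise a flag rather than be ignored.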
