Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls

dre andre at operations.net
Fri Jan 17 00:07:18 UTC 2003


On Thu, Jan 16, 2003 at 03:17:44PM -0800, Josh Brooks wrote:
> 
> I am looking for comments and suggestions regarding the merits of
> purpose-built, appliance style firewalls (like a netscreen or Cisco
> PIX) vs. running ipfw on a commodity server running FreeBSD.

There is really no benefit to purchasing a vendor-built firewall
when the real problem is protecting the servers' tcp/ip stacks and
the applications above them, as well as all the infrastructure in
between (routers, switches, whatever).

Do yourself a favor and spend half as much as you would on firewalls
and invest in a packet capture infrastructure to identify exactly
what types of attacks you are getting.

I believe the beta version of ipfilter allows you to specify bpf
logic to block packets.  So just configure up each *BSD host with
bpf-enabled ipf filters that block the traffic you earlier identified
with your packet capture infrastructure (and if you are using
libpcap based tools, you are probably already using bpf to match
on packets).

For legitimate attacks, I suggest buying more bandwidth and scaling
your infrastructure appropriately.  It also helps to report your
findings to others, especially the network and security communities,
the places of attack origin (even when spread out), and the transit
networks involved in passing along the attacks (especially your
upstreams).

It's also considered nice to block outgoing packets which match
the attacks you've seen, even if you believe your infrastructure
to be impenetrable.

However, if done right or wrong, any vendor-based or commodity *BSD
solution can be less or more powerful than any other solution.

dre
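The capture-then-block workflow the post describes, as an added example that is not code from the post or from ipfilter/ipfw themselves: constructed tcpdump-style lines are aggregated per destination port, and each pattern above a threshold yields the BPF expression to re-verify it with tcpdump plus candidate ipf and ipfw host rules, inbound and the matching outbound block. The addresses, the interface name fxp0 and the threshold are assumptions, and the rules use the standard ipf/ipfw text grammar rather than the bpf-in-ipf feature the post mentions.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of "tcpdump -n -q" output (not a real
# capture).  198.51.100.5 plays the role of the host being protected.
SAMPLE_CAPTURE = [
    "00:00:01.000001 IP 192.0.2.10.40001 > 198.51.100.5.135: tcp 0",
    "00:00:01.000201 IP 192.0.2.11.40002 > 198.51.100.5.135: tcp 0",
    "00:00:01.000401 IP 192.0.2.12.40003 > 198.51.100.5.135: tcp 0",
    "00:00:01.000601 IP 192.0.2.13.40004 > 198.51.100.5.135: tcp 0",
    "00:00:01.000801 IP 192.0.2.20.40005 > 198.51.100.5.80: tcp 0",
    "00:00:01.001001 IP 192.0.2.14.1434 > 198.51.100.5.1434: UDP, length 376",
    "00:00:01.001201 IP 192.0.2.15.1434 > 198.51.100.5.1434: UDP, length 376",
    "00:00:01.001401 IP 192.0.2.16.1434 > 198.51.100.5.1434: UDP, length 376",
]

LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>[A-Za-z]+)")

def summarize(lines, local_host):
    """Count (proto, dport) pairs aimed at local_host and the distinct sources."""
    hits, sources = Counter(), {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("dst") != local_host:
            continue
        key = (m.group("proto").lower(), int(m.group("dport")))
        hits[key] += 1
        sources.setdefault(key, set()).add(m.group("src"))
    return hits, sources

def suggest_rules(lines, local_host, iface, min_hits=3):
    """For each pattern seen at least min_hits times, return the BPF filter that
    re-verifies it with tcpdump plus candidate ipf and ipfw rules for review."""
    hits, sources = summarize(lines, local_host)
    out = []
    for (proto, port), n in sorted(hits.items()):
        if n < min_hits:
            continue
        out.append({
            "proto": proto, "port": port, "hits": n,
            "sources": len(sources[(proto, port)]),
            "bpf": f"{proto} and dst host {local_host} and dst port {port}",
            # inbound block on the host, plus the matching outbound block
            "ipf": [f"block in log quick on {iface} proto {proto} from any to {local_host} port = {port}",
                    f"block out log quick on {iface} proto {proto} from any to any port = {port}"],
            "ipfw": [f"ipfw add deny log {proto} from any to {local_host} {port} in via {iface}",
                     f"ipfw add deny log {proto} from any to any {port} out via {iface}"],
        })
    return out
```

Feed it real `tcpdump -n -q` output and treat the result as a review list, not a rule set to load blindly; the lone SYN to port 80 stays below the threshold and is ignored.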
