For this project, something like a 'datacenter in a box', the budget is $0.
pfSense is one of the front-runners for the moment.

A

On 5/31/13 5:19 PM, Matt Finnigan wrote:
> On Fri, May 31, 2013 at 5:11 PM, Edward Ned Harvey (bblisa4)
> <[email protected]> wrote:
>
> > Be aware, that for a security device, you're not supposed to run it
> > as a VM, just because you might be vulnerable to hypervisor attacks
> > and so forth. But as long as you take that into consideration - I
> > do it myself.
>
> (Sorry, Ned, meant to reply on-list, but just replied to you.)
>
> That's not a very compelling argument. I've been at firms that deployed
> VM-based security devices and passed audits. Plenty of vendors have
> OVA/OVF versions of their appliances. You have to secure your hypervisor
> layer, just like you have to secure the physical environment for
> physical hardware devices.
>
> Aaron - not knowing your budget, it's tough to make recommendations. At
> my last place, we used these:
> http://www.juniper.net/us/en/products-services/security/vgw-series/
> But that's just a firewall, AFAIK - it doesn't also handle remote
> access/VPN.
>
>
> On Fri, May 31, 2013 at 5:11 PM, Edward Ned Harvey (bblisa4)
> <[email protected]> wrote:
>
> > > From: [email protected]
> > > [mailto:[email protected]] On Behalf Of Aaron Macks
> > >
> > > I'm going to be setting up a small stand-alone virtual environment
> > > soon. My instinct is to make a VM based on iptables and ipmasq to act
> > > as a gateway/firewall for the rest of the VMs, but it occurs to me
> > > that there may now be better virtual firewalls out there. Note that it
> > > doesn't have to be a virtual appliance that just gets uploaded and
> > > booted, something installable is fine, but I want something more
> > > specialized than plain Linux. Does anyone have any suggestions?
> >
> > Be aware, that for a security device, you're not supposed to run it
> > as a VM, just because you might be vulnerable to hypervisor attacks
> > and so forth. But as long as you take that into consideration - I
> > do it myself.
> >
> > I recommend and use pfSense. (There are others out there, such as
> > monowall, which I think pfSense is based on, but I prefer pfSense
> > over monowall.)
> >
> > > Required features: VPN (IPSEC ideally, SSL-based acceptable, PPTP not
> > > acceptable), port forwarding, NAT, other normal firewall stuff
> >
> > For site-to-site, the IPSec is present, and ideal. For mobile
> > connectivity, IPsec can be used ... but it's not ideal due to
> > complexity of configuring clients, and difficulty finding good
> > clients. For mobile connectivity, I would say look at openvpn
> > instead of (or in addition to) the ipsec mobile VPN solution. It's SSL
> > based. In pfSense, you can install the openvpn plugin (I forget
> > what it's called exactly, but if you just look under the installable
> > modules page, you should find it easily.) Then with a few clicks on
> > the web interface, you create your CA, you create some users, create
> > certs for those users, and download the per-user config files and
> > cert files needed by the openvpn client or tunnelblick.
> >
> > _______________________________________________
> > bblisa mailing list
> > [email protected]
> > http://www.bblisa.org/mailman/listinfo/bblisa
>

-- 
_______________________________________________________
Aaron Macks ([email protected]) [http://www.wiglaf.org/~aaronm ]
My sheep has seven gall bladders, that makes me the King of the Universe!
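Editor's note, added to this archived thread and not part of anyone's post: the original question mentions rolling a gateway VM from iptables and ipmasq with the feature list of NAT, port forwarding and VPN (IPsec or SSL). The script below is an added example of what that minimal gateway looks like as an iptables ruleset, so the "plain Linux" option can be compared with pfSense on equal terms. Interface names (eth0 on the outside, eth1 towards the other VMs), the 10.10.0.0/24 VM network, the 10.10.0.20 web VM and the forwarded port 443 are all assumptions for illustration; the UDP 500/4500 plus ESP rules are the standard ports an IPsec responder needs (IKE and NAT-T), and 1194/udp is OpenVPN's default. Setting IPT=echo prints the rules instead of loading them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example: default-deny gateway/NAT firewall for a VM network.
# All names and addresses below are assumptions, not taken from the thread.
WAN=${WAN:-eth0}                 # interface facing the outside / host bridge
LAN=${LAN:-eth1}                 # interface facing the other VMs
LAN_NET=${LAN_NET:-10.10.0.0/24} # the VM network behind this gateway
WEB_VM=${WEB_VM:-10.10.0.20}     # VM that receives the forwarded port
FWD_PORT=${FWD_PORT:-443}        # port forwarded from WAN to WEB_VM
VPN_UDP=${VPN_UDP:-1194}         # OpenVPN listening port (its default)
# IPT=echo turns every rule into printed text: a dry run that needs no root.
IPT=${IPT:-iptables}

gateway_rules() {
    # Start from a clean slate.
    $IPT -F; $IPT -t nat -F; $IPT -X
    # Default deny: nothing enters or transits unless a rule below allows it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Anti-spoofing: packets arriving on WAN must not claim a LAN source.
    $IPT -A INPUT   -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # Loopback, and replies to connections conntrack already knows about.
    $IPT -A INPUT   -i lo -j ACCEPT
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Services the firewall itself offers: SSH from the LAN side only,
    # VPN endpoints on the WAN side (OpenVPN, then IKE/NAT-T and ESP for IPsec).
    $IPT -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp --dport "$VPN_UDP" -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p esp -j ACCEPT
    # LAN VMs may reach the outside, hidden behind the WAN address (ipmasq-style NAT).
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Port forward WAN:FWD_PORT -> WEB_VM:FWD_PORT. The DNAT alone is not enough:
    # with a DROP policy, FORWARD must also accept the rewritten packet.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$WEB_VM:$FWD_PORT"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_VM" --dport "$FWD_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Print the ruleset instead of loading it.
dry_run() {
    ( IPT=echo; gateway_rules )
}

# Audit helper: how many FORWARD rules accept traffic that enters on WAN?
# Anything beyond the intended port forward is unexpected exposure.
count_wan_forwards() {
    dry_run | grep -c -- "-A FORWARD -i $WAN .*-j ACCEPT" || true
}

# Only touch the kernel when explicitly asked: ./gateway.sh apply
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gateway_rules
fi
```

Run it without arguments (or with IPT=echo) to read the rules; run `sh gateway.sh apply` as root on the gateway VM to load them. The ESTABLISHED,RELATED rules are what let return traffic through a DROP policy, and the separate FORWARD accept for the DNAT target is the piece most often forgotten when a port forward "doesn't work".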
