wow, that's quite a bit. Thanks for the comprehensive reply. Indeed I will take a look at those books that you recommended. The problem is that I'm a college student living on financial aid, so I don't really have money to buy it, but I will try to find it in the library.

I talked to my client again today, and told him that pfSense would be the best bet. I did actually look at a commercial solution (more than one, really), something from D-Link, and I told him the price: $6999. He proposed that he just buy 4 firewall/routers (like the little Netgear things) and hook them up. He claimed it would be cheaper for him because, at about $50 apiece, it would only set him back $200. I guess he figured that an integrated box (like a WRAP or one of the more powerful ones, most likely) would cost more than that. I haven't verified, so don't hold me to supporting that. Like I said before, it sounds simple, inelegant, and wasteful.

As for preventing viruses from spreading by separating everything:

> The problems don't arise from the things you block, but from what you
> let through.

Indeed, truer words have not been spoken. I think, though, what he is more worried about is damage control. Like compartmentalizing a ship, if one part floods, they can close off that section to keep the whole boat from sinking. So if his kids accidentally get a worm (they're only about 3 years younger than me, and very computer literate) it doesn't ruin his business. Besides, email is more of a threat on the business side than the kids' side. Though, I guess VLANs would be affected by the high levels of traffic.

Well, anyways. Thanks very much for your help. I think I'll try to read those books before I continue on this. I've plenty of other things to work on that I am better at for the time being. His firewall solution for now does its job.

Anthony

----- Original Message -----
From: "Rainer Duffner" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, February 01, 2006 4:03 PM
Subject: Re: [pfSense-discussion] Clients... ugh

> DarkFoon wrote:
>
> > Hmm. You have talked a little over my head... (I do not know what dot1q
> > trunking is, and I have a vague memory of what layer 2 is... *eep*)
> > Anyways
> >
> > > an individual broadcast domain per segment. Maybe
> > > that is what he wants and/or I'm overlooking something.
> >
> > I don't think my client would know what that means. (I only have a vague
> > understanding)
> > Networking isn't my strongest point. So, I'm learning a whole lot right now.
>
> That process never stops in this business.
>
> > From what I've looked at, it would seem that a pfSense box best suits my
> > client. I haven't looked at prices for the commercial solutions, but it
> > would appear that even some of the lower-end ones lack some features I need,
> > and are rather pricey.
>
> If firewalls with VLAN-capabilities could be had at WalMart, Netscreen
> wouldn't charge the equivalent of a small house for their top-end gear.
> You will also find it next to impossible to find an online-pricelist
> for, say, Checkpoint's Firewall One.
> (It's also doubtful you would be able to grasp its complexity, I'm told...)
>
> > But I'd like to understand one thing first, on the firewall page under
> > pfSense, can I assign different rules for each interface?
>
> Yep.
> Even the most humble
> "Joey-designed-a-linux-firewall-gui"-freshmeat-of-the-week project can
> do this ;-)
> You should check out freshmeat - there must be hundreds of mostly
> one-shot attempts at creating a GUI for the Linux-firewalling-commands
> (which change every release) and none of them can match or even come
> close to pfSense.
>
> > See, allow me to explain why my client wants the separate ports. His office
> > network will soon have a domain server with the roaming profiles
> > bells-and-whistles and he wants that to not affect any other computers on
> > the network (I don't think it will).
> > But more importantly, he wants his
> > business network separate from his kids' network (that's my nickname for it)
> > in case one of them contracts the Windows XP "Worm of the Week" and it
> > starts spewing infected packets all over the network (like Sasser, if I
> > understood that one correctly) and infects/crashes his business portion. At
> > least the last part makes sense to me. (I personally use Windows ME, so I
> > avoid all those things by obscurity.)
>
> Good idea - pfSense can do that easily.
> But you need a switch that can do VLANs, too.
> (Nowadays, even the cheap Netgears can do it, you don't have to buy an
> expensive "core"-switch for that anymore.)
> But firewalls don't protect from stupid users. Or only to a degree.
> If a worm is well spread within a network, it can quickly overwhelm the
> firewall by creating hundreds of thousands of connections to the internet.
> SQL-Slammer even brought down switches and whole ISPs.
> Also, if the worm spreads via email (which you are probably going to
> let through), the firewall is not going to help much.
>
> The problems don't arise from the things you block, but from what you
> let through.
>
> > And one final curious tangent, does pfSense support tar pits? That idea has
> > intrigued me since I first heard about it. Last time I checked, though, the
> > maintainers said that somebody was free to write a plugin for it. I have no
> > programming knowledge (yet).
>
> You can limit connections per second.
> But IMO, this function is best left to a real mailserver.
>
> > For clarification I'll explain basically what my client's network
> > topography will look like (or what he wants it to look like)
> >
> >                                      ___OFFICE NETWORK
> >                                     |
> > WAN -->(modem)--->(firewall/router)=|___(Forum Webserver/VPN login server)*
> >                                     |
> >                                     |___KIDS NETWORK
> >
> > * perhaps I should separate these two things onto their own machines and own
> > separate interfaces.
>
> See, I'd really advise you to read some books on the subject of
> firewall-design
> Like the one from O'Reilly:
> http://www.oreilly.com/catalog/fire2
>
> (other books from http://security.oreilly.com/ are also useful)
>
> The wikipedia-page on this subject:
> http://en.wikipedia.org/wiki/Firewall_%28networking%29
>
> is really only a glimpse at the situation.
>
> > Each fork I've shown (I bet that diagram doesn't even show up properly on
> > anyone's email client but mine) should be "separate" from the others to
> > prevent a virus/worm spreading from one to another (or a hacker? as my
> > client fears). It sounds like I'd have to separate them by using vlans.
>
> Yes. But then, the transfer-speed between the segments is limited by the
> firewall-backplane-speed.
> If you've got a WRAP, it's 20 Mbit.
> If it's a full-blown PC, it's between 100Mbits and GBit.
>
> > The
> > only way I could think of doing it physically is by using a firewall for
> > each fork, and having one plain router splitting the connection amongst
> > them (this sounds cumbersome, stupid, and spendy)
>
> Yup.
> Or a firewall with many interfaces.
> Or VLANs.
> Again, there is a lot of consideration involved in all these "details"
> Usually, unless the webserver needs data from an internal source, I'd
> move it to a colo or use shared-hosting @ some ISP - it's usually not
> worth the effort to host it yourself....
> LAN is only LAN, services that need access from both inside and outside
> are better moved to the DMZ (or use some sort of proxy-solution in the
> DMZ...)
>
> > One last thing, do the barebones appliances have gigabit ethernet? Or is
> > that feature usually rare?
>
> That depends entirely on the amount of money you are prepared to spend.
>
> cheers,
> Rainer
>
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.375 / Virus Database: 267.15.0/248 - Release Date: 2/1/2006
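The design Rainer sketches in the quoted reply (one firewall, a VLAN per segment so the office, the kids and the forum webserver each get their own interface and their own rules, a connection-rate limit in place of a tar pit, and the public server kept in a DMZ) written out as a pf ruleset. This is an example added here for illustration, not code from the thread or from the pfSense project; pfSense generates its pf rules from the GUI rather than from a hand-written pf.conf. The interface names (em0, vlan10/20/30), VLAN IDs, addresses and the rate-limit numbers are assumptions chosen for the example; NAT and port forwarding for the webserver are left out.

```pf
# Example pf.conf for the three-segment layout discussed in the thread.
# All names, addresses and numbers below are assumptions for the example.

ext_if     = "em0"      # WAN side, plugged into the modem
office_if  = "vlan10"   # office segment, tagged VLAN 10 on the LAN trunk
kids_if    = "vlan20"   # kids segment, tagged VLAN 20 on the LAN trunk
dmz_if     = "vlan30"   # DMZ holding the forum webserver
office_net = "192.168.10.0/24"
kids_net   = "192.168.20.0/24"
dmz_net    = "192.168.30.0/24"
webserver  = "192.168.30.10"

# Every address behind the firewall; used to say "anything but inside".
table <internal> const { 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 }

# Hosts that open connections faster than allowed land here and are cut off.
# This is the "limit connections per second" feature, not a real tar pit.
table <flooders> persist

set skip on lo0
scrub in all

# Default deny on every interface: each segment only gets what is listed below.
block log all

# A host already flagged as a flooder gets nothing, on any interface.
block quick from <flooders>

# Office: Internet and DMZ are reachable, the kids segment is not.
pass in on $office_if from $office_net to !$kids_net keep state

# Kids: Internet only. A worm here can scan all it wants; the office and
# DMZ addresses are not passed from this interface.
pass in on $kids_if from $kids_net to !<internal> keep state

# Both inside segments may use the forum webserver over HTTP/HTTPS.
pass in on { $office_if $kids_if } proto tcp from any to $webserver \
    port { 80 443 } flags S/SA keep state

# DMZ: the webserver may fetch from the Internet but never talk inward,
# so a compromised server cannot reach the office or the kids.
pass in on $dmz_if from $dmz_net to !<internal> keep state

# Public side of the webserver: 80/443 from anywhere, but a source that
# opens more than 30 new connections in 10 seconds is moved to <flooders>
# and its existing states on this rule are flushed.
pass in on $ext_if proto tcp from any to $webserver port { 80 443 } \
    flags S/SA keep state (max-src-conn-rate 30/10, overload <flooders> flush)

# Mail is what the firewall is going to let through anyway; this catches a
# mass-mailing worm by its behaviour rather than its payload: more than 5
# outbound SMTP connections per minute from one inside host marks it a
# flooder and flushes all of its states ("flush global").
pass in on { $office_if $kids_if } proto tcp from any to any port 25 \
    flags S/SA keep state (max-src-conn-rate 5/60, overload <flooders> flush global)
```

The rules rely on pf's last-matching-rule-wins ordering: the broad per-segment pass rules come first and the narrower SMTP rule after them, so SMTP from the office or the kids is still allowed but picks up the rate limit. The `<flooders>` table is the detection point; `pfctl -t flooders -T show` lists what has been caught, and `pfctl -t flooders -T flush` releases a machine once it has been cleaned. As Rainer notes, the rate limit is a blunt tool and a real mail server is the better place to police outgoing mail.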
