IMO you can do a pretty darn good job for a small network with just careful
(non-stateful) packet filtering, NAT, and a little care in the services you
train the users to use.

However...
According to Rusty, the ipchains guy:

"ftp://ftp.interlinx.bc.ca/pub/spf is the site of Brian Murrell's SPF
project, which does connection tracking in userspace. It adds significant
security for low-bandwidth sites."

This may work for you. I haven't looked at it at all, though.

I have actually been wondering if there was an SPF solution in freeware.
Thanks for giving me an excuse to find out. 8) Anyone know if there's a "cut
through proxy"? [1]

And of course as someone pointed out, you can go more secure again and use
FWTK to get a full application proxy.

The argument for commercial and non-commercial is usually won and lost on
support and accountability. 

Does this site care if you (or whoever sets up the freeware firewall) get
hit by a bus and can't fix their firewall any more?

Do they care if they have a support issue, and their consultant can't solve
the problem? Where do they escalate it to? The Internet? Faaaaaaantastic.

Do they insist that the solution they implement be "commercially tested",
which is evidence of its general goodness?

Of course, I am taking no sides on this issue - and I (personally) don't
think that "commercial testing" is proof of anything except good desktop
publishers. Flame elsewhere.

Cheers,

[1] My understanding of this term is: When a packet arrives that is about to
start a new "connection", it is looked at in detail, a bit like an
application proxy. However, once the packet is marked OK, the rest of the
connection gets written into some state thingy and further packets for this
connection are just passed through (basically) an SPF. Very fast. As I
understand it, 'normal' Stateful Packet Filters don't necessarily do this
unless they need to in terms of opening and closing ports. Then again I
could be wrong.
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 

> -----Original Message-----
> From: Mike [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 15 September 1999 12:57 AM
> To: [EMAIL PROTECTED]
> Subject: Commercial Firewall or not
> 
> 
> I got a client that has a 30 machine network. Nothing big, but they want a
> firewall. I personally am thinking of putting up a FreeBSD box with ipfw.
> They of course want to be as secure as possible.  Is this enough?  What are
> the arguments of why to go with a commercial firewall? Or with a
> non-commercial one?
> 
> One argument for non-commercial is price.
> One argument for commercial is the extra features it has i.e. stateful
> inspection etc.
> 
> Any help would be very appreciated.
> 
> Mike
> eEye Digital Security Team
> www.eEye.com
> 
> Fingerprint:
> AD0F 16F9 0067 7772 EFA9  996F 9AD2 5F16 A6AF EA7C
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
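
The "cut through" behaviour described in footnote [1], sketched as an added example that is not part of the original message or of any product named in the thread. All names, the 10.0.0.0/24 range and the port policy are constructed for illustration; the model has no notion of interfaces, so it does no anti-spoofing.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/24")   # constructed internal range
ALLOWED_PORTS = {25, 80}                        # constructed outbound policy

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    fin: bool = False

def outbound_policy(p):
    """Slow path: the detailed, proxy-like look at a connection opener."""
    return ipaddress.ip_address(p.src) in INSIDE and p.dport in ALLOWED_PORTS

class CutThroughFilter:
    def __init__(self, policy):
        self.policy = policy
        self.state = set()      # flows already marked OK
        self.slow_checks = 0    # how often the detailed check ran

    @staticmethod
    def _key(p):
        # Same key for both directions of one flow.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def handle(self, p):
        key = self._key(p)
        if key in self.state:            # fast path: state lookup only
            if p.fin:
                self.state.discard(key)  # simplification: first FIN ends the flow
            return "fast-pass"
        if not p.syn:
            return "drop"                # no state and not a connection opener
        self.slow_checks += 1
        if self.policy(p):
            self.state.add(key)
            return "inspected-pass"
        return "drop"

def demo():
    fw = CutThroughFilter(outbound_policy)
    web, client = ("192.0.2.10", 80), ("10.0.0.5", 40000)
    pkts = [Packet(*client, *web, syn=True), Packet(*web, *client),
            Packet(*web, "10.0.0.9", 40001),
            Packet("192.0.2.10", 5555, "10.0.0.5", 23, syn=True),
            Packet(*client, *web, fin=True), Packet(*web, *client)]
    return [fw.handle(p) for p in pkts], fw.slow_checks
```

Only the two connection openers reach the detailed check; everything else is decided by the state lookup alone, including the late reply that arrives after the flow has been torn down.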