For the stated requirements, I'd tend to go with OpenBSD, largely  
because the features you're asking after are well-documented and  
extremely mature. I particularly appreciate the functionality in pf  
that provides a great deal of IP stack protection (e.g. fragment  
reassembly and synproxy, where the latter can also help with plugging  
covert channels via TCP SEQ/ACK IDs) in a stateful firewall. For  
high-availability, pfsync, carp and OSPF are a very nice stack on the front  
end, while there's ample functionality to provide load-balancing on  
the back end. Solaris has plenty of networking features for load  
balancing and HA, but I'd tend to think that the firewall features in  
OpenBSD are somewhat more compelling. Not sure exactly what you need  
with respect to VPNs, but there's quite a lot OpenBSD can do in that  
department. For IDS/IPS, I'm not current on all the tools in the area,  
but I'd expect much of the code to be fairly portable, with some  
weight in OpenBSD's favour, given its long-standing strength as a  
manageable and secure platform.

I'd really like to see pf and friends ported to OpenSolaris, although  
I gather that the refactoring of the IP stack away from using the old  
streams-based approach will make this a challenge (or so I've gathered  
from reading up on where the ipfilter port is headed). There's quite a  
bit of work being done in the -current release of OpenBSD in  
anticipation of the 4.7 release, so perhaps that might be the code to  
port once it's released. It would be nice to see some  
cross-pollination between the platforms (port pf to OpenSolaris, port DTrace  
to OpenBSD and maybe ZFS, although as CDDL ports, they'll never get  
into the core distribution, which is strictly BSD-licensed, which is  
much of the reason that ipfilter ended up being replaced).

On 5 Jan 2010 at 14:48, carlopmart wrote:

> Hi all,
>
> I need to deploy a new perimeter security infrastructure to  
> install the following services:
>
> - High availability and load balancing firewalls
> - VPNs
> - IDS/IPS
>
> My first choice to install this scenario is to use OpenBSD, but will  
> it be possible to do this with OpenSolaris?? The most important point is  
> high availability features ...
>
> Thanks.
>
> -- 
> CL Martinez
> carlopmart {at} gmail {d0t} com
> _______________________________________________
> opensolaris-discuss mailing list
> opensolaris-discuss at opensolaris.org