Re: Merits of purpose-built (appliance) vs. FreeBSD+ipfw firewalls
- From: dre
- Date: Thu Jan 16 19:10:35 2003
On Thu, Jan 16, 2003 at 03:17:44PM -0800, Josh Brooks wrote:
> I am looking for comments and suggestions regarding the merits of
> purpose-built, appliance style firewalls (like a netscreen or Cisco
> PIX) vs. running ipfw on a commodity server running FreeBSD.
There is really no benefit to purchasing a vendor-built firewall
when the real problem is protecting the servers' tcp/ip stacks and
the applications above them, as well as all the infrastructure in
between (routers, switches, whatever).
Do yourself a favor and spend half as much as you would on firewalls
and invest in a packet capture infrastructure to identify exactly
what types of attacks you are getting.
I believe the beta version of ipfilter allows you to specify bpf
logic to block packets. So just configure up each *BSD host with
bpf-enabled ipf filters that block the traffic you earlier identified
with your packet capture infrastructure (and if you are using
libpcap based tools, you are probably already using bpf to match
For legitimate attacks, I suggest buying more bandwidth and scaling
your infrastructure appropriately. It also helps to report your
findings to others, especially the network and security communities,
the places of attack origin (even when spread out), and the transit
networks involved in passing along the attacks (especially your
It's also considered nice to block outgoing packets which match
the attacks you've seen, even if you believe your infrastructure
to be impenetrable.
However, if done right or wrong, any vendor-based or commodity *BSD
solution can be less or more powerful than any other solution.
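The capture-then-block workflow described above (identify attack patterns from a packet capture, block them inbound on each host, and mirror the block outbound), as an added Python example that is not part of the original message. The interface name `fxp0`, the ports, the flow records and the "distinct-source count" heuristic are all constructed assumptions for illustration.

```python
"""Turn attack patterns observed in a packet capture into host-level ipfw
rules, including the mirrored outbound rule recommended in the post.

Added example, not code from the original message.  Interface name, ports
and the capture records below are constructed sample values.
"""

# Constructed flow records, in the shape a capture summary tool might emit:
# (proto, dst_port, src_ip).  Real input would come from tcpdump/libpcap.
SAMPLE_FLOWS = [
    ("udp", 3456, "192.0.2.10"),
    ("udp", 3456, "192.0.2.11"),
    ("udp", 3456, "192.0.2.12"),
    ("udp", 3456, "198.51.100.7"),
    ("tcp", 80, "203.0.113.5"),     # ordinary web traffic, below threshold
    ("tcp", 9999, "192.0.2.10"),
    ("tcp", 9999, "192.0.2.11"),
    ("tcp", 9999, "192.0.2.13"),
]


def identify_patterns(flows, min_sources=3):
    """Return (proto, dst_port) pairs seen from at least min_sources distinct
    sources.  Assumption for this example: traffic to one port from many
    unrelated sources is the signal the capture should flag for blocking."""
    sources = {}
    for proto, port, src in flows:
        sources.setdefault((proto, port), set()).add(src)
    return sorted(key for key, srcs in sources.items() if len(srcs) >= min_sources)


def ipfw_rules(patterns, iface="fxp0", start=1000):
    """Emit ipfw 'deny' rules for each pattern: one for packets inbound to this
    host, plus the mirrored outbound rule so this host cannot relay the same
    attack even if it is compromised."""
    rules, num = [], start
    for proto, port in patterns:
        rules.append(f"ipfw add {num} deny {proto} from any to me {port} in via {iface}")
        rules.append(f"ipfw add {num + 1} deny {proto} from me to any {port} out via {iface}")
        num += 10  # leave gaps so rules can be inserted between patterns later
    return rules


if __name__ == "__main__":
    for rule in ipfw_rules(identify_patterns(SAMPLE_FLOWS)):
        print(rule)
```

Pipe the output into a shell (or a rules file loaded at boot) on each host once the patterns have been reviewed by hand.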