
Re: design and built a firewall
On Wed, Jun 12, 2002 at 08:18:37PM +0100, kasole wrote:
> I would like to setup secure transaction between two locations in 2
> different cities through internet.
> 
> The data will take this route:
> 1. LAN  (city 1)
> 2. FreeBSD or Linux box (city 1)
> 3. Cisco 3600 (city 1)
> 4. Internet cloud
> 5. Cisco 2600 (city 2)
> 6. FreeBSD or Linux box (city 2)
> 7. LAN (city 2)
> 
> Questions:
> 
> . Do I have to use a special firewall device like Cisco PIX Firewall or
> can I set up a firewall using a FreeBSD box?

That depends on how high your security requirements (and your budget) are.

You _can_ build a firewall and IPSEC router using a FreeBSD box. You need to
choose between 'ipfw' and 'ipf' (personally I prefer ipf because its NAT
implementation is cleaner, and because ipf runs on a number of different
platforms). Both of these now support 'stateful' rules, that is, packets are
only allowed inbound for a particular connection if a corresponding outbound
packet has been seen previously.

However, it still needs a great deal of care and experience to produce a
ruleset which is genuinely secure.

Personally, I think you would be much better with one of the "firewall
appliance" devices now available. For example, the Netscreen 5 XP/XT is a
low-cost device which is almost certainly good enough for what you need:
http://www.netscreen.com/

I have used Netscreen 50s (faster model, 100Mbps performance) and I have
found them to be very good, including the web configuration interface which
is actually better than the command line. One box can act as both firewall
and IPSEC router.

A hardware solution like this is likely to be much more reliable than a PC -
no hard drive or fans to fail. And they are cheap enough that you can buy
one extra as a spare in case one does fail.

> . I have control of the 2 routers. What do I have to do in the router
> config?

Assuming you put your firewall behind the router, then you don't have to do
anything on the routers themselves. All they have to do is to allow the
IPSEC traffic through (normally this is ESP - protocol 50 - and UDP port
500 for ISAKMP key exchange). If you have no access lists then this will be
the case of course.

I wouldn't recommend that you try to turn the routers themselves into
firewalls. Simple access lists (packet filters) do not make good firewalls.
I believe Ciscos now have some stateful packet filtering capability, but
it's still not going to be anywhere near as good as a device which is designed to
be a firewall. Remember that Cisco IOS has a not particularly good history
of security flaws in the OS itself.

Regards,

Brian.
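As an added illustration of the two points made above (stateful 'keep state' rules, and letting only ESP and ISAKMP in unsolicited), here is a constructed ipf ruleset for the Internet-facing interface of the city-1 FreeBSD box. It is not from the thread or from any of the posters; the interface name fxp0, the public addresses 198.51.100.2 (this box) and 203.0.113.2 (the city-2 peer) and the LAN ranges are assumptions chosen from documentation address space. Rules for the decrypted tunnel traffic on the LAN side are left out because how those packets are presented to the filter depends on the IPsec implementation in use.

```text
# /etc/ipf.rules -- outside interface of the city-1 firewall/IPsec box
# Constructed example. Assumed: fxp0 faces the Internet, this box is
# 198.51.100.2, the city-2 peer is 203.0.113.2, private LANs use RFC 1918 space.

# Loopback traffic is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: packets arriving from the Internet must not carry a private
# or loopback source address. Logged so ipmon shows attempts.
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 127.0.0.0/8 to any

# The IPsec tunnel to city 2: ESP (IP protocol 50) and ISAKMP (UDP/500),
# accepted only from the known peer. These are the only unsolicited inbound
# packets this ruleset ever passes; everything else must match state.
pass in  quick on fxp0 proto esp from 203.0.113.2 to 198.51.100.2
pass out quick on fxp0 proto esp from 198.51.100.2 to 203.0.113.2
pass in  quick on fxp0 proto udp from 203.0.113.2 port = 500 to 198.51.100.2 port = 500 keep state
pass out quick on fxp0 proto udp from 198.51.100.2 port = 500 to 203.0.113.2 port = 500 keep state

# Stateful outbound access. 'keep state' records the connection when the
# outbound packet is seen; the reply is only admitted because that entry
# exists, never because of an explicit 'pass in' rule. 'flags S' ensures a
# TCP entry is created only by a genuine connection attempt (SYN).
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Default deny on the outside interface, logged, so any gap is visible
# in the ipmon log rather than silently open.
block in  log quick on fxp0 all
block out log quick on fxp0 all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and watch `ipmon` while bringing the tunnel up: the only inbound hits you should see passing are the peer's ESP and UDP/500 packets, and any other inbound packet that shows up logged on the final block rule is either a reply whose state entry has expired or something the ruleset was right to drop.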

-----
This is the afnog mailing list, managed by Majordomo 1.94.5

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org