Re: design and built a firewall
On Thu, 13 Jun 2002, Brian Candler wrote:
> On Wed, Jun 12, 2002 at 08:18:37PM +0100, kasole wrote:
> > I would like to set up secure transactions between two locations in 2
> > different cities through the internet.
> >
> > The data will take this route:
> > 1. LAN (city 1)
> > 2. FreeBSD or Linux box (city 1)
> > 3. Cisco 3600 (city 1)
> > 4. Internet cloud
> > 5. Cisco 2600 (city 2)
> > 6. FreeBSD or Linux box (city 2)
> > 7. LAN (city 2)
> >
> > Questions:
> >
> > . Do I have to use a special firewall device like Cisco PIX Firewall, or
> > can I set up a firewall using a FreeBSD box?
>
> That depends on how high your security requirements (and your budget) are.
>
> You _can_ build a firewall and IPSEC router using a FreeBSD box. You need to
> choose between 'ipfw' and 'ipf' (personally I prefer ipf because its NAT
> implementation is cleaner, and because ipf runs on a number of different
> platforms). Both of these now support 'stateful' rules, that is, packets are
> only allowed inbound for a particular connection if a corresponding outbound
> packet has been seen previously.
How can I do that using ipf on a FreeBSD box?
Didier
>
> However, it still needs a great deal of care and experience to produce a
> ruleset which is genuinely secure.
>
> Personally, I think you would be much better with one of the "firewall
> appliance" devices now available. For example, the Netscreen 5 XP/XT is a
> low-cost device which is almost certainly good enough for what you need:
> http://www.netscreen.com/
>
> I have used Netscreen 50's (faster model, 100Mbps performance) and I have
> found them to be very good, including the web configuration interface which
> is actually better than the command line. One box can act as both firewall
> and IPSEC router.
>
> A hardware solution like this is likely to be much more reliable than a PC -
> no hard drive or fans to fail. And they are cheap enough that you can buy
> one extra as a spare in case one does fail.
>
> > . I have control of the 2 routers. What do I have to do in the router
> > config?
>
> Assuming you put your firewall behind the router, then you don't have to do
> anything on the routers themselves. All they have to do is to allow the
> IPSEC traffic through (normally this is ESP - protocol 50 - and UDP port
> 500 for ISAKMP key exchange). If you have no access lists then this will be
> the case of course.
>
> I wouldn't recommend that you try to turn the routers themselves into
> firewalls. Simple access lists (packet filters) do not make good firewalls.
> I believe Ciscos now have some stateful packet filtering capability, but
> it's still not going to be anywhere as good as a device which is designed to
> be a firewall. Remember that Cisco IOS has a not particularly good history
> of security flaws in the OS itself.
>
> Regards,
>
> Brian.
>
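As an added illustration of the stateful ipf ruleset Brian describes (this is not from the thread or from any vendor; interface names fxp0/xl0, the LAN range 192.168.1.0/24 and the two public addresses 198.51.100.2 and 203.0.113.2 are constructed assumptions, and the IPsec tunnel itself is configured separately):

```ipf
# /etc/ipf.rules (constructed example). Default policy: block and log
# everything; the "quick" rules below stop evaluation on first match.
block in log all
block out log all

# Loopback is always trusted.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: our LAN range must never arrive on the external interface.
block in log quick on fxp0 from 192.168.1.0/24 to any
block in log quick on fxp0 from 127.0.0.0/8 to any

# Outbound from the firewall or the LAN: "keep state" records each
# connection so that only matching reply packets are allowed back in.
pass in quick on xl0 from 192.168.1.0/24 to any keep state
pass out quick on fxp0 proto tcp from any to any keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# The only unsolicited inbound traffic: the IPsec peer at the other city
# (ESP, protocol 50, and ISAKMP on UDP 500), as Brian notes the routers must
# also let through.
pass in quick on fxp0 proto esp from 203.0.113.2 to 198.51.100.2
pass in quick on fxp0 proto udp from 203.0.113.2 port = 500 \
    to 198.51.100.2 port = 500

# Everything else inbound on fxp0 falls through to the logged block above;
# run "ipmon -D" to see what is being refused while tuning the ruleset.
```

Load it with `ipf -Fa -f /etc/ipf.rules` and, assuming a FreeBSD 4.x system, make it persistent with `ipfilter_enable="YES"` and `ipfilter_rules="/etc/ipf.rules"` in /etc/rc.conf; NAT for the LAN is a separate ipnat ruleset.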
-----
This is the afnog mailing list, managed by Majordomo 1.94.5
To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)
This list is maintained by owner-afnog at afnog.org