* Leif Hvidsten <leif at mn.rr.com> [011231 23:43]:
> into the external service access feature.  Be sure to check out the Special
> Edition ISO that just came out on Dec. 21st.
> http://www.smoothwall.org

I decided to ignore these people from now on because they have the
mindset that the founder put so much money into making Free Software
that people should be nice and never criticize their ways. (phone-home
registration, their methods of dealing with some idiot who claimed they
were breaking the GPL and then saying all Linux geeks are like that and
they are better than them, etc.)  I got sick and tired of it and decided
to absolutely not tell people about the project anymore.

Oh, for a while one of the updates turned the web-config interface into
nagware.

It's nice to contribute, but if you're basing your business model on
something and then bashing the community because they poke at your
business model and ways, it's not worth being nice and promoting their
'product'.

I work daily with our Lucent firewall; it's got faults, but it still has
more flexible firewalling and IPSEC based VPN support.  They use
FreeSWAN for their IPSEC implementation, and unless they are doing
anything special, the only decent way to put stuff out with FreeSWAN is
using a PKI/x509 style setup.  With something from Lucent or Cisco, you
can use a certificate to ensure that the server is who they say they are
and then use RADIUS, which is more deployed and much easier to manage
than PKI is yet. (until there is better smart-card-ish stuff
*everywhere* and a few other things...)

Most of what they are trying to sell to people as a product is FreeSWAN,
Linux ipchains, squid, snort, and a few other things I can't remember,
with a nifty frontend.  Their only real IP is the integration work and
the web based frontend.

Of course, they want to put this into the hands of businesses that have
no idea about their risks, and just want to save some money.  Of course,
there are VARs out there, but that's going to cost too much for these
sorts of users.  These are the sorts of users who will put this up,
forward their IIS server through it, and then declare their servers
'secure' because they are protected by a firewall.

So, the 'hard' part in this business is presenting a frontend that
doesn't expose the users to anything, and helps them in more than just a
firewall, but also somehow notifies and helps them test their exposed
machines with them and helps them secure them too.  Perhaps a
subscription based service to provide the updates, etc.  Something a bit
more turnkey, and a bit less of mapping files to a configuration
interface, but allow experts to dive right in and torque things.
Perhaps even remotely if possible as part of a 'managed security' setup.

I really like this idea of helping users test their exposed services
though, it can be automated, and the tests that come up true can point a
user directly to what they need to do.

And if a problem is really bad and the machine detects it (worm
propagation, odd behavior, etc.) allow the machine to filter outbound
from the hosts being protected.  This would be a 'hard' filter to write,
methinks.  And 'harder' to implement in software and keep any sort of
scalability and relevant reaction time.

Oh well, that was a long rant.

Yikes they even use popups on their website now.

But yeah, it's not 'securing your digital world', it's just helping you do
the basics of security, and even then you can push a knob the wrong way
and not know if you're really secure anymore or not. I would put a book
reference here, preferably written for somewhat normal computer users
and easy enough for almost anyone on this list to understand, that talks
about how to evaluate your risks and security policy, but I don't know
of a good one offhand.  Anyone know of any good network and machine
security books?  Preferably network ones and more based on the risks and
less on what OSes are on your network.

Thanks.

-- 
Scott Dier <dieman at ringworld.org> http://www.ringworld.org/

...one of the top CBS reporters here in the Twin Cities, came up to me and
said, "Governor." Here was her question: "How do you respond to some people
who say you're spending too much time on state security and not enough time
on Major League Baseball and the Twins?"
	-Jesse Ventura, Salon interview 12.17.01
	  on why he thinks media are jackals and his partial
	  justification for ignoring the 'baseball issue'.