Firewall Wizards mailing list archives

Re: Firewall: dedicated equipment x Unix workstation


From: Matthew Patton <patton () sysnet net>
Date: Sun, 11 Oct 1998 21:38:48 -0400

I don't have much to add to the experts' commentary but an appliance often
does not provide you the customer with any access to full source or the
precise details of what is going on inside, whereas a Unix distro with
source, say OpenBSD, does. As a matter of convenience and as a marketing
differentiator, many include management programs like built-in web servers
or Java clients which introduce their own potential issues. I guess it
boils down to how much in-house knowledge you have and how trustworthy
your vendor is. I personally prefer the crystal box approach.

My firewall requires precisely one 1.44MB floppy (actually less) to
operate. Local disk is optional and is used strictly for logging with flags
SAPPND and securelevel=2. It's built entirely on freeware and trash (486/66
EISA computer with lots of NICs) the IT department deemed useless. It
doesn't even tickle the CPU with 10Mbit Ethernet, let alone a T1. As
currently configured there are no user-level endpoint services on it, though
putting bind on would be quite easy. Remote mgmt is via SSH on the internal
interface only or an optional serial line. It won't stop anything a packet
sniffer can't (e.g. protocol attacks) but it does a fine job nonetheless and
costs thousands less than any Cisco router or PIX or Checkpoint's favorite
solution.

--------
The spark of the revolutionary war, the battle of Lexington and Concord,
was prompted by the ruling government's attempts to confiscate the
"assault weapons" of the day held by local militias.
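The append-only logging the post mentions (system append-only flag plus a raised securelevel) works because the BSD kernel refuses to clear system flags once `kern.securelevel` is 1 or higher, so a compromised root account cannot truncate or rewrite the logs without a reboot into single-user mode. The script below is an added example, not the poster's own configuration: it assumes an OpenBSD-style host with `chflags(1)`, `ls -lo` and the `kern.securelevel` sysctl, and the log file names passed on the command line are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): mark log files system-append-only
# and report whether the running securelevel actually enforces that flag.
# Assumes a BSD host with chflags(1), ls -lo and sysctl kern.securelevel.

# sappnd can be cleared by root unless the kernel runs at securelevel >= 1;
# at level 2 the level itself cannot be lowered until the next reboot.
# Prints "enforced", "advisory" or "invalid"; returns 0 only when enforced.
sappnd_enforced_at() {
    level="$1"
    case "$level" in
        ''|*[!0-9-]*) echo "invalid"; return 2 ;;
    esac
    if [ "$level" -ge 1 ]; then
        echo "enforced"
        return 0
    fi
    echo "advisory"
    return 1
}

# Set the system append-only flag on one file and verify it via ls -lo,
# which prints the file flags column on the BSDs. Set flags before raising
# securelevel: at level >= 1 they cannot be removed without a single-user boot.
make_append_only() {
    f="$1"
    [ -f "$f" ] || : > "$f"
    chflags sappnd "$f" || return 1
    ls -lo "$f" | grep -q sappnd
}

main() {
    if ! command -v chflags >/dev/null 2>&1; then
        echo "chflags(1) not found; this needs a BSD host" >&2
        return 1
    fi
    level=$(sysctl -n kern.securelevel 2>/dev/null || echo 0)
    echo "kern.securelevel=$level: sappnd is $(sappnd_enforced_at "$level")"
    for f in "$@"; do
        if make_append_only "$f"; then
            echo "append-only: $f"
        else
            echo "failed: $f" >&2
        fi
    done
}

# Usage (log file names are illustrative):
#   sh appendonly.sh /var/log/messages /var/log/authlog
[ $# -eq 0 ] || main "$@"
```

The useful check is the first line of output: a host that reports `advisory` has the flags set but nothing stopping root from clearing them, which is the state the post avoids by booting with securelevel=2.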
