Lisa,
not to knock your extensive experience with commercial equipment, but I've often found such to be more trouble than they are worth. Now, I am not an "ordinary computer user" like most. I tend to go with what works with a minimum of overhead on a powerful machine (900 MHz CPU, OpenBSD 4.2 with the pf firewall and 3 NICs, one as DMZ).
One rule of thumb I have: if a service doesn't need to be on the firewall, THEN DON'T INSTALL IT THERE! VPN, DNS, TOR, any of these should never go on a firewall (it's one of the reasons why a home or commercial device will fail; it's a security risk). I don't even like web servers on firewalls. I like having an internally facing ssh or telnet server (I did say internally facing), and pf is very nice on rulesets (it's easier to learn than iptables/ipchains).
Now, I know I don't have the level of experience you do, but from my point of view, I find that unless I am rich, I simply cannot afford the expensive equipment (corporate level stuff), nor can I afford the cheapo off-the-shelf crapola at Best Buy. Given the choices, I'd rather build my own.
Anyway, that's my 2 cents' worth on this subject. :)
Lisa Kachold wrote:
> Hi Mark,
>
> As a technical professional, I have weighed the benefits and costs of SOHO
> "routers" against what can be expected in production equipment.
>
> I find that the stability, functions and maintenance of most of these
> LinkSys and Netgear devices are not worth the cost; generally they must be
> tinkered with extensively, rebuilt and upgraded to even partially work.
>
> I have had a couple of Netgear and LinkSys firewalls, including VPN so
> called "Small Business" firewalls. I have built my own firmware, added
> second party firmware, WRT and studied extensively the image and
> configuration when the devices fail. I find there are extensive security
> issues inherent in most of these devices that allow them to fail over under
> distributed packet assault and allow one of three things to happen: remote
> access, firmware upgrade or management via http on wan side. NOTE: I have
> not evaluated dlink or other manufacturers' offerings.
>
> Here's an at a glance comparison of home broadband "routers":
> http://compnetworking.about.com/od/broadband/tp/dslcablerouters.htm
>
> While I strongly liked OpenWRT, because I essentially had a sweet little
> linux system, I did not find that the security features were robust enough;
> no IDS function was available for real time packet inspection (like in a
> ProSafe LinkSys Business Router); no VLAN or IPS features. Configuring the
> firewall, while easy for me might not have been so easy for another since
> extensive inbound and outbound rules needed to be set via IPTABLES. And
> when I was done, the OpenWRT ssh and distributed networking STILL was not
> able to withstand a distributed DoS with low level fuzzing attack - again
> falling over and allowing escalated privs.
>
> With that said, I strongly suggest that you completely sidestep "home"
> versions and look at small business products.
>
> Cisco has some new offerings that should perform better and include some
> suite functions:
> http://www.infoworld.com/d/storage/cisco-delivers-security-storage-uc-small-business-624
>
> Also, you do realize you can just get yourself a used Cisco 877 ADSL or ASA
> 5500 (do you already have an ADSL modem too) and have a VPN via Cisco VPN
> client that works with Linux well:
>
> http://www.pcmall.com/pcmall/shop/detail.asp?dpno=562971&Redir=1&description=Cisco-877%20ADSL%20Security%20Router%20Wireless%20802.11g%20FCC%20compliant%20+%204-port%20Switch-WAN%20Routers,%20Gateways,%20etc
>
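The layout Mark describes (three NICs, one as DMZ, no services on the firewall except an internally facing ssh) as a pf.conf, added here as an example and not from either poster. It uses current pf syntax (nat-to/rdr-to, OpenBSD 4.7 and later) rather than the 4.2-era "nat on" form; interface names, address ranges, the DMZ web server and a static WAN address are all assumptions.

```pf
# Added example (not from the thread). Interfaces, networks and the DMZ host
# are assumed values; the WAN interface is assumed to have a static address.
ext_if  = "em0"                      # WAN side
int_if  = "em1"                      # internal LAN
dmz_if  = "em2"                      # DMZ
int_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
dmz_www = "192.168.2.10"             # the only DMZ service reachable from the WAN
admins  = "{ 192.168.1.10, 192.168.1.11 }"

set skip on lo
set block-policy drop
# Bind each state to the interface that created it, so every interface
# evaluates its own in/out rules and NAT is decided on the WAN side.
set state-policy if-bound

antispoof quick for { $int_if, $dmz_if, $ext_if }

# Default deny, logged, on every interface and in both directions.
block log all

# The firewall itself runs one service, ssh, and only answers admin hosts
# on the LAN side. Nothing arriving from the WAN, the DMZ, or other LAN
# hosts reaches a service on the box (replies to its own traffic match state).
pass in quick on $int_if proto tcp from $admins to ($int_if) port 22
block in quick from any to self

# LAN -> DMZ and LAN -> WAN; LAN sources are hidden behind the WAN address.
pass in  on $int_if from $int_net to any
pass out on $dmz_if from $int_net to $dmz_net
pass out on $ext_if from $int_net to any nat-to ($ext_if)

# WAN -> DMZ web server only, via the firewall's WAN address.
pass in  on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } rdr-to $dmz_www
pass out on $dmz_if proto tcp from any to $dmz_www port { 80, 443 }

# DMZ -> WAN is allowed (updates); the DMZ never initiates into the LAN.
block in quick on $dmz_if from $dmz_net to $int_net
pass in  on $dmz_if from $dmz_net to any
pass out on $ext_if from $dmz_net to any nat-to ($ext_if)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the `block log all` entries show up on pflog0 for anything outside the allowed paths.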
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us