Network Security Firewalls
RE: Open Source vs Proprietary

Subject: RE: Open Source vs Proprietary
Date: Mon, 13 Jun 2005 10:14:24 -0400
Being a person who has managed to utilize open source applications at
every position he has held in the last ten years, let me say.

The problem with getting people to accept open source is showing them
that they really are getting something for nothing.  

An example, at a previous position, we were looking for a good SPAM
solution for a client's Windows 2003 SBS system.  After a little
research, we had two solutions that appeared to us to be good paths.  X
wall (http://www.xwall.us/) which at the time ran about $500 for their
SMTP proxy filter application.  And ASSP (http://assp.sourceforge.net/)
a free open source Bayesian filter SMTP proxy (very much like X wall).

It came down to 3 folks who understand open source, have contributed in
the past, and know their stuff inside and out, versus two folks who
thought we were crazy and having the wool pulled over our eyes and that
we were buying in on a scam.

They couldn't understand that we could get a comparable product for
free.  We configured both and gave them a test and got very similar
results.

It took us over 3 months to convince one of the people that OSS products
were reliable, feasible, and responsible.  One of the guys agreed that
ASSP was a good product but required similar convincing before even
looking at OSS products in the future.

Yes sometimes there is such a thing as a free lunch.

-----Original Message-----
From: Mike Thompson [mailto:mthompson@brinkster.com] 
Sent: Friday, June 10, 2005 10:43 AM
To: Joseph (Joe) Lynn; firewalls@securityfocus.com
Subject: RE: Open Source vs Proprietary

Do people just buy firewalls because they can't be bothered to
learn to set up Open Source systems, or is there more to this that I'm
missing?

 
I think the answer that would be most asked is what are the needs that
you are trying to fill. If you have the time and are not worried about
PPS. One thing IT guys get stuck on is not whether or not you can
but should you?

If I am managing an IT department or I am the CTO, CEO or CIO then I
want the most secure, least time consuming product in place to meet my
needs. I wouldn't care about the pride of the IT guy because he
wants to do something new. You can order, install and provide confidence
by installing a PIX. At least there is corporate accountability.  Your
time has a price on it too.  

If this is about academia then yes people should learn how. But if this
is business, chances are the IT guy is not going to make the decision on
where his time is spent.  
 
I have a general rule: if anything is inline then I go with something
that is diskless and ASIC-based. If I want to do something that is not
mission critical, you have the extra time to spare, and I can afford to
have downtime, then I go with the PC-based products.

Mike.    

________________________________

From: Joseph (Joe) Lynn [mailto:Joe.Lynn@tiniusolsen.co.uk] 
Sent: Thursday, June 09, 2005 12:33 AM
To: firewalls@securityfocus.com
Subject: Open Source vs Proprietary


Hi all,

Sorry everyone, forgive my ignorance, but I'm still a bit confused on
these issues - I don't understand why anyone would buy a firewall that
has a cost associated with it rather than just taking a bog standard pc
and installing an open source firewall on it, such as IPCop or OpenBSD
PF.

From the responses to my post about IPCop and the messages about
OpenBSD, it looks like these options are as secure as you're going to
get.

Perhaps it might be easier to configure proprietary firewalls, and they
might give better logging and analysis options, but presumably,
certainly with IPCop, and I would assume, with OpenBSD, you can find
adequate Open Source options that will provide any of the functions that
the other firewalls do (with the exception of ISA2004, which sounds like
it works with the applications rather than the packets....) - like e.g.
snort.

Do people just buy firewalls because they can't be bothered to learn to
set up Open Source systems, or is there more to this that I'm missing?

Many thanks,

Joe