Network Security Firewalls

Re: What firewall for small medical research lab

Subject: Re: What firewall for small medical research lab
Date: Fri, 28 Apr 2006 20:25:31 -0400
On Fri, Apr 28, 2006 at 09:10:23AM -0700, Damien Dinh wrote:
IMHO, I would personally stay away from re-commissioned hardware to be
used as a primary perimeter protection device.  The availability
component of the CIA triad will surely be impacted through hardware
failure.

        I personally like to use new,  reliable hardware.  However, 
that knife cuts both directions.  For example,  if that hard drive
(if I'm using one) fails on a Linux (or OpenBSD!) server,  it's
pretty easy for me to grab a new one and roll out my last backup.

        With the Cisco,  if that hardware fails,  I'll more than likely
be ordering and waiting for the new unit.  That's not to say you can't
buy a backup for either solution.  Then you just set up "heartbeat" 
(http://www.linux-ha.org/) between the primary and backup.  Anyways, 
that's outside the scope of this conversation.


 Additionally, configuring IPtables and OS hardening can be
time consuming and an ongoing headache because you have to check the

        There is a learning curve,  I agree.   Distros like Gentoo
or Slackware make it pretty easy to install a very minimal set of utilities.
I also like Gentoo as it allows me to add hardened kernels (pax/grsec)
and build from source with stack protection (pro-police, etc). 

rules frequently due.  OS updates add complexity as well.

        emerge -u system

        I'd guess that iptables rules,  once set,  change about as much
as a Cisco install.  

Your best solution is to get a PIX 501 ($300-$400); it does full
stateful inspection (same function as their enterprise fw) with 4
interfaces to section out your network.  It even has VPN.

        Let me state,  I'm not knocking Cisco products!  It largely depends
on what the end user needs and/or may want in the future.  There's plenty
of VPN support under Linux.   Let's also not forget things like aide,  snort,
BASE (acid) and mucho security related utilities that can be installed.

I have used this product for branch offices of up to 50 users and it's
pretty much set and forget (almost - need to update code once in a
while).  Cisco has an awesome forum on their site where product
developers and CCIEs frequently answer any questions you may have.

        And the same for Linux (forums/etc).   I think it really boils down
to what the end user's needs and his expertise are.  If OpenBSD/Linux appear
to be too much of a learning overhead,  then I'd definitely recommend Cisco
gear.   


-- 
Champ Clark III    |   Vistech Communications,Inc.   |    850-942-0388 x 101
                         http://www.vistech.net

GPG Key ID: 58A2A58F
Key fingerprint = 7734 2A1C 007D 581E BDF7  6AD5 0F1F 655F 58A2 A58F
If it wasn't for C, we'd be using BASI, PASAL and OBOL.
