On Fri, Feb 13, 2015 at 6:45 PM, Rafael Possamai <rafael@gav.ufsc.br> wrote:

> I am a huge fan of FreeBSD, but for a medium/large business I'd definitely use a fairly well tested security appliance like Cisco's ASA.

Or maybe Juniper, Cisco's IronPort, IPSO? They are all FreeBSD based and ready for big, critical networks. FreeBSD's ipfw codebase has existed for longer than most of the commercial products you somehow believe to be more mature. So FreeBSD's firewalling code, at least, is as well tested as commercial vendors' products.

> Depending on the traffic you have on your fiber uplink, you can get a redundant pair of ASAs running for less than $2,000 in the US.

For this traffic rate the best part of a commercial product is just irrelevant: good specific hardware. Whatever can be done with a USD 2K Cisco based solution can be done on cheap, low capacity x86 hardware with FreeBSD.

> I just find it less stressful to use a solution like ASA rather than worrying about patching your kernel every so often and worrying about possible vulns in the ipfw/pf codes.

One does not need to svn update, build kernel, build world if he does not want to. It's just a matter of adding freebsd-update to crontab (or having your own manual updating cycle in place).

> That, and you have to make sure EVERYTHING is taken into account when you create your rules, which requires some intense knowledge on either ipfw, pf or both.

Another point I am completely inclined to disagree with. My team is made up of everyone from trainees and junior level staff to professionals with 20+ years of experience. There is absolutely no relevant learning curve for someone who has configured a Cisco or Juniper firewall to move to a PF or IPFW firewall. If the guy comes from a Linux background he finds it ridiculously simple to have a PF firewall up and running; after all, for someone used to that weird iptables syntax and semantics, a firewall with linear rules and natural syntax is a piece of cake. New professionals quickly learn PF/IPFW better than Linux or Fortigate, which is another product we also have in place (heterogeneous / mixed team and technologies here).

The tool is just the tool; it should be a matter of what the tool can or cannot do, not a matter of how to use it. Cisco ASA and PF are completely different animals, sure, but learning 'em from scratch or coming from other animals like Linux or Fortigate is straightforward.

While products like Fortigate have a nice GUI, it's just limited and unproductive. My team tends to configure Fortinet on the CLI, and guess what? The Fortinet team usually gets joked about by the BSD team when they see someone using the Fortinet CLI. It just takes 5 times longer to configure several "edit" blocks, creating objects and putting it all together to end up with a simple firewall rule, when the BSD guys do a one-line rule with macros and tables that give all the equivalent "object" advantages. Nobody in my team cares for a GUI, but if a fancy GUI is required they send pfSense screenshots to the Fortinet guys just to keep making fun...

I strongly believe in the idea that open source has its place and commercial products have theirs, in different scenarios and with different requirements. And in this scenario Mr Andy is asking about, IMO there's no reason not to go with open source BSD, especially because he already seems familiar with FreeBSD.

> I am not an expert in intrusion detection, so with regards to that, I'd just set up a honeypot and monitor activity. You can also regularly run penetration tests on your own network and see how well you are protected. Just make sure the appropriate people know about these tests so you don't get wrongfully reported.

Not the same thing, same goal or same results.

> Rafael
>
> On Fri, Feb 13, 2015 at 11:40 AM, Andy Ringsmuth <andy@newslink.com> wrote:
>> NANOG'ers,
>>
>> I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company.
>>
>> We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.
>>
>> Initially, what do people recommend for:
>> 1. Crash course in intrusion detection as a whole
>> 2. Suggestions or recommendations for intrusion detection hardware or software
>> 3. Other things I'm likely overlooking
>>
>> Thank you all in advance for your wisdom.
>>
>> ----
>> Andy Ringsmuth
>> andy@newslink.com
>> News Link – Manager Technology & Facilities
>> 2201 Winthrop Rd., Lincoln, NE 68502-4158
>> (402) 475-6397
>> (402) 304-0083 cellular
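The "one-line rule with macros and tables" argument in the reply above, shown as an added example that is not from the thread or from any of its participants: a small pf.conf for a FreeBSD firewall in front of a LAN like the one Andy describes. Interface names (em0/em1), the LAN prefix, the management host addresses and the /etc/pf.blocked file are assumptions for illustration; the blocklist file must exist (one address or CIDR per line) or pfctl will refuse to load the ruleset.

```pf
# Added example, not part of the original thread. Interface names, networks,
# addresses and the /etc/pf.blocked path are assumptions for illustration.

# Macros: the pf equivalent of a vendor "address object" or "service object".
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.10.0/24"
lan_out_tcp = "{ 22, 80, 443, 993 }"

# Tables: address groups that can be changed at runtime with
# `pfctl -t <name> -T add|delete <addr>` without reloading the ruleset.
table <mgmt_hosts> { 192.168.10.5, 192.168.10.6 }
table <blocked> persist file "/etc/pf.blocked"

set skip on lo0
set block-policy drop

# Normalisation must come before translation and filtering in this syntax.
scrub in all

# Hide the private LAN behind the external address (FreeBSD pf NAT syntax).
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Default deny, logged, so a forgotten rule fails closed rather than open.
block log all

# Drop packets whose source address does not belong on the interface.
antispoof quick for { $ext_if, $int_if }

# Blocklist table is checked first in either direction; `quick` stops
# evaluation here (pf is otherwise last-match-wins).
block quick from <blocked>
block quick to <blocked>

# Only the management hosts may reach the firewall's own SSH. This pair of
# lines is the rule that needs several "edit" blocks and objects elsewhere.
pass in quick on $int_if inet proto tcp from <mgmt_hosts> to self port 22 keep state
block in quick on $int_if inet proto tcp to self port 22

# LAN hosts out to the Internet, restricted by protocol and port, with state
# kept so the replies are allowed back without an explicit inbound rule.
pass in on $int_if inet proto tcp  from $lan_net to any port $lan_out_tcp keep state
pass in on $int_if inet proto udp  from $lan_net to any port { 53, 123 } keep state
pass in on $int_if inet proto icmp from $lan_net to any icmp-type echoreq keep state

# Forwarded and locally generated traffic may leave either interface;
# nothing unsolicited is passed in on $ext_if, so the default block applies.
pass out on $ext_if inet keep state
pass out on $int_if inet keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (`pfctl -f /etc/pf.conf`), and maintain the blocklist with `pfctl -t blocked -T add 203.0.113.0/24` or by editing /etc/pf.blocked and running `pfctl -t blocked -T replace -f /etc/pf.blocked`. For the automated patch cycle the reply mentions, `freebsd-update cron` is the subcommand intended for a crontab entry: it fetches updates after a random delay and mails the result, leaving `freebsd-update install` for a maintenance window.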