[Chugalug] OT: Favorite Enterprise Firewalls?

Dave Brockman dave at brockmans.com
Thu Apr 18 02:50:16 UTC 2013



On 4/17/2013 4:42 PM, Jason Brown wrote:
> On 04/17/2013 10:42 AM, Dave Brockman wrote:

>> to buy that second $20k, $40k, $80k unit however.  And often
>> "support" with firewalls is not actually support, but
>> subscriptions to their Anti-virus signatures, Anti-SPAM
>> signatures, IPS/IDS signatures, botnet traffic filter licenses,
>> etc etc etc.  Did you see support in that list? Me neither.
> Yep, support is in that list, from the linked page: A support 
> subscription provides you with 24x7x365 direct access to the
> pfSense team with guaranteed response time for all your
> firewall,.....

I was actually referring to the "Enterprise" competitors there....

>> A much wiser man than myself once told me this:  "I can decrease
>> your downtime directly proportional to the size of your wallet,
>> it's up to you and your wallet to determine how much downtime you
>> can actually afford."
> This is ABSOLUTELY true! But in my opinion the approach to 
> infrastructure design is much more important than the vendor /
> hardware. If you are going for more than "three nines" then every
> part of the infrastructure should be redundant. If that means that
> it costs less for one, you can buy two, or four.

We are in agreement here.

>>> For those people that want it, pfSense also provides the 24/7
>>> support at a reasonable price. I have not used it personally. 
>>> https://portal.pfsense.org/index.php/support-subscription

More than one of us on this list [can|have|do] provide support for
pfSense as well.  Same holds true for Cisco as well though :)

> Agreed, sometimes there are shortcomings. I wasn't aware that
> connecting overlapping subnets was possible (reliably) with any
> product? Perhaps I am misunderstanding?

Cisco kit has done it for ... at least 15 years.  And I mean
connecting overlapping subnets on both ends of an L2L VPN, yes...

10.0.0.0/24|SiteA <---------> SiteB| 10.0.0.0/24

You "NAT before IPsec" to overcome this, so from SiteA network, you
access 10.0.1.0/24, and your device NATs this to 10.0.0.0/24 on the
other end of that particular tunnel, and does the reverse for traffic
coming from the other direction.  You also have to overcome it on the
other side, so you have to do the same, although you are free to
choose any network you like....

10.0.0.0/24|SiteA>NAT>10.0.1.0/24>VPN<10.1.0.13/24<NAT<SiteB|10.0.0.0/24

Yes, it works... but not on BSD.

> I've typically separated VPN services anyway, not leaving those up
> to the firewall at all (Unless it is site to site).

I do not know if this is possible for a RA VPN, I've found keeping
office networks off 192.168.0.0/22, 192.168.100.0/22, 192.168.254.0/24
and 10.0.0.0/24 will take care of the home users 99.9% of the time.
Otherwise, we renumber something.

> I'm particularly interested in the UDP AD traffic issue, I have
> not heard of that particular issue.

My Google-Fu is failing me, so it's either been fixed since 2.0, or I
am misremembering some detail.  It involved a remote XP workstation,
AD at HQ, and some type of AD related UDP traffic that could be
reghacked to use TCP.  I didn't work the issue in depth, although I
did locate the definitive issue at the time.  I will inquire with the
coworker who was more deeply involved and circle back to you on this.

Regards,

dtb
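The "NAT before IPsec" trick for overlapping subnets described above, worked through as an added example (this is not code from the original post or from any vendor). It models each site's gateway as a 1:1 network map applied before encryption and after decryption, with SiteA seen as 10.0.1.0/24 and SiteB seen as 10.1.0.0/24 on the tunnel (the second range is assumed from the diagram), and adds the consistency check a practitioner wants: the translated ranges must match on both ends and must not collide with either real LAN, otherwise the overlap just moves one hop.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

def netmap(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """1:1 network translation: swap the network bits, keep the host bits."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs equal-size networks")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    return IPv4Address(int(to_net.network_address) + (int(addr) - int(from_net.network_address)))

class Gateway:
    """One site's VPN gateway applying policy NAT before the IPsec tunnel (hypothetical model)."""
    def __init__(self, real: str, translated: str, peer_translated: str):
        self.real = ip_network(real)              # the site's actual LAN
        self.translated = ip_network(translated)  # how the peer sees this LAN
        self.peer = ip_network(peer_translated)   # how this site addresses the peer LAN

    def outbound(self, src: IPv4Address, dst: IPv4Address):
        """LAN -> tunnel: match the peer's translated range, source-NAT our own hosts."""
        if dst not in self.peer:
            raise ValueError(f"{dst} does not match the tunnel traffic selector")
        return netmap(src, self.real, self.translated), dst

    def inbound(self, src: IPv4Address, dst: IPv4Address):
        """tunnel -> LAN: accept only translated addresses, destination-NAT back to real."""
        if src not in self.peer or dst not in self.translated:
            raise ValueError("packet outside the negotiated selectors")
        return src, netmap(dst, self.translated, self.real)

def selectors_consistent(a: Gateway, b: Gateway) -> bool:
    """Both ends must agree on the translated ranges, and the range a site uses to
    reach its peer must not overlap that site's own LAN (one-sided NAT fails here)."""
    return (a.translated == b.peer and b.translated == a.peer
            and not a.translated.overlaps(b.translated)
            and not a.peer.overlaps(a.real) and not b.peer.overlaps(b.real))

def round_trip(a: Gateway, b: Gateway, a_host: str, b_host: str):
    """Trace SiteA host -> SiteB host and the reply; returns (src, dst) at each hop."""
    a_real, b_real = ip_address(a_host), ip_address(b_host)
    # The SiteA host addresses the SiteB host by its translated (10.1.0.x) address.
    req_tunnel = a.outbound(a_real, netmap(b_real, b.real, b.translated))
    req_lan_b = b.inbound(*req_tunnel)
    # The SiteB host replies to the translated source it saw (10.0.1.x).
    rep_tunnel = b.outbound(req_lan_b[1], req_lan_b[0])
    rep_lan_a = a.inbound(*rep_tunnel)
    return [tuple(map(str, hop)) for hop in (req_tunnel, req_lan_b, rep_tunnel, rep_lan_a)]

# Constructed topology from the post: both LANs are 10.0.0.0/24.
SITE_A = Gateway("10.0.0.0/24", "10.0.1.0/24", "10.1.0.0/24")
SITE_B = Gateway("10.0.0.0/24", "10.1.0.0/24", "10.0.1.0/24")
```

The translated networks, not the real LANs, are what both gateways must negotiate as the IPsec traffic selectors (proxy IDs).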

