[Chugalug] OT: Favorite Enterprise Firewalls?

Dave Brockman dave at brockmans.com
Thu Apr 18 03:29:54 UTC 2013


On 4/17/2013 10:50 PM, Dave Brockman wrote:
> On 4/17/2013 4:42 PM, Jason Brown wrote:
>> On 04/17/2013 10:42 AM, Dave Brockman wrote:
>>> to buy that second $20k, $40k, $80k unit however.  And often 
>>> "support" with firewalls is not actually support, but 
>>> subscriptions to their Anti-virus signatures, Anti-SPAM 
>>> signatures, IPS/IDS signatures, botnet traffic filter
>>> licenses, etc etc etc.  Did you see support in that list? Me
>>> neither.
>> Yep, support is in that list, from the linked page: A support 
>> subscription provides you with 24x7x365 direct access to the 
>> pfSense team with guaranteed response time for all your 
>> firewall,.....
> I was actually referring to the "Enterprise" competitors there....
>>> A much wiser man than myself once told me this:  "I can
>>> decrease your downtime directly proportional to the size of
>>> your wallet, it's up to you and your wallet to determine how
>>> much downtime you can actually afford."
>> This is ABSOLUTELY true! But in my opinion the approach to 
>> infrastructure design is much more important than the vendor / 
>> hardware. If you are going for more than "three nines" then
>> every part of the infrastructure should be redundant. If that
>> means that it costs less for one, you can buy two, or four.
> We are in agreement here.
>>>> For those people that want it, pfSense also provides the
>>>> 24/7 support at a reasonable price. I have not used it
>>>> personally. 
>>>> https://portal.pfsense.org/index.php/support-subscription
> More than one of us on this list [can|have|do] provide support for 
> pfsense as well.  Same holds true for Cisco as well though :)
>> Agreed, sometimes there are shortcomings. I wasn't aware that 
>> connecting overlapping subnets was possible (reliably) with any 
>> product? Perhaps I am misunderstanding?
> Cisco kit has done it for ... at least 15 years.  And I mean 
> connecting overlapping subnets on both ends of an L2L VPN, yes...
>|SiteA <---------> SiteB|
> You "NAT before IPsec" to overcome this, so from SiteA network,
> you access, and your device NATs this to on
> the other end of that particular tunnel, and does the reverse for
> traffic coming from the other direction.  You also have to overcome
> it on the other side, so you have to do the same, although you are
> free to choose any network you like....

corrected cluster-fudge: |SiteA>NAT>>VPN<<NAT<SiteB|

> Yes, it works... but not on BSD.
>> I've typically separated VPN services anyway, not leaving those
>> up to the firewall at all (Unless it is site to site).
> I do not know if this is possible for a RA VPN, I've found keeping 
> office networks off,,
> and will take care of the home users
> 99.9% of the time. Otherwise, we renumber something.
>> I'm particularly interested in the UDP AD traffic issue, I have 
>> not heard of that particular issue.
> My Google-Fu is failing me, so it's either been fixed since 2.0, or
> I am mis-remembering some detail.  It involved a remote XP
> workstation, AD at HQ, and some type of AD related UDP traffic that
> could be reghacked to use TCP.  I didn't work the issue in depth,
> although I did locate the definitive issue at the time.  I will
> inquire with the coworker who was more deeply involved and circle
> back to you on this.
> Regards,
> dtb
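The "NAT before IPsec" arrangement in the thread, worked through as an added example (not code from the list or from any firewall vendor). Both sites are assumed to use the same LAN prefix, 192.168.1.0/24; each gateway is assumed to map its real LAN one-to-one onto a private "translated" prefix (10.1.0.0/24 for SiteA, 10.2.0.0/24 for SiteB) before encryption, and to undo the mapping on the destination after decryption, so the IPsec proxy IDs and the far side only ever see the non-overlapping translated prefixes. All addresses and names here are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed networks (assumptions for this example, not from the thread).
# Both sites use the same internal prefix, so plain routing cannot tell
# "the host at the far end" from "the host next to me".
SITE_A_LAN = ipaddress.ip_network("192.168.1.0/24")
SITE_B_LAN = ipaddress.ip_network("192.168.1.0/24")
# Each side picks an unused, non-overlapping prefix that the other side
# will see through the tunnel ("NAT before IPsec").
SITE_A_XLATE = ipaddress.ip_network("10.1.0.0/24")
SITE_B_XLATE = ipaddress.ip_network("10.2.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def translate(addr, from_net, to_net):
    """Static one-to-one NAT between two equal-size prefixes: keep the host
    offset, swap the network part."""
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("one-to-one NAT needs equal-size prefixes")
    offset = int(addr) - int(from_net.network_address)
    return to_net.network_address + offset


def needs_nat(lan_a, lan_b):
    """The tunnel needs NAT on at least one side whenever the real LANs overlap."""
    return lan_a.overlaps(lan_b)


def crypto_selector_ok(pkt, local_xlate, peer_xlate):
    """The IPsec policy (proxy IDs / crypto ACL) must match the translated
    prefixes, never the overlapping real ones."""
    return pkt.src in local_xlate and pkt.dst in peer_xlate


class Gateway:
    """One VPN endpoint: real LAN behind it, its own translated prefix, and
    the translated prefix it expects the peer to present."""

    def __init__(self, name, lan, xlate, peer_xlate):
        self.name, self.lan, self.xlate, self.peer_xlate = name, lan, xlate, peer_xlate

    def outbound(self, pkt):
        # Before encryption: rewrite the real source to its translated address.
        if pkt.dst not in self.peer_xlate:
            raise ValueError(f"{self.name}: {pkt.dst} is not tunnel traffic")
        return Packet(translate(pkt.src, self.lan, self.xlate), pkt.dst)

    def inbound(self, pkt):
        # After decryption: undo NAT on the destination so the packet reaches
        # the real LAN host; the source stays as the peer's translated address.
        if pkt.src not in self.peer_xlate or pkt.dst not in self.xlate:
            raise ValueError(f"{self.name}: packet does not match tunnel policy")
        return Packet(pkt.src, translate(pkt.dst, self.xlate, self.lan))


def round_trip(host_a, host_b):
    """Send one packet from a SiteA host to a SiteB host and get the reply back.
    Returns (src, dst) as seen by the SiteB host and by the SiteA host."""
    gw_a = Gateway("SiteA", SITE_A_LAN, SITE_A_XLATE, SITE_B_XLATE)
    gw_b = Gateway("SiteB", SITE_B_LAN, SITE_B_XLATE, SITE_A_XLATE)
    a = ipaddress.ip_address(host_a)
    b = ipaddress.ip_address(host_b)

    # The SiteA host addresses the far host by SiteB's *translated* address.
    pkt = Packet(a, translate(b, SITE_B_LAN, SITE_B_XLATE))
    on_wire = gw_a.outbound(pkt)
    if not crypto_selector_ok(on_wire, SITE_A_XLATE, SITE_B_XLATE):
        raise RuntimeError("packet would not be selected for the tunnel")
    delivered = gw_b.inbound(on_wire)

    # The SiteB host simply replies to what it saw; the same rules run in reverse.
    reply = Packet(delivered.dst, delivered.src)
    reply_wire = gw_b.outbound(reply)
    if not crypto_selector_ok(reply_wire, SITE_B_XLATE, SITE_A_XLATE):
        raise RuntimeError("reply would not be selected for the tunnel")
    reply_delivered = gw_a.inbound(reply_wire)

    return (
        (str(delivered.src), str(delivered.dst)),
        (str(reply_delivered.src), str(reply_delivered.dst)),
    )


if __name__ == "__main__":
    print("overlap needs NAT:", needs_nat(SITE_A_LAN, SITE_B_LAN))
    print(round_trip("192.168.1.10", "192.168.1.20"))
```

Two points the simulation makes concrete: the host at SiteA never sends to 192.168.1.20 (that would be delivered on its own LAN), it sends to the peer's translated address, and the crypto selectors are written against 10.1.0.0/24 and 10.2.0.0/24, so neither side's policy ever contains the overlapping real prefix.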
