[Chugalug] OT: Favorite Enterprise Firewalls?

Dave Brockman dave at brockmans.com
Thu Apr 18 03:29:54 UTC 2013



On 4/17/2013 10:50 PM, Dave Brockman wrote:
> On 4/17/2013 4:42 PM, Jason Brown wrote:
>> On 04/17/2013 10:42 AM, Dave Brockman wrote:
> 
>>> to buy that second $20k, $40k, $80k unit however.  And often 
>>> "support" with firewalls is not actually support, but 
>>> subscriptions to their Anti-virus signatures, Anti-SPAM 
>>> signatures, IPS/IDS signatures, botnet traffic filter
>>> licenses, etc etc etc.  Did you see support in that list? Me
>>> neither.
>> Yep, support is in that list, from the linked page: A support 
>> subscription provides you with 24x7x365 direct access to the 
>> pfSense team with guaranteed response time for all your 
>> firewall,.....
> 
> I was actually referring to the "Enterprise" competitors there....
> 
>>> A much wiser man than myself once told me this:  "I can
>>> decrease your downtime directly proportional to the size of
>>> your wallet, it's up to you and your wallet to determine how
>>> much downtime you can actually afford."
>> This is ABSOLUTELY true! But in my opinion the approach to 
>> infrastructure design is much more important than the vendor / 
>> hardware. If you are going for more than "three nines" then
>> every part of the infrastructure should be redundant. If that
>> means that it costs less for one, you can buy two, or four.
> 
> We are in agreement here.
> 
>>>> For those people that want it, pfSense also provides the
>>>> 24/7 support at a reasonable price. I have not used it
>>>> personally. 
>>>> https://portal.pfsense.org/index.php/support-subscription
> 
> More than one of us on this list [can|have|do] provide support for 
> pfsense as well.  Same holds true for Cisco as well though :)
> 
>> Agreed, sometimes there are shortcomings. I wasn't aware that 
>> connecting overlapping subnets was possible (reliably) with any 
>> product? Perhaps I am misunderstanding?
> 
> Cisco kit has done it for ... at least 15 years.  And I mean 
> connecting overlapping subnets on both ends of a L2L VPN, yes...
> 
> 10.0.0.0/24|SiteA <---------> SiteB| 10.0.0.0/24
> 
> You "NAT before IPsec" to overcome this, so from SiteA network,
> you access 10.0.1.0/24, and your device NATs this to 10.0.0.0/24 on
> the other end of that particular tunnel, and does the reverse for
> traffic coming from the other direction.  You also have to overcome
> it on the other side, so you have to do the same, although you are
> free to choose any network you like....
> 
> 10.0.0.0/24|SiteA>NAT>10.0.1.0/24>VPN<10.1.0.13/24<NAT<SiteB|10.0.0.0/24

Sorry, corrected cluster-fudge:

10.0.0.0/24|SiteA>NAT>10.0.1.0/24>VPN<10.1.13.0/24<NAT<SiteB|10.0.0.0/24

> 
> Yes, it works... but not on BSD.
> 
>> I've typically separated VPN services anyway, not leaving those
>> up to the firewall at all (Unless it is site to site).
> 
> I do not know if this is possible for a RA VPN, I've found keeping 
> office networks off 192.168.0.0/22, 192.168.100.0/22,
> 192.168.254.0/24 and 10.0.0.0/24 will take care of the home users
> 99.9% of the time. Otherwise, we renumber something.
> 
>> I'm particularly interested in the UDP AD traffic issue, I have 
>> not heard of that particular issue.
> 
> My Google-Fu is failing me, so it's either been fixed since 2.0, or
> I am mis-remembering some detail.  It involved a remote XP
> workstation, AD at HQ, and some type of AD related UDP traffic that
> could be reghacked to use TCP.  I didn't work the issue in depth,
> although I did locate the definitive issue at the time.  I will
> inquire with the coworker who was more deeply involved and circle
> back to you on this.
> 
> Regards,
> 
> dtb
> 

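The "NAT before IPsec" arrangement from the corrected diagram, modelled as an added example (not code from the thread or from any firewall vendor's software): site names and the translated prefixes 10.0.1.0/24 and 10.1.13.0/24 come from the diagram, the host addresses are constructed, and the `OverlapSite`/`tunnel_path` names are the example's own.

```python
# Added example (not from the thread): a model of "NAT before IPsec" for
# overlapping site-to-site subnets. Both sites really use 10.0.0.0/24; each
# presents a distinct translated prefix to the tunnel, so the phase-2
# selectors and the remote users' routes only ever see the translated prefixes.
from ipaddress import ip_address, ip_network


class OverlapSite:
    """One end of the L2L tunnel: real LAN prefix plus the prefix it is NATed to."""

    def __init__(self, name, real, translated):
        self.name = name
        self.real = ip_network(real)
        self.translated = ip_network(translated)
        # 1:1 network NAT needs equal-size prefixes so host bits carry over.
        assert self.real.prefixlen == self.translated.prefixlen

    @staticmethod
    def _map(addr, src_net, dst_net):
        # 1:1 network NAT: keep the host bits, swap the network bits.
        host_bits = int(addr) - int(src_net.network_address)
        return ip_address(int(dst_net.network_address) + host_bits)

    def egress(self, src, dst, peer):
        """Outbound toward the tunnel: our real source becomes the translated prefix."""
        src, dst = ip_address(src), ip_address(dst)
        if src in self.real and dst in peer.translated:
            src = self._map(src, self.real, self.translated)
        return str(src), str(dst)

    def ingress(self, src, dst):
        """Inbound from the tunnel: our translated destination becomes the real LAN."""
        src, dst = ip_address(src), ip_address(dst)
        if dst in self.translated:
            dst = self._map(dst, self.translated, self.real)
        return str(src), str(dst)


def tunnel_path(sender, receiver, src, dst):
    """Apply sender egress NAT, then receiver ingress NAT; return (on_wire, delivered)."""
    on_wire = sender.egress(src, dst, receiver)
    delivered = receiver.ingress(*on_wire)
    return on_wire, delivered


SITE_A = OverlapSite("SiteA", "10.0.0.0/24", "10.0.1.0/24")
SITE_B = OverlapSite("SiteB", "10.0.0.0/24", "10.1.13.0/24")

if __name__ == "__main__":
    # Constructed hosts: SiteA's 10.0.0.5 reaches SiteB's 10.0.0.7 as 10.1.13.7 ...
    print(tunnel_path(SITE_A, SITE_B, "10.0.0.5", "10.1.13.7"))
    # ... and SiteB's 10.0.0.7 replies to the SiteA host it saw as 10.0.1.5.
    print(tunnel_path(SITE_B, SITE_A, "10.0.0.7", "10.0.1.5"))
```

The real 10.0.0.0/24 addresses never appear inside the tunnel in either direction, which is what makes the identical prefixes routable; note that the model does no port translation, matching the 1:1 network NAT the diagram implies.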