[Chugalug] OT: Favorite Enterprise Firewalls?
dave at brockmans.com
Thu Apr 18 03:29:54 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
On 4/17/2013 10:50 PM, Dave Brockman wrote:
> On 4/17/2013 4:42 PM, Jason Brown wrote:
>> On 04/17/2013 10:42 AM, Dave Brockman wrote:
>>> to buy that second $20k, $40k, $80k unit however. And often
>>> "support" with firewalls is not actually support, but
>>> subscriptions to their Anti-virus signatures, Anti-SPAM
>>> signatures, IPS/IDS signatures, botnet traffic filter
>>> licenses, etc etc etc. Did you see support in that list? Me
>> Yep, support is in that list, from the linked page: A support
>> subscription provides you with 24x7x365 direct access to the
>> pfSense team with guaranteed response time for all your
> I was actually referring to the "Enterprise" competitors there....
>>> A much wiser man than myself once told me this: "I can
>>> decrease your downtime directly proportional to the size of
>>> your wallet, it's up to you and your wallet to determine how
>>> much downtime you can actually afford."
>> This is ABSOLUTELY true! But in my opinion the approach to
>> infrastructure design is much more important than the vendor /
>> hardware. If you are going for more than "three nines" then
>> every part of the infrastructure should be redundant. If that
>> means that it costs less for one, you can buy two, or four.
> We are in agreement here.
>>>> For those people that want it, pfSense also provides the
>>>> 24/7 support at a reasonable price. I have not used it
> More than one of us on this list [can|have|do] provide support for
> pfSense as well. Same holds true for Cisco as well though :)
>> Agreed, sometimes there are shortcomings. I wasn't aware that
>> connecting overlapping subnets was possible (reliably) with any
>> product? Perhaps I am misunderstanding?
> Cisco kit has done it for ... at least 15 years. And I mean
> connecting overlapping subnets on both ends of a L2L VPN, yes...
> 10.0.0.0/24|SiteA <---------> SiteB| 10.0.0.0/24
> You "NAT before IPsec" to overcome this, so from SiteA network,
> you access 10.0.1.0/24, and your device NATs this to 10.0.0.0/24 on
> the other end of that particular tunnel, and does the reverse for
> traffic coming from the other direction. You also have to overcome
> it on the other side, so you have to do the same, although you are
> free to choose any network you like....
> Yes, it works... but not on BSD.
>> I've typically separated VPN services anyway, not leaving those
>> up to the firewall at all (Unless it is site to site).
> I do not know if this is possible for a RA VPN, I've found keeping
> office networks off 192.168.0.0/22, 192.168.100.0/22,
> 192.168.254.0/24 and 10.0.0.0/24 will take care of the home users
> 99.9% of the time. Otherwise, we renumber something.
>> I'm particularly interested in the UDP AD traffic issue, I have
>> not heard of that particular issue.
> My Google-Fu is failing me, so it's either been fixed since 2.0, or
> I am mis-remembering some detail. It involved a remote XP
> workstation, AD at HQ, and some type of AD related UDP traffic that
> could be reghacked to use TCP. I didn't work the issue in depth,
> although I did locate the definitive issue at the time. I will
> inquire with the coworker who was more deeply involved and circle
> back to you on this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
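The "NAT before IPsec" arrangement Dave describes, written out as an added example for a pair of Cisco ASAs (8.3+ object NAT syntax). This is not configuration from the thread or from Cisco's documentation; the object names, the peer addresses 203.0.113.1/.2, the mapped ranges and the transform-set name are all assumed. Each site keeps its real 10.0.0.0/24 and translates only its own sources, so Site A hosts reach Site B as 10.0.1.0/24 and Site B hosts reach Site A as 10.0.2.0/24; the crypto ACLs then contain only mapped addresses and are exact mirror images of each other, which is what Phase 2 needs to negotiate.

```cisco
! ===== Site A ASA (assumed names/addresses; example only) =====
! Real LAN 10.0.0.0/24. Site B sees us as 10.0.2.0/24 (assumed).
! We reach Site B's LAN as 10.0.1.0/24 (assumed). Peer is 203.0.113.2 (assumed).
object network A-REAL
 subnet 10.0.0.0 255.255.255.0
object network A-MAPPED
 subnet 10.0.2.0 255.255.255.0
object network B-MAPPED
 subnet 10.0.1.0 255.255.255.0
!
! Twice NAT is applied before the crypto map sees the packet:
! source 10.0.0.x -> 10.0.2.x, but only for traffic to Site B's mapped range.
! The destination is left as-is (identity); Site B untranslates it on arrival.
nat (inside,outside) source static A-REAL A-MAPPED destination static B-MAPPED B-MAPPED
!
! Crypto ACL matches post-NAT addresses, so 10.0.0.0/24 never appears in the proxy IDs.
access-list L2L-TO-B extended permit ip object A-MAPPED object B-MAPPED
crypto map OUTSIDE-MAP 10 match address L2L-TO-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
! "set ikev1 transform-set" is 8.4+ syntax; older releases use "set transform-set".
! ESP-AES-SHA, the tunnel-group and its pre-shared key are assumed defined elsewhere.
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! ===== Site B ASA (mirror image) =====
! Real LAN 10.0.0.0/24 as well. Site A sees us as 10.0.1.0/24; we see Site A as 10.0.2.0/24.
object network B-REAL
 subnet 10.0.0.0 255.255.255.0
object network B-MAPPED
 subnet 10.0.1.0 255.255.255.0
object network A-MAPPED
 subnet 10.0.2.0 255.255.255.0
!
nat (inside,outside) source static B-REAL B-MAPPED destination static A-MAPPED A-MAPPED
!
access-list L2L-TO-A extended permit ip object B-MAPPED object A-MAPPED
crypto map OUTSIDE-MAP 10 match address L2L-TO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Check on Site A: the NAT phase should show 10.0.0.10 -> 10.0.2.10 and the
! VPN phase should encrypt, with the destination still 10.0.1.20.
! packet-tracer input inside icmp 10.0.0.10 8 0 10.0.1.20
```

Walking one packet through: a Site A host at 10.0.0.10 sends to 10.0.1.20; Site A's ASA rewrites the source to 10.0.2.10, matches L2L-TO-B and encrypts. Site B decrypts, its static NAT for B-REAL/B-MAPPED rewrites the destination back to 10.0.0.20, and the reply to 10.0.2.10 takes the same path in reverse. Because the 10.0.0.0/24 ranges only exist inside each site and never on the wire, the overlap is invisible to the tunnel; the one thing you cannot do is have a host on either side talk to the peer's real addresses directly.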