Hardware

CompactPCI-Based BSD Firewalls?

Legend asks: "I am looking into implementing a BSD-based firewall at my place of employment. I have been looking at different solutions, from Nokia and Cisco, but they seem quite expensive, and the Cisco solution is nothing more than a router with some extra software, and the Nokia nothing more than a PC with extra software. I have decided to build my own PC/BSD-based firewall, with FreeBSD or OpenBSD; however, I am looking for the perfect hardware for this project. CompactPCI looks like a great choice, but I am wondering if anyone has run *BSD on this hardware, and if there are any pitfalls to it. CompactPCI seems like it would be the perfect firewall solution: compact flash based boot drives, hot-swappable processors, up to eight PCI slots for NICs." Sounds like a nice idea for an always-on PC appliance. Although we covered some of the issues with BSD firewalls in an earlier article, it would be interesting to know your thoughts on CompactPCI and how well it can stand up to this kind of use.
  • CompactPCI is a modular standard for building PCs. It conforms electrically to PCI, but it is built in a rackmount chassis. http://www.gorilla.net/compactpci/compactpci_chassis_mck371.htm This way you have 8 PCI slots available, for NICs and such.
  • My bad. For some reason I was reading CompactPCI and blending Compact Flash and PC-Card in my head.

    Back to my other point, you could probably sell these things to other companies who are balking at the current retail firewall hardware. But really, that's neither here nor there...

    Dancin Santa
  • CompactPCI is a relatively new spec, and as such there are not a lot of products in the CompactPCI line, nor is there any performance spec or testing done on this platform. cPCI is primarily used in the telephony industry, where it affords extremely high port density. You may be better off looking at the ISA bus, or the PCI passive backplane. Both have been around much longer and have been shown to be stable. For a simple application such as a firewall, ISA or PCI will be fine. That said, here are some links to companies I have used in the past.

    Advantech [advantech.com] supplies a full line of CompactPCI chassis and system boards at very reasonable prices. They also carry PC104 and other custom SBCs.

    Crystal PC [crystalpc.com] supplies ISA-based computer systems in various rackmount configurations. Especially useful if you need 20 or 30 of the same box in a rack. They specialize in 1U and "toolbox" computers.

    Diversified Technologies [dtims.com] supplies PCI SBCs, cPCI SBC, and an array of chassis.

    I would also like to take a minute and caution you against using *BSD (or Linux) as a firewall. While it is true that they can be designed for less, and that you have greater control, it also means you have greater responsibility to maintain these systems. The advantage to a Cisco PIX is that the OS is not well known and not available for download. In the case of BSD, there are many more exploits available. Worse, you need to worry about both OS exploits and firewall software exploits. In the case of the PIX, the OS is the firewall, and exploits are far fewer. While it may be more expensive, think of the cost to your business that a breach would cause. After you factor in the extra work, extra maintenance, and lower security, you'll find a PIX is much more cost effective.
    --
    He had come like a thief in the night,

  • by Anonymous Coward
    I think bringing the OS into it is unnecessary. If he sets this up right, OS 'sploits just won't matter. As long as the network stack is clean, there shouldn't really be anything exposed to be hacked. Just a clean packet filterer.

    Also, advocating security through obscurity ain't such a good idea. Where's your obscurity going to get you when you have a dedicated attacker on your hands?

  • by Nonesuch (90847) on Wednesday March 28, 2001 @07:49PM (#332155)
    One of the advantages of custom building a firewall using *BSD with IP-Filter is that you can load your own protocol-aware and 'application proxy' software on the device, where the PIX is strictly a stateful-inspection packet filter with some minimal protocol awareness for 'fixup', and that sometimes doesn't even work correctly, such as their FTP fixup hole.

    The disadvantage to the Cisco PIX is that the OS is not well known and not available for download, so you will never know what exploitable holes exist. Meanwhile, Cisco engineers and any uber-crackers who have obtained copies of PIX source code can root you at will :-)

    Sure, BSD has had a few holes, but most of those are related to software you don't need installed on your firewall. Or you load OpenBSD, and eliminate the majority of OS exploits from the problem pool.
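    The "clean packet filterer" the Anonymous Coward describes above, and the IP-Filter setup Nonesuch mentions, look like the ruleset below in practice. This is an added example for this thread, not any poster's configuration. It assumes a hypothetical two-NIC FreeBSD/OpenBSD box: fxp0 is the outside interface, fxp1 the inside one, the inside network is 192.168.1.0/24, the firewall's inside address is 192.168.1.1, and 192.168.1.10 is the admin workstation. The point it demonstrates is the one made in the comment: no rule ever passes a packet arriving on fxp0 that is not a reply to a state entry, so nothing listening on the firewall itself is reachable from outside, whatever daemons happen to be installed.

```ipf
# /etc/ipf.rules  (example; interfaces and addresses are assumptions)
# IPFilter evaluates rules top to bottom and the LAST matching rule wins
# unless a rule says "quick", so the two block rules below are the default.

block in log all
block out log all

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: nothing arriving on the outside interface may claim a
# private or loopback source address.
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 127.0.0.0/8 to any

# Management: only the admin workstation may ssh to the firewall's inside
# address. "keep state" lets the replies back out without a further rule.
pass in quick on fxp1 proto tcp from 192.168.1.10 to 192.168.1.1 port = 22 flags S keep state

# No other inside host may talk to the firewall itself.
block in quick on fxp1 from any to 192.168.1.1

# Inside hosts may send traffic that is to be forwarded.
pass in quick on fxp1 from 192.168.1.0/24 to any

# Forwarded traffic leaving on the outside interface creates state, so the
# replies are admitted on fxp0 even though the default there is "block in".
pass out quick on fxp0 proto tcp from 192.168.1.0/24 to any flags S keep state
pass out quick on fxp0 proto udp from 192.168.1.0/24 to any keep state
pass out quick on fxp0 proto icmp from 192.168.1.0/24 to any icmp-type echo keep state

# Replies admitted by state on fxp0 are routed to the inside; let them out.
pass out quick on fxp1 from any to 192.168.1.0/24

# There is deliberately no "pass in ... on fxp0" rule: the firewall offers
# no service to the outside, and originates no traffic of its own.
```

    Load it with `ipf -Fa -f /etc/ipf.rules` and inspect the active rules and counters with `ipfstat -hio`. Because the firewall itself never initiates connections under this ruleset (no `pass out` from its own address on fxp0), even name resolution from the box is blocked; that is the intended trade-off for a device whose only job is filtering.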

  • by Nonesuch (90847) on Wednesday March 28, 2001 @07:56PM (#332156)
    This topic was hashed to death in bofhnet a few weeks ago. There are good reasons to buy commercial firewalls:
    • If you are hit by a bus, they can find somebody else who knows the product.
    • By installing a well-known commercial product, you are less likely to be sued/fired when the firewall is hacked.
    • If your time is worth anything, buying a $25K firewall will be cheaper in the long run.
    • Commercial vendors sell tech support, so if something breaks during your once in a lifetime vacation to Aruba, you won't be called back to the office to fix the firewall.

    If you aren't doing this to save money, then you might just want to try to find small form-factor hardware that will run Secure Computing's Sidewinder firewall [sidewinder.com].

    Sidewinder is based on a customized version of BSD, runs on normal PC hardware, and has most of the features you'd put in if you designed your own firewall, plus it comes with a GUI so you can delegate maintenance to lesser mortals. But Sidewinder isn't cheap.

    I enjoy building my own OpenBSD firewalls, but for nearly any commercial purpose, I purchase commercial firewall products from major vendors.

  • Perhaps a good starting point is the NetBSD/i386 based firewall project at www.dubbele.com [dubbele.com].

    Disclaimer: that's my site. Contact me through email if you need assistance, I'd be happy to help you with details..

    -John

  • I work at a bank, so I'm stuck with a commercial firewall product to protect our online banking setup. It has been constant research for the last 18 months, and I have learned some scary things about what other banks are doing. Several banks are running without firewalls, or if they do have a firewall, the person responsible for it is new to internet security. We had been using the built-in firewalling on Cisco routers for our internet surfing and email access and running all our computers through a Linux proxy/firewall. The administration took a year of hearing about internet security before they decided that we needed more protection.

    We now have a Nokia firewall with CheckPoint Firewall 1 and an intrusion detection system in a locked box (thanks to Al Gore for inventing the Internet and lockboxes) that is monitored 24/7 by a security center with a dedicated encrypted connection. The Nokia is a little more than a PC, with extra software. There is quite a bit of OS hardening, management capabilities, etc. in the box itself. Obviously this did set us back a little bit but it doesn't compare to what is at stake for us. We are competing for the same people as the other area banks and if people lose confidence then we are going to be hurting.

    It all boils down to what you are protecting. If you are even considering PIX, Checkpoint, etc., then maybe you have something worth protecting. If you are only saving a few thousand dollars, then you should really reconsider the advantages of support, maintenance, time, etc., and focus on the other areas of security.

    It sounds like you are determined to continue with this, so I would suggest that you build a second machine with a different OS to protect yourself. There's a good article [daemonnews.org] on using OpenBSD as a transparent bridging firewall. The article suggests using it as a firewall in front of a router, but it would work as well as a firewall in front of another firewall. Using different OSs will make it harder to get through both, even if they are both BSD (Open, Free, Net) or even Linux. I'm looking at using OpenBSD bridge firewalls between all my branch connections and between the network and the modem pool. Using a commercial firewall that is managed gives me the time to lock the rest of the network down and jump on users for doing stupid things. Never underestimate the ability of a user to circumvent your security whenever they get a chance.

  • Box firewalls tend to be in those small boxes because people want to rack mount them etc.

    But if you're going to build your own won't it be a lot easier to stick with standard PC hardware?

    That way your time concentrates on the firewall stuff, not struggling with unusual/slightly supported hardware.
