John Colby
jwcolby at ColbyConsulting.com
Mon Oct 10 15:12:13 CDT 2005
PC Tech,

First, let me say that a signature is a good thing. ;-)

Second, I understand (or have heard) everything that you say. I make no attempt to evaluate the effectiveness of a custom built firewall vs. an off the shelf (software) solution; however, I would like to point out that your manual being 100 pages, including screen shots, about says it all for me. You are a network engineer. I am not. Your document may in fact be for the beginner, but if I need 100 pages including screenshots, why would I do that? When I work I earn enough that in a couple of hours I could go buy a $200 box from one of the people who build routers / firewalls. I would need to enjoy the task to read a 100 page manual to set up my firewall.

I could write a 100 page manual for designing databases for the complete novice as well, but when they were done building the database they would still be a complete novice, and when anything went wrong they would be up the crick. I think it is naive to think that a complete novice can build and MAINTAIN a custom built firewall when just the concepts of what a firewall is and how and why you do this stuff require a network engineer to TRULY understand.

I am a smart guy. I have read a lot about that stuff, and the more I read the less I want to do that. I do databases, not networks, and not firewalls. I want to buy a firewall that works. I want to turn it on and forget about it. I don't want to read 100 pages including screen shots only to have something go wrong and have to get you on chat to figure out what is happening.

As I said, I am a database analyst / programmer. I know more than most people will ever know about Access and database design, but I spent decades getting where I am in the area I specialize in (as I am sure you did as well). I am attempting to learn .NET and specifically web based database design. That is where I will earn my paycheck in a year or so. I am not going to spend hours turning an old PC into a firewall.
100 pages including screenshots is a non-starter. I said, and I truly mean, if you design a CD that I plug in, run the install, and reboot, and I am up and running a first class firewall (and it is cost effective), I will do that. But that is just my personal opinion, so don't take it personally. And I absolutely encourage you to assist people in building firewalls from scratch; it sounds like a good idea for some people.

John W. Colby
www.ColbyConsulting.com

Contribute your unused CPU cycles to a good cause:
http://folding.stanford.edu/

Let me correct a couple of misconceptions.

The first one is that the document I created is designed for a non-engineer to begin with. It is designed for "joe user". It has step by step instructions, including screen shots.

The second is that "real" firewalls don't have hard drives. In fact, a large percentage of "real firewalls" are PC based and do have hard drives in them. For instance, the Nokia firewalls are exactly a PC with a hard drive. There are, however, also firmware based firewalls. It is trivial to build a firmware based Linux firewall as well.

The third is that the PC will not turn back on after a power failure. Most of the modern BIOSes in PCs have a "resume on power failure" option in them for just that occurrence. It restarts the PC, providing it was on to begin with, in the event of a power failure.

The fourth is that you have some sort of video to deal with. Linux itself is designed to operate in a headless mode. This means that it will operate just fine without a keyboard, mouse, and monitor attached to it and can be administered remotely. It works like this "out of the box".

The fifth is that you need some heavy hardware to run your firewall. Even my home firewall is EXTREME overkill. It is a Pentium III 933MHz with 512M of RAM and a 20GB hard drive. That system can process enough traffic to saturate a T3 line. A Linux firewall will run just fine on a Pentium or Pentium II platform.
The thing you seem to forget is that ANY firewall is only as secure as the operating system it is run on. By and large, any Unix or variant is more secure than any Windows platform out of the box. Take into account, also, that Linux is much easier to secure than Windows is. Add to that that you do not need to reboot Linux when doing any sort of OS update, with the exception of the kernel itself. It becomes a "no brainer".

Don't get me wrong. I like Windows and am an MCSE. However, everything has its place. Firewalls are no place for Windows.

My document explains, in great detail (over 100 pages including screen shots), how to build a Linux firewall. With the exception of some of the initial build steps, it is 100% administered via a web interface and a graphical interface remotely. This document also gives instructions on adding a transparent web cache/proxy and content filtering system to it, specifically with home users with children in mind. One of the next things I will be adding to the document in the next revision is antivirus capabilities for the content filter.

With the firewall I built, and have in place, I have never had a virus either, and I don't even use anti-virus software. That is due partially to the firewall, and partially to the manner in which I practice "safe computing".

If you want to continue using your Windows based firewall, I say go for it. But never think that it is the best solution, and always remember, the manner in which the Titanic was built was "good enough".

--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com