[AccessD] OT: Firewall

pctech at mybellybutton.com pctech at mybellybutton.com
Mon Oct 10 15:40:02 CDT 2005


John Colby <jwcolby at colbyconsulting.com> wrote on 10/10/2005, 10:12:13
PM:
> PC Tech,
> 
> First, let me say that a signature is a good thing.  ;-)
> 
> Second, I understand (or have heard) everything that you say.  I make no
> attempt to evaluate the effectiveness of a custom built firewall vs. an off
> the shelf (software) solution, however I would like to point out that your
> manual being 100 pages, including screen shots about says it all for me.
> You are a network engineer.  I am not.  Your document may in fact be for the
> beginner but if I need 100 pages including screenshots why would I do that?
> When I work I earn enough that in a couple of hours I could go buy a $200
> box from one of the people who build routers / firewalls.  I would need to
> enjoy the task to read a 100 page manual to set up my firewall.
> 
> I could write a 100 page manual for designing databases for the complete
> novice as well, but when they were done building the database they would
> still be a complete novice and when anything went wrong they would be up the
> crick.  I think it is naive to think that a complete novice can build and
> MAINTAIN a custom built firewall when just the concepts of what a firewall
> is and how and why you do this stuff requires a network engineer to TRULY
> understand.  I am a smart guy.  I have read a lot about that stuff, and the
> more I read the less I want to do that.  
> 
> I do databases not networks, and not firewalls.  I want to buy a firewall
> that works.  I want to turn it on and forget about it.  I don't want to read
> 100 pages including screen shots only to have something go wrong and have to
> get you on chat to figure out what is happening.
> 
> As I said, I am a database analyst / programmer.  I know more than most
> people will ever know about Access and database design, but I spent decades
> getting where I am in the area I specialize in (as I am sure you did as
> well).  I am attempting to learn .NET and specifically web based database
> design.  That is where I will earn my paycheck in a year or so.  I am not
> going to spend hours turning an old PC into a firewall.  100 pages including
> screenshots is a non-starter.
> 
> I said, and I truly mean, if you design a CD that I plug in, run the
> install, and reboot and I am up and running a first class firewall (and it
> is cost effective), I will do that.  
> 
> But that is just my personal opinion, so don't take it personally.  And I
> absolutely encourage you to assist people in building firewalls from
> scratch, it sounds like a good idea for some people.
> 
> John W. Colby
> www.ColbyConsulting.com 
> 
> Contribute your unused CPU cycles to a good cause:
> http://folding.stanford.edu/
> 
> Let me correct a couple of misconceptions.  The first one is that the
> document I created is designed for a non-engineer to begin with.  It is
> designed for "joe user".  It has step by step instructions, including screen
> shots.  The second is that "real" firewalls don't have hard drives.  In
> fact, a large percentage of "real firewalls" are PC based and do have hard
> drives in them.  For instance the Nokia firewalls are exactly a PC with a
> hard drive.  There are, however, also firmware based firewalls.  It is
> trivial to build a firmware based Linux firewall as well.  The third is that
> the PC will not turn back on after a power failure.  Most of the modern
> BIOSes in PCs have a "resume on power failure" option in them for just that
> occurrence.  It restarts the PC, providing it was on to begin with, in the
> event of a power failure.  The fourth is that you have some sort of video to
> deal with.  Linux itself is designed to operate in a headless mode.  This
> means that it will operate just fine without a keyboard, mouse, and monitor
> attached to it and can be administered remotely.  It works like this "out of
> the box".  The fifth is that you need some heavy hardware to run your
> firewall.  Even my home firewall is EXTREME overkill.  It is a Pentium III
> 933MHz with 512M of RAM and a 20GB hard drive.  That system can process
> enough traffic to saturate a T3 line.  A Linux firewall will run just fine
> on a Pentium or Pentium II platform.
> 
> The thing you seem to forget is that ANY firewall is only as secure as the
> operating system it is run on.  By and large, any Unix or variant is more
> secure than any Windows platform out of the box.  Take into account, also,
> that Linux is much easier to secure than Windows is.
> Add to that that you do not need to reboot Linux when doing any sort of OS
> update, with the exception of the kernel itself.  It becomes a "no brainer".
> 
> Don't get me wrong.  I like Windows and am an MCSE.  However, everything has
> its place.  Firewalls are no place for Windows.
> 
> My document explains, in great detail (over 100 pages including screen
> shots), on how to build a Linux firewall.  With the exception of some of the
> initial build steps it is 100% administered via a web interface and a
> graphical interface remotely.  This document also gives instructions on
> adding a transparent web cache/proxy and content filtering system to it.
> Specifically with home users with children in mind.  One of the next things
> I will be adding to the document in the next revision is adding antivirus
> capabilities to the content filter.
> 
> With the firewall I built, and have in place, I have never had a virus
> either, and I don't even use anti-virus software.  That is due partially to
> the firewall, and partially in the manner in which I practice "safe
> computing".
> 
> If you want to continue using your Windows based firewall, I say go for it.
> But never think that it is the best solution and always remember, the manner
> in which the Titanic was built was "good enough".
> -- 
> AccessD mailing list
> AccessD at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/accessd
> Website: http://www.databaseadvisors.com
> 

Actually, using a "live" CD it WOULD be trivial to build a firewall based
on a "boot CD".  But would you REALLY want to?  Think about it.  That
"live" CD wouldn't have updates on it.  This means you'd have to have a
new "live" CD every time that you wanted to update the OS on the
firewall.  This is a non-starter without some sort of subscription
service.  This sorta defeats the whole purpose.

Without the screen shots, the document itself is less than 30 pages.
The screen shots themselves take up a lot of real estate in the
document.  The screen shots were done with usability in mind.  How
many times have you read a book on something and thought, "I wish I
could see what they were talking about"?  These screen shots obviate
that statement.

You misunderstand.  You think I am taking it personally.  I'm not.
However, when someone who doesn't do this for a living tries to correct
me on something that I do on a daily basis, I will correct them.  Just
as I'd expect that you would if I were to make some off-base
development comment.  You are the one that seems close-minded about
this, without even having seen the document, I might add.
