Why shouldn't I use OpenBSD for a firewall?

DirtylilTechBoy

Senior member
Oct 19, 2001
Anybody have any reasons to change my mind about using OpenBSD as the firewall OS for a site that needs banking-level security?

Machine will probably be an Athlon XP around 1.4 GHz with 512 megs of RAM.

Thanks for info!
 

Chaotic42

Lifer
Jun 15, 2001
I've yet to install it on my system, but I've only heard good things about it. Are you very familiar with it?
 

Rainsford

Lifer
Apr 25, 2001
Originally posted by: DirtylilTechBoy
Anybody have any reasons to change my mind about using OpenBSD as the firewall OS for a site that needs banking-level security?

Machine will probably be an Athlon XP around 1.4 GHz with 512 megs of RAM.

Thanks for info!

I don't think I'd use that system for a firewall, just a little overkill IMHO. But OpenBSD is a good firewall OS if you know what you are doing (just like any OS).
 

Buddha Bart

Diamond Member
Oct 11, 1999
I think if I had banking-level important information, I'd have IT staffers who knew what a real firewall was.

bart
 

Derango

Diamond Member
Jan 1, 2002
Originally posted by: Rainsford
Originally posted by: DirtylilTechBoy
Anybody have any reasons to change my mind about using OpenBSD as the firewall OS for a site that needs banking-level security?

Machine will probably be an Athlon XP around 1.4 GHz with 512 megs of RAM.

Thanks for info!

I don't think I'd use that system for a firewall, just a little overkill IMHO. But OpenBSD is a good firewall OS if you know what you are doing (just like any OS).

Just a little overkill? That system is about 4-5 times more than what you need for a firewall.

 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Buddha Bart
I think if I had banking-level important information, I'd have IT staffers who knew what a real firewall was.

bart

OpenBSD can be a great firewall.

Depending on your ruleset and your network speed, that may not be as much overkill as you all seem to think :p
 

DirtylilTechBoy

Senior member
Oct 19, 2001
My hosting company will set up our firewall on any operating system we want. The system specs are only a guess. If I don't really need that big of a firewall, what would I need for a site that expects huge traffic (no bs) and will probably have a million or so members. Would I be better off with less processor and more RAM, or just less of both?? Does the type of hard drive (IDE, SCSI) matter??

I'm pretty much set on OpenBSD... it's either OpenBSD, FreeBSD, or one of the Linux flavors, probably Slackware, Debian or Red Hat. There will be about 12-14 servers on the network, with some being W2K, FreeBSD, Linux, OpenBSD.

W2K - ColdFusion, SQL
FreeBSD - file server
Linux - email (Qmail)
OpenBSD - firewall

Am I headed in the right direction? I don't plan on taking any action for about 6 months, and I learn quick.

I can already install each OS on a computer, but I have yet to set up anything other than a Windows-based network. I won't be admining the site anyway, but I'm just trying to know what is going on....

Someone mentioned

"I think if I had banking-level important information, I'd have IT staffers who knew what a real firewall was."

bart


What is a real firewall then? I thought an Athlon XP with 512 megs of RAM and OpenBSD running the show was about as good as it could get for a firewall. Would a gig of RAM be better? The machine will have gig NICs as well.

Could I have three NICs installed, one getting the internet connection, and the other two going to separate networks?? For instance, could I have the net connection going to the OpenBSD machine, have one NIC on the firewall go to a *NIX-based network and the other NIC on the firewall going to a Windows-based network?

Thanks for the feedback. It helps my headaches.

 

n0cmonkey

Elite Member
Jun 10, 2001
Read up on setting up a DMZ.

As far as hardware goes, I would do something along the lines of:

P3 933+
512MB-1GB RAM
20GB+ SCSI drive
Intel network cards
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Buddha Bart
http://www.nokia.com/securitysolutions/network/availability.html
http://www.checkpoint.com/products/protect/firewall-1.html
http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm

More RAM on an x86 machine wouldn't help at all. Ideally your packets would never leave CPU cache.

What's this setup/cluster for? You should tackle your firewall/load balancing/high availability all at once.

bart

Checkpoint... Arguably the Microsoft of Firewalls. Expensive, pain in the butt, and not the most effective. If you want to spend money on a good firewall, look at Raptor (Symantec) or Sidewinder. If you want brand recognition and a lot of overtime, get Checkpoint ;)
 

nuttervm

Golden Member
Nov 13, 1999
As an addendum to what n0c said, if you wanted a commercial firewall I'd use Sidewinder. Not only have I heard it's the best, but I believe it is based off of BSD software :)

If you plan on having that many visitors to your site then the machine is not necessarily overkill. You won't need that much RAM, but it's better to have too much rather than too little. I use a P133 with 32 MB RAM on my OpenBSD firewall and it is quite fast and quite sufficient.

I echo n0c in saying that you should set up a DMZ if this is a real full-fledged network, i.e.:

internet --- firewall --- web/mail/coldfusion servers --- firewall --- internal corporate network.

Or at least that's the basic idea behind a DMZ. You want to separate your classes of machines so in case one gets hacked, the whole network isn't compromised. Read up on the concept, it's important to know.
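
The separation discussed in this thread, sketched as a pf.conf for a single OpenBSD firewall with three interfaces (internet, DMZ, internal); this is an added example, not part of any post above. Interface names, addresses and the published ports are constructed placeholders, and the syntax is that of current OpenBSD pf.

```conf
# Constructed example: every name and address below is a placeholder.
ext_if   = "em0"              # leg to the internet
dmz_if   = "em1"              # leg to the public web/mail servers
int_if   = "em2"              # leg to the internal network

dmz_net  = "192.0.2.0/24"     # documentation range standing in for routed server addresses
int_net  = "10.0.0.0/24"
web_srv  = "192.0.2.10"
mail_srv = "192.0.2.25"

set block-policy drop
set skip on lo

# Normalise incoming packets and reject spoofed sources on the inside legs
match in all scrub (no-df random-id)
antispoof quick for { $dmz_if $int_if }

# Internal hosts reach the internet behind the firewall's external address
match out on $ext_if inet from $int_net nat-to ($ext_if)

# Default deny; the last matching rule wins, so the passes below are the exceptions
block log all

# Policy is enforced where a packet enters the firewall; whatever passed
# inbound on one leg is allowed to leave on another
pass out

# Internet -> DMZ: only the published services
pass in on $ext_if inet proto tcp from any to $web_srv  port { 80 443 }
pass in on $ext_if inet proto tcp from any to $mail_srv port 25

# Internal -> DMZ: administration over SSH only
pass in on $int_if inet proto tcp from $int_net to $dmz_net port 22

# Internal -> internet
pass in on $int_if inet from $int_net to ! $dmz_net

# DMZ -> internet: outbound mail and DNS lookups, never toward the internal net
pass in on $dmz_if inet proto tcp from $mail_srv to ! $int_net port 25
pass in on $dmz_if inet proto { tcp udp } from $dmz_net to ! $int_net port 53

# No rule passes traffic from $dmz_if or $ext_if to $int_net, so a compromised
# DMZ server cannot open connections into the internal network.
```

The ruleset can be syntax-checked without loading it using `pfctl -nf` on the file.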
 

Nothinman

Elite Member
Sep 14, 2001
We have a SideWinder at work and they flew in to give us a class on it and it's a really nice system, the GUI is all done in Python and there's CLI equivalents of every GUI program. Pretty much everything's separated so any break-in on a single point won't affect anything else. And yes it is based on BSD/OS.