Re: Easily configurable firewall?
From: Sebastian Ip (9scki@qlink.queensu.ca)
Date: 12/07/01
- Previous message: Peter H. Lemieux: "Re: Spam filter software"
- In reply to: Don Felgar: "Easily configurable firewall?"
- Next in thread: Johan Helsingius: "Re: Easily configurable firewall?"
- Next in thread: Scott Gifford: "Re: Easily configurable firewall?"
- Reply: Johan Helsingius: "Re: Easily configurable firewall?"
From: Sebastian Ip <9scki@qlink.queensu.ca> To: Don Felgar <dfelgar@rainierinternet.com>, focus-linux@securityfocus.com Date: Fri, 7 Dec 2001 03:06:26 -0500
On Thursday 06 December 2001 04:41 am, you wrote:
> Hello all,
>
> By way of background: I need to set up seven firewall/VPN/NAT linux
> boxes now for some small branch offices, and several more down the
> road.
>
I did a demo network for my summer job just this past summer.
> I initially looked into hardware devices, but VPN hardware is
> expensive, and there are incompatibilities between different
> implementations. (Some of the inexpensive firewall/NAT devices that
> "support VPN" actually support "VPN passthrough", which is quite a bit
> different.)
>
Part of my job with the test VPN was to look into turn-key solutions. They
were pretty expensive and there was no mention at all of any of the solutions
working with anyone else's solutions. I got the impression most of them were
using the IPSEC standard just like FreeSWAN but no one said "we are fully
compliant". So in the end you can be locked into a single vendor's solution,
which would suck a lot in the long run.
> My inclination is to avoid the administrative overhead of one VPN
> connection between each workstation (windows) and the VPN server, but
> rather to VPN once between each branch office and the VPN server. To
> do this, I'll assign each branch office a subnet in 192.168.1,
> 192.168.1.2, etc so they mesh together in the main office.
>
Nobody in their right mind would VPN each individual workstation by itself.
You would really be creating extra work. All you need is some idiot
opening a trojan and your security is gone. Remember to KISS.
> Yes, I know that a firewall would not serve as a VPN device in an
> ideal world. I'm working under a tight hardware budget and don't have
> any better ideas.
>
Actually why shouldn't the firewall be the VPN device? It already protects
your network and if it's compromised it would open your networks to all sorts
of mischief. Putting the VPN on it saves you work in keeping track of only one
set of logs and tripwire signatures, which means you can use your time to pay
more attention to the logs, maybe catching what you would otherwise have
missed.
> Anyway, my question is actually this: what's the best way to configure
> a group of Linux boxes en masse? My current thinking is that I'll
> copy all the .debs (I'm using Debian) that I want onto a cdrom, and
> then run a script on each machine that prompts for the bits of
> information that differ from one machine to the next, such as IP
> addresses, VPN config, etc, and writes them in the appropriate file.
> Any better ideas?
>
First off you are doing the VPN via Freeswan right? Your current idea seems
perfectly fine considering when I do firewalls I usually just edit this one
script I have. However I don't know if you can expect to do freeswan by
copying over packages. The last time I installed it, it required a kernel
recompile and during the recompile thingie it did the key generation and so
on. However perhaps debian has an easier way of doing this.
> TIA
> -Don
Cheers
Sebastian Ip
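Don's plan of one script that prompts for the values that differ per box, and Sebastian's "one script I edit", as an added example that belongs to neither poster: a POSIX sh fragment that validates the few per-branch values and renders a FreeS/WAN-style site-to-site conn stanza for one branch. The hub subnet 192.168.0.0/24, the rule that branch N gets 192.168.N.0/24, the documentation-range WAN addresses, and the ipsec.conf conn keys used are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout: hub office is
# 192.168.0.0/24 and branch N is 192.168.N.0/24, so branch ids cannot collide.

# Validate a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Branch ids are 1-254: 0 is the hub subnet, 255 would not be a usable /24 here.
valid_branch_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 254 ]
}

# Print one ipsec.conf "conn" stanza: the hub is "left", the branch is "right"
# (assumed FreeS/WAN conn keys: left, leftsubnet, right, rightsubnet, authby, auto).
render_conn() {
    branch_id=$1; branch_wan_ip=$2; hub_wan_ip=$3
    valid_branch_id "$branch_id" || { echo "bad branch id: $branch_id" >&2; return 1; }
    valid_ipv4 "$branch_wan_ip" || { echo "bad branch IP: $branch_wan_ip" >&2; return 1; }
    valid_ipv4 "$hub_wan_ip" || { echo "bad hub IP: $hub_wan_ip" >&2; return 1; }
    printf 'conn branch%s\n' "$branch_id"
    printf '    left=%s\n    leftsubnet=192.168.0.0/24\n' "$hub_wan_ip"
    printf '    right=%s\n    rightsubnet=192.168.%s.0/24\n' "$branch_wan_ip" "$branch_id"
    printf '    authby=rsasig\n    auto=start\n'
}

# Write one branch's stanza to a file, refusing to clobber an existing config
# so a re-run of the install script cannot silently replace a box's settings.
write_branch_conf() {
    out=$4
    [ -e "$out" ] && { echo "refusing to overwrite $out" >&2; return 1; }
    render_conn "$1" "$2" "$3" > "$out"
}
```

The prompting part of Don's script would collect the three values and call write_branch_conf once per box; the validation is what keeps a typo from producing a stanza that fails only when the tunnel is brought up.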