Glen the RAQ550 have iptables, you could configure a firewall with iptables. The only thing that you have to do is to learn more about iptables and configure the rules of the security of the server.
Mario Castillo
On Wed, 2004-05-05 at 18:22, Glenn Harper wrote:
> Since the Security mailing list is possibly going to end soon, can anyone
> advise me on a good inexpensive hardware firewall for the Raq550, or
> enlighten me as to the advantages of using one of the various security
> packages such as Michael and Zeffie offer. Anyone have any experience with
> the Hotbrick or Cisco Pix firewall routers?
>
Well in a denial of service situation a software firewall that ends up
doing significant logging will completely tie up your machine, been
there. I use gShield here and there in less critical situations and
have used it on the Raq4 in the past. It's easy to use and well
documented.
My preferred choice for small appliance firewalls is the NetScreen GT.
Reasonably priced, full featured, very fast and can run in a bridging
mode for simple drop-in in front of existing machines with no
readdressing requirements. Filtering is done at basically wire speed in
ASICs. There are all kinds of DOS attack protection and traffic
shaping/limiting features that makes this solution more robust than a
software firewall on the host. It still costs hundreds of dollars but I
could probably buy 15 of these boxes each year for what it costs me in
software maintenance for one Checkpoint FW-1 license. There is not much
sacrificed in terms of features and functionality either, the only issue
is one of scale, i.e. interfaces and IPs allowed on the inside.
> I hate to throw in the towel on my Cobalts (I've been using them for about 6
> years now), but a recent hacker attack and the lateness of patches has me
> losing sleep these days.
>
I started loosing sleep a year ago and I am not sure why people are
still clinging on to this stuff. The writing has been on the wall for a
long time, security patches were coming at a pathetic pace even two
years ago. All the OS versions are way out of date and there is no
point in patching old stuff for ever and ever. I sense there will be a
dead-end at some point where some back ports will be too difficult.
Application level attacks will be an issue with the Cobalt boxes,
firewall or not so I would bail sooner than later.
I have slowly been replacing all the Cobalt machines and two remaining
ones will go VERY soon, hence I don't care about the demise of the lists
etc. I bought a bunch of bare 1U Asus machines with IDE trays, moved
the Raq4r drives over, added some ECC memory and a 2.4G P4, installed RH
ES V.3 and migrated all the stuff over. I am happy to give RedHat a bit
of cash for very timely security updates and the time savings associated
with not having to roll my own updates. I would have happily given that
money to Sun if they could have ever gotten their heads around a decent
support model . . . In the end this gives a very supportable cost
effective solution that is up-to-date, secure, faster and more robust.
Fortunately we were using the Cobalts as fairly generic machines and
didn't leverage heavily off the Cobalt's proprietary components so the
move was not that painful, others may experience major pain . . .
Hope this is of some use . . .
Eric
> Any information on affordable proven security products would be helpful.
>
> Regards,
> Glenn Harper
> Phone:361-727-1753
> http://www.rockportnet.com/
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security