“Like almost all things in life, good security costs good money. It has to be that way, because there are simply not enough skilled security specialists to look after all of the networks that need their attention. An unfortunate result of low supply and high demand is the migration of highly skilled personnel to clients who can meet their salary requirements. This leaves a lot of small and underfunded networks in the hands of less experienced administrators, who might not know how to design, configure, and monitor these networks’ safety mechanisms, leaving them vulnerable to attacks from unscrupulous people looking for inside information, free warez storage, zombie hosts for DDoS attacks, or systems they can simply destroy for the fun of doing it.” Read the rest of the article at O’Reilly.
OpenBSD seems like a good choice for securing small to medium-sized networks. It is an excellent OS when security is the prime focus. ipfilter is simple to configure under OpenBSD and I believe the ruleset is fairly portable.
I am surprised there was no mention of “FreeBSD” in the article, since ipf also works under it (although I am not sure if ipf supports bridging under FreeBSD).
http://www.freebsdforums.org
Yes, ipfw supports bridging under FreeBSD.
I would like to try this with FreeBSD – what is the minimum requirement on RAM? Further, will a 486/66 do..?!
Further, can this be achieved with a Linux boot floppy as well, or does the firewall eat up too much space? There are already basic FWs included with those Linux floppy routers…
Yup, why not, and especially with a self-made kernel containing patches from http://www.grsecurity.net/ you are immune against a lot of exploit techniques, as those techniques plain don’t work because they are forbidden at the kernel level.
Turning on all of those anti-exploit-measures is of course not suitable for desktop systems but should be feasible on a server as on my firewall.
I guess TrustedBSD has some similar features but I’m not 100% sure what it really includes. GrSecurity is by all means the best security patch you can apply to your Linux kernel.
Uhh.. thanks I had a good laugh… :-p
This Grsecurity-stuff sounds absolutely interesting, only, being a n00b, I wouldn’t even know about the first key stroke…. I think I’ll have to stay with Zonealarm behind my fli4l router (www.fli4l.de).
Laugh about what?
Me using “moo” as a name and mail-addy?