Thanks Ken, Rich, Scott, JD, Raj. The story of how me and my coworker, Al, fell into this is a long one. Let's just say our main network guy took off a few months back. Nothing was documented about the network. We are a 10-person marketing team with 2 developers. I am one of two web/app developers. Al is the other developer. My networking skills only includes running Apache and Nginx at home for Web/proxy stuff and flashing my Cisco Linksys router with dd-wrt firmware.<div>
<br></div><div>We eventually hope to get someone more qualified to handle the implementation, but Al and I were voted most capable of at least architecting a good design. Our grand plan is use our software development techniques, which is to read as much as we can--TCP/IP Guide, Network Warrior, Network Flow Analysis, etc--and compile a list of designs/patterns that should give us good performance and fantastic security. Our understanding of the tools is limited, but security analysis can be done independently of the medium data has to flow through (we think). After that, we can at least look like more than fools in front of the actual experts.</div>
<div><br></div><div>In the meantime, the dying firewall has been replaced by a Cisco box running dd-wrt (VPN version). We are using the VLAN capability to implement a DMZ and a Cisco wireless access point to do wireless stuff until we can come up with something better. Hopefully, in the future we can have another firewall built that may be running pfSense or something else.</div>
<div><br></div><div>This is actually turning out to be a fun exercise. The Network Flow Analysis book by Michael Lucas is great. Seeing how packets travel from place to place is really exciting stuff. Software development seems boring in comparison.<br>
<div><br><div class="gmail_quote">On Thu, May 5, 2011 at 11:46 PM, Ken Price <span dir="ltr"><<a href="mailto:lists@nettwrek.com">lists@nettwrek.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<p>David,</p>
<p>You're asking a bunch of unrelated questions that would take days explaining, so lets just concentrate on the firewall piece since you say it's dying. The answer is simple. Buy an expensive commercial one and be limited in functionality and tied to licenses, with the benefit of [theoretically] quick commercial support and stability. Or, build one from scratch that's catered to your needs and can be easily and cheaply extended in the future ... at the substantial cost of in-house knowledge. As another poster mentioned, look at Vyatta. Runs on commodity hardware, gives you VRRP capabilities for failover between devices, openvpn client/server integration, built in IDS/IPS using snort, IPV6 capable, Webgui management interface and/or CLI, has a free community edition and/or licensed with paid support. Best of both worlds.</p>
<p>Openvpn and AD integration? Possible? Yes. Easy and Free? No.</p>
<p>At the end of the day, what is your skillset and your ability? If you can get all this working in short order and easily maintain it, document it, and easily pass it on to another linux admin should you die or leave the company, then by all means build your own. If you've never heard of VRRP, CARP, or don't have a sound understand of routing and VPN's, then let your boss by the expensive one. It's not your money and doesn't set you up for failure.</p>
<p>Regards,<br><font color="#888888">Ken</font></p><div><div></div><div class="h5">
<p> </p>
<p> </p>
<p>On Thu, 5 May 2011 13:36:26 -0400, David Hillman wrote:</p>
<blockquote type="cite" style="padding-left:5px;border-left:#1010ff 2px solid;margin-left:5px;width:100%">
<p>Our firewall is close to dead. My boss wants to buy an expensive one. I think it's better to build. We had problems extending the old firewall, plus it would give us a chance to actually have OpenVPN on the firewall box itself. The trouble is figuring out how to get to a working solution that's flexible and affordable. Should we go with a trihomed solution? Should OpenVPN then listen on all interfaces, or just the external one? How does this all fit in with our Active Directory and DNS server? Can OpenVPN easily deal with Active Directory? How should packets be routed from the VPN connection to the internal network and to the DMZ? Should we go with a powerful little box that has iptables on the hardware and something like Virtualbox + PHPVirtualbox for everything else? By the way, we were using a Secure Computing box before.</p>
<div></div>
<div>The AD box can then be virtualized and consolidated inside the one physical box. Our web box (virtualized) and file server box would still stay separate. Then, how do we tie the virtualized AD service back into the LAN? Through the internal network interface via virtual switch? What are the chances of the firewall box failing? Of course, we were thinking of a Mini-ITX board with Intel Atom (no fans) and RAID 1 SSD drives. Are there any good books dealing with issues like these? I can understand buying to save time, but how many headaches do you have to put up with down the road</div>
</blockquote></div></div><br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br></div></div>