[ previous ] [ next ] [ threads ]
 From:  "Chad R. Larson" <clarson at eldocomp dot com>
 To:  Andres Petralli <apetralli at icu dot unizh dot ch>
 Cc:  m0n0wall developer's list <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] UPNP
 Date:  Mon, 24 Oct 2005 18:10:27 -0700
Andres Petralli wrote:
> On 25.10.2005, at 00:38, Chad R. Larson wrote:
>> We are a multi-national company with about 7000 employees.  The very
>> first firewall an outsider sees (or, rather, doesn't see) is a
>> m0n0wall/Soekris box.  Perhaps that is why I value security so highly.
> I highly doubt that all your 7000 employees run over that box. Maybe  
> you use those boxes to connect subsidiaries of your company which may  
> be connected together over conventional ADSL or other cheap internet  
> lines. Whatever... there are always exceptions.

You can doubt whatever you want.  The m0n0wall is the outer firewall for 
a DMZ.  It's currently eating an average of 3 Mbps (peaks to 100).  All 
our traffic (email, web, ftp, etc.) with the outside world goes through 
it.  Also, several hundred interactive ssh sessions for our ASP customers.

We have other connectivity between our offices for internal 
communications, mostly DS3's.

> The fact that enterprise routing protocols like bgp4+, ISIS and ospf  
> are missing and that there is no way to cluster m0n0walls for  
> redundancy are clear indications, that it is not meant for this high  
> profile kind of enterprise use. If all your 7000 employees depend on  
> that single box, well then I really wouldn't like to have your job!

We have a hot spare, and a (non-statefull) switchover to it.  The 
m0n0wall on each is configured to do MAC spoofing on the LAN and WAN 
interfaces, so the switchover doesn't affect either the machines on the 
DMZ or our ISP (AT&T).

The Soekris net4801 we are using has no moving parts and very 
conservatively rated components.  Would you rather have a machine with a 
spinning disk and fans?

> In m0n0wall everything, or at least most of it is built around NAT  and 
> using the box as a router for internet lines where only one ore a  few 
> IP addresses are available. This already does disqualify it as a  
> solution for medium and bigger sized companies.

Nah.  NATing is just another thing it can do, not it's reason to exist. 
  Ours just passes our Class C traffic (205.159.99.x) on through. 
Besides, it's not limited to just a few addresses.  It can NAT huge 
blocks of addresses if you like.

> Other things like PPPoE also indicate, that m0n0walls target user
> group is rather the adsl and cable ISP user than companies that
> connect their network to carriers with fibre lines.

Again, just another feature we don't use.  Like captive portal.  Those 
things came late to the party, after Manual started accepting 
enhancements from his user base.  I don't think their existence defines 
the audience for the system.  Which is why all the discussion of m0n0 
2.0 being more modular.  I've got no use for the captive portal code, 
but might like more statistics collection.

> But hey, maybe this is the whole point about this discussion. Maybe  the 
> developers here should define what m0n0wall is about and who the  target 
> audience is, wheter it should be a cheap but powerfull  firewall/router 
> for everyone or a true substitute to checkpoint  firewalls and cisco 
> routers.

We have a Sun E250 with hardware encryption acceleration running 
Checkpoint Firewall1 for the inner firewall on the DMZ.  It is also our 
VPN endpoint.

The outer firewall has a different function.  It has to terminate the 
line from AT&T.  It has to block RFC-1918 traffic.  It has to keep out 
source addresses from our Class C block (spoofed).  It protects from 
some forms of denial-of-service.  It blocks multicast inbound.  I see no 
reason at all why I should by a $10,000 box for that job, when a $300 
one will do.  That would be irresponsible.

> Personally I think that it is futile to  try to replace the 
> later ones and that you can't build a box for home  and soho use while 
> also building the same system towards enterprise  usage.

Again: Modular.

> But I'm fine with a box that is geared towards enthusiast rather than
> towards enterprises. 

If you just want a NATing firewall/router for home, buy a $50 Linksys.
If you want to play with the innards, visit http://openwrt.org/ or the like.

> This is where m0n0wall really could find a solid user base.

I think it already =does= have a solid base.

I guess what's torquing my tool is the implication that a 
m0n0wall/Soekris is somehow "not a =real= firewall".  For what we're 
doing with it, I would never deploy something from Cisco.  Too much 
money.  Too hard to administer.  Semi-flaky operating system (IOS vs 
FreeBSD?  Ha!).

Chad R. Larson (CRL22)    chad at eldocomp dot com
   Eldorado Computing, Inc.   602-604-3100
      5353 North 16th Street, Suite 400
        Phoenix, Arizona   85016-3228


Information transmitted by this e-mail is proprietary to MphasiS and/or its Customers and is
intended for use only by the individual or entity to which it is addressed, and may contain
information that is privileged, confidential or exempt from disclosure under applicable law. If you
are not the intended recipient or it appears that this mail has been forwarded to you without proper
authority, you are notified that any use or dissemination of this information in any manner is
strictly prohibited. In such cases, please notify us immediately at mailmaster at mphasis dot com and
delete this mail from your records.