1. Application-level gateway (SOCKS5) with authentication and granular controls such as time, date, etc. Today's firewalls need more than just packet filtering; most use a combination of application proxy and packet filter.

2. A more unified approach to authentication/identification. Most of us are moving away from RADIUS and using LDAP as the authentication method, since one server can authenticate/identify and provide directory access for the company. OpenLDAP and Netscape would be a great choice for compatibility engines. This can be done through an encrypted tunnel.

3. Real-time data, especially for VPN tunnels: who they are (user/group), where they are coming from, where they are going, what time they connected and how long they have been connected, and a way to view the raw data after the encrypted packets are unwrapped. The Nortel Contivity switch does a great job of this, as does Check Point NG. Also the ability to disconnect a VPN tunnel manually or via a timer: user Greg or group greg can only stay connected for 30 minutes at a time, or VPN tunnels from IP x.x.x.x, or from x.x.x.x to x.x.x.x, can stay connected for 1 hour.

4. Highly redundant (clusters) with load balancing and full failover, even for VPN tunnels. Our Check Point can do this; it's very neat and reduced customer calls by 60%. If a user is VPN'd into server A and server A fails, then server B, C, D... will pick up the tunnel without the user having to dial back in or any user intervention for that matter. You have to sync the state tables amongst the cluster members; that is done on the private rail or can be done via serial. OpenBSD PF has a module for this, pfsync. Perhaps the HUT project could help with this on the FreeBSD code. Also the ability to add or remove a node from the gateway cluster via the admin interface; Rainfinity and ServerIron do a great job of this. HUT project: http://www.bsdshell.net/

5. Integral and performance monitoring/notification. The MIDAS project would be a nice incorporation: http://midas-nms.sourceforge.net/

6. One does not always want data acquisition on a firewall; however, there are certain instances where it is very rewarding. It's nice to have real-time info on those damn script kiddies. Perhaps a Prelude solution. It would be nice to see the real-time data via the admin interface, but storing that info on a firewall is outright ludicrous. I would push that data to a storage center such as a Prelude console for data forensics.

7. A user interface via an application instead of the web. Check Point slays the competition in this. As a network security engineer I can't understand why anyone wants a web interface... yes, it's easy, but at the cost of security, even on the internal rail. Also, writing an application GUI would make real-time data acquisition feasible instead of doing HTML updates every X seconds. Boa Constructor might be a good RAD tool for this, and Python's power would shine. The GUI could use sshd as its underlying transport so a UI daemon interface would not have to be reinvented.

8. Switch the core to OpenBSD. It's a firewall, right? OpenBSD just has better code audits, and they are the ones that own the frontier when it comes to security and reliability. It just makes sense, when you're building a firewall, to use the best options. I would at least dump IPF for PF, as PF is just amazing with its flexibility, scalability, ability and onslaught of perfection. We reduced our cost by 35% just by using PF. Our traffic ambiguity errors are over. We have never failed an audit using OpenBSD, and as an admin/engineer you sleep better at night knowing that your gates are protected by the best of the best. Personally I think FreeBSD does a better job in situations like HTTP servers, and I use it as such. It's rather simple semantics: use the best in the field you are working in, and OpenBSD is the leader in security. IMHO!

Just rants; I am not bashing m0n0 at all. As I mentioned, I see it as a possible choice to free us peasants from corporate sluts like Check Point, Nokia, Cisco...

Having been in the network security industry for many moons now and having used many different OSes and firewall code packages made me want to try and make something like m0n0 but on the OpenBSD code. I was surprised to see a project so rewarding and thought I would take the time to try it and offer suggestions... just suggestions. Thanks Manuel for all the hard work and the inspiration.

God Bless
Easy~T

PS: If anyone is interested in forking (with Manuel's permission) an OpenBSD-derived version of m0n0 with some of the above changes/additions etc., please contact me.
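As an added example, not taken from the post above or from the m0n0wall project: the state-table synchronisation that item 4 refers to (pfsync plus CARP for the shared gateway address) looks like this on an OpenBSD PF firewall pair. The interface names em0/em1/em2, the 192.0.2.0/24 addresses and the CARP password are placeholders assumed for the illustration; the second node gets the same files with a higher advskew.

```conf
# /etc/hostname.em2 -- dedicated sync link (the post's "private rail"),
# a crossover or isolated VLAN between the two firewalls only.
inet 10.0.0.1 255.255.255.0 NONE

# /etc/hostname.pfsync0 -- replicate PF state over the sync link.
# pfsync updates are neither encrypted nor authenticated, which is why
# they must never ride on a shared segment.
up syncdev em2

# /etc/hostname.carp0 -- shared external address; advskew 0 on the
# master, a larger value (e.g. 100) on the backup node.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass s3cret advskew 0

# /etc/sysctl.conf -- when one CARP interface on a node fails, demote all
# of that node's groups so both sides of the firewall fail over together.
net.inet.carp.preempt=1

# /etc/pf.conf (relevant fragment)
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

# Let the two nodes talk pfsync and CARP, but do not replicate the
# states for that traffic itself (no-sync).
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $int_if } proto carp keep state (no-sync)

# Ordinary rules below this point create states that pfsync mirrors to
# the peer, so an established session survives a master failure.
```

Because the synced states are plain PF states, a plain TCP or ESP flow survives failover; a VPN daemon's own SA/session state (IKE, PPTP, etc.) is a separate problem that pfsync does not solve on its own.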