New Zealand ADSL Mailing List


RE: ADSL, IPSEC , LRP, and pinholes

From: rob.edkins_at_axon.co.nz
Date: Mon, 16 Oct 2000 15:55:52 +1300
Message-ID: <42CCA0F98530D111A77900805F0D52B3024B6578@AX-AKL-EXCHANGE>

Hi Nicholas,

Nicholas Lee
>
> > Then you can do it at the router, no need to bridge or
> > route it inward.
>
> That depends if you want to do it yourself or not.
>

Well, if you configure the device, you ARE doing it yourself.

I guess the question is "can the router be made secure"?

If not, then I agree, an internal firewall is a good idea.

I have no philosophical problem with the access device and the security
device being in the same physical piece of hardware. (This means you only
have to focus on one security policy for one thing).

Like you, I would want the security management to be flexible, comprehensive
and secure.
Being implemented in a router doesn't necessarily mean that this isn't the
case.

> > The WebRamp has Checkpoint Firewall 1 Small Office built
> > in. VPN-1 is
> > supposed to be available early next year.
>
> Not sure I like the idea of using checkpoint. Whatever the
> case I'll have a
> openbsd box in the way.
>

As far as I could see, most of the well-publicised exploits against the full
blown CheckPoint at this year's Black-Hat conference were related to
configuration issues. (And the presenters made the point that their
demonstration could just as easily have been effective on other firewalls).

Properly configured, Checkpoint is still a pretty hard nut to crack.

I don't know about the Small Office version, but the big one certainly can't
compete with OpenBSD on price though!

(Unless you count your time developing the expertise to configure it
properly as valuable - that's a hard one to quantify).

Whatever... terminating the IPSec tunnel at the router does get around the
problem with NAT and Authentication headers.
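To show the AH-and-NAT problem the last paragraph refers to, here is an added Python model (not from the list, nor from any of the products mentioned): the AH integrity value covers the source address, so a NAT rewrite on the way out invalidates it, while the ESP integrity value does not cover the outer header, and moving the tunnel endpoint onto the router removes the NAT hop altogether. All addresses, the key and the payload are constructed, and header coverage is simplified to the two addresses.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"     # constructed shared integrity key
INSIDE_HOST = "192.168.1.10"      # constructed private host behind the router
ROUTER_PUBLIC = "203.0.113.5"     # constructed public router address
PEER = "198.51.100.20"            # constructed remote IPsec peer

def ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    # AH authenticates the immutable IP header fields (src and dst addresses
    # among them, simplified here) plus the payload.
    hdr = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return hmac.new(key, hdr + payload, hashlib.sha256).digest()[:12]

def esp_icv(key: bytes, payload: bytes) -> bytes:
    # ESP authenticates the ESP header and payload only; the outer IP header
    # is outside the integrity check.
    return hmac.new(key, payload, hashlib.sha256).digest()[:12]

def build_packet(proto: str, src: str, dst: str, payload: bytes) -> dict:
    icv = ah_icv(KEY, src, dst, payload) if proto == "AH" else esp_icv(KEY, payload)
    return {"proto": proto, "src": src, "dst": dst, "payload": payload, "icv": icv}

def verify(pkt: dict) -> bool:
    # Receiver recomputes the integrity value over whatever arrived.
    if pkt["proto"] == "AH":
        expected = ah_icv(KEY, pkt["src"], pkt["dst"], pkt["payload"])
    else:
        expected = esp_icv(KEY, pkt["payload"])
    return hmac.compare_digest(pkt["icv"], expected)

def nat_source(pkt: dict, public_ip: str) -> dict:
    # Source NAT on the router: only the source address is rewritten.
    return {**pkt, "src": public_ip}

def deliver(proto: str, tunnel_endpoint: str) -> bool:
    # True if the peer accepts the packet. An inside host as endpoint gets
    # NATed on the way out; the router as endpoint has no NAT hop.
    pkt = build_packet(proto, tunnel_endpoint, PEER, b"constructed payload")
    if tunnel_endpoint == INSIDE_HOST:
        pkt = nat_source(pkt, ROUTER_PUBLIC)
    return verify(pkt)

if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        print(proto, "from inside host through NAT:", deliver(proto, INSIDE_HOST))
        print(proto, "terminated at the router:", deliver(proto, ROUTER_PUBLIC))
```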

This message is part of the NZ Broadband mailing list.
see http://unixathome.org/adsl/ for archives, FAQ,
and various documents.
To unsubscribe: send mail to majordomo@unixathome.org
with "unsubscribe adsl" in the body of the message
Received on Mon Oct 16 15:56:45 2000


This archive was generated by hypermail 2.2.0 : Thu Nov 30 11:48:06 2006 EST