Re: Starting new project "OpenBSD Bastille" - was Create a canned "Firewall Build"
On 20 Feb 2002 at 11:26, Tobias Weingartner wrote:
> > Most of the sysadmins I know, don't even have time to think about
> > security - it's fatal, I know - but I feel it's like normal, today.
>
> That's quite irresponsible. Then I'd say you (or they) have coming
> to yourself (or them) whatever comes down the pike. That's like
> saying that you know lots of people that drive cars, and they don't
> have time to think about safety. (That may be true, defensive drivers
> are rare in today's society).
Actually, in business you have the constant tradeoff of costs
vs benefit, and every non-revenue-generating expense is a
gamble. Some businesses run without insurance because the
cost is too high (or with minimal insurance), some without
fire sprinklers (my building doesn't have them and it's too
expensive to move my business), and some without really good
Internet security because they can't afford the time or money
to set it up. Claiming "that's irresponsible" may be true,
but it doesn't make them stop doing it.

And there are different levels of security. You have to make
a business decision about this. I run Freesco as my current
router because it's a trivial setup. It isn't as good as
OpenBSD, I know that, but none of my Freesco sites has been
hacked yet, and I can't justify the added cost of a truly good
firewall to my clients, nor can I justify the learning curve
I'll have to climb for something that right now is not a
business necessity. I'd really really like to learn this, but
the business facts are that an impenetrable firewall isn't a
necessity yet. If I could set one up for double the time cost
of the freesco firewall, I'd do it in a heartbeat. I've
looked at embsd.org, and there is almost nothing there about
how to set this up. Contrast that to the Smoothwall setup or
a freesco setup and you'll see what I mean.

By making OpenBSD hard to learn-and-configure as a firewall,
we're causing businesses to run less securely than they would
if a truly easy-to-set-up OpenBSD firewall were available.

A properly-done 'canned' OpenBSD-Firewall would make the cost
of getting secure so much less that many more people would
become secure. If it's done independently from the OpenBSD
project, then any revenues generated (e.g. by CD sales of the
firewall) would not come back here. But if the OpenBSD CD set
included one CD that was OpenBSD-Firewall, or a setup script
option path on the current set, I suspect many more would be
willing to contribute to OpenBSD.

I've subscribed to the obsdwall list, will continue further
discussions over there. But I really think it's a mistake not
to include a default firewall-setup script in the CDs ....
---------------------------------------------------------
Angus Scott-Fleming GeoApps, Tucson, Arizona
angussf@geoapps.com 1-520-290-5038 / fax 1-208-248-3124
---------------------------------------------------------
"Those who would give up essential Liberty, to purchase a
little temporary safety, deserve neither Liberty nor
safety."
- Benjamin Franklin