* Leif Hvidsten <leif at mn.rr.com> [011231 23:43]:
> into the external service access feature. Be sure to check out the Special
> Edition ISO that just came out on Dec. 21st.
> http://www.smoothwall.org

I decided to ignore these people from now on because they have the mindset that the founder put in so much money into making Free Software that people should be nice and never criticize their ways. (phone-home registration, their methods of dealing with some idiot who claimed they were breaking the GPL and then saying all Linux geeks are like that and they are better than them, etc.) I got sick and tired of it and decided to absolutely not tell people about the project anymore. Oh, for a while one of the updates turned the web-config interface into nagware.

It's nice to contribute, but if you're basing your business model on something and then bashing the community because they poke at your business model and ways, it's not worth being nice and promoting their 'product'.

I work daily with our Lucent firewall, it's got faults, but it still has more flexible firewalling and IPSEC based VPN support. They use FreeSWAN for their IPSEC implementation, and unless they are doing anything special, the only decent way to put stuff out with freeswan is using a PKI/x509 style setup. With something from Lucent or Cisco, you can use a certificate to ensure that the server is who they say they are and then use RADIUS, which is more deployed and much easier to manage than PKI is yet. (until there is better smart-card-ish stuff *everywhere* and a few other things...)

Most of what they are trying to sell to people as a product is freeswan, linux ipchains, squid, snort, and a few other things I can't remember, with a nifty frontend. Their only real IP is the integration work and the web based frontend.

Of course, they want to put this into the hands of businesses that have no idea about their risks, and just want to save some money.
Of course, there are VARs out there, but that's going to cost too much for these sorts of users. These are the sorts of users who will put this up, forward their IIS server through it, and then declare their servers 'secure' because they are protected by a firewall.

So, the 'hard' part in this business is presenting a frontend that doesn't expose the users to anything, and helps them in more than just a firewall, but also somehow notifies and helps them test their exposed machines with them and helps them secure them too. Perhaps a subscription based service to provide the updates, etc. Something a bit more turnkey, and a bit less of mapping files to a configuration interface, but allow experts to dive right in and torque things. Perhaps even remotely if possible as part of a 'managed security' setup.

I really like this idea of the helping users test their exposed services though, it can be automated, and the tests that come up true can point a user directly to what they need to do. And if a problem is really bad and the machine detects it (worm propagation, odd behavior, etc.) allow the machine to filter outbound from the hosts being protected. This would be a 'hard' filter to write, methinks. And 'harder' to implement in software and keep any sort of scalability and relevant reaction time.

Oh well. That was a long rant. Yikes, they even use popups on their website now. But yeah, it's not 'securing your digital world', it's just helping you do the basics of security, and even then you can push a knob the wrong way and not know if you're really secure anymore or not.

I would put a book reference here, preferably written for somewhat normal computer users and easy enough for almost anyone on this list to understand that talks about how to evaluate your risks and security policy, but I don't know of a good one offhand. Anyone know of any good network and machine security books? Preferably network ones and more based on the risks and less on what OSen are on your network.

Thanks.

--
Scott Dier <dieman at ringworld.org> http://www.ringworld.org/

...one of the top CBS reporters here in the Twin Cities, came up to me and said, "Governor." Here was her question: "How do you respond to some people who say you're spending too much time on state security and not enough time on Major League Baseball and the Twins?"
-Jesse Ventura, Salon interview 12.17.01 on why he thinks media are jackals and his partial justification for ignoring the 'baseball issue'.