creating a DMZ -- seeking firewall advice

TJ Hunter tjhunter at gmail.com
Tue Mar 8 13:50:31 MST 2005


On that note, I know someone who is trying to sell a PIX. I don't have
the specs right now, and I know that it needs a firmware upgrade. You
would have to buy a support agreement with Cisco in order to download
that from them. But if anyone is interested, email me off list and
I'll get the specs.


On Tue, 8 Mar 2005 13:41:54 -0700, Josh Coates <jcoates at archive.org> wrote:
> 
> not to be a butthead or anything, but..
> 
> >it's possible that a cisco box, running their embedded IOS instead of linux
> >would be a touch faster
> 
> highly unlikely.
> 
> >there are several advantages to having a DMZ for your webservers and hiding
> >the application and database servers on the inside, don't you think?
> 
> of course.
> 
> >Having hardware appliances might make it easier to configure
> 
> this has nothing to do with 'hardware'.  but, yes, appliances are typically
> easier to configure.  but then again, iptables isn't that hard to set up.
> 
> >No need to worry about patching/locking down anything else, like you'd have
> >to consider with a linux box.
> 
> run debian stable and simply use iptables to lock everything down.  it's
> really, really easy.
> 
> >ever tried to cut down a tree with a swiss-army knife saw-blade?
> 
> no.
> 
> okay, so it sounds like the summary is:
> "i don't have time/energy to invest in learning how to do this with linux,
> so i'm going to throw money at the problem to make my life easier - does
> anyone know of a firewall appliance?"
> 
> this is a *perfectly valid* reason for wanting an appliance, but this is
> your reasoning, no?  i was just curious about any specific reasons you had
> for not just using iptables, because i'm sure there must be some good
> reasons for it (i've recently been told that iptables doesn't work well w/
> multiple vpn sessions for example.)
> 
> sounds like you should just go w/ pix - but at least buy 'em from ebay. ;-)
> 
> Josh Coates
> http://www.jcoates.org
>
