[pptp-server] State-based Firewall and VPN Server on One Box?

Chuck Flink cwf at infosecana.com
Sat Jan 15 17:32:20 CST 2000


Eric & Matt,
I'll answer Eric's other questions on Monday, but I thought I'd comment
on Matt's response right away.  Please be sure that I'm not anti-Linux
nor am I against having FUN.  Somewhere back in this list the word
"NEED" in capital letters was used by someone with regard to firewall
and VPN all on one box.  If you have a serious NEED, then the
professional thing to do is to evaluate the risk and peg your investment
on the mitigation of that risk.  If the maximum cost is ZERO, the risk being
mitigated must be ZERO and the whole thing is a hobby.  Certainly,
PoPToP and Linux is the way to go.... have fun!

If there is a very, very serious risk, I'd also recommend Linux and IPsec
and a serious validation of your implementation by a seasoned team of
security analysts and break-in artists.  I'd recommend Linux because
of the ability for these analysts to assure themselves of complete freedom
from trap doors, flaws and Trojan Horses.... something that can only be
done by heavy duty inspection of the sources generating every line of
binary that runs with privilege.  This is EXPENSIVE, but I've been
involved with such work for the DoD in the distant past.

But 98% of the real-world customers out there want something much
less expensive but not as ad-hoc as "free from the web".  The RampNet,
the NETtel, Lucent's (Ascend's) Pipeline products, and probably a half
dozen other products are in the $400 to $1000 range and offer a decent
level of assurance against risk (and someone to blame if the shit hits the
fan and your boss comes down on YOU!)  Microsoft attempts to hit
the same range of assurance and (incremental) cost on a PC that can do
other things as well.  ....and everyone likes to be able to blame MS.

I can't judge where your need falls on the spectrum from hobby to
high risk.  So I'm only going to comment (Monday) on what I've done
and what I know of the technology.  There is nothing in Matt's reply
that I disagree with.... including the comment that this all is probably
too far "off topic" for this mailing list!  I just wanted to make it clear
that security is something that usually requires something more than
the typical mailing list level of treatment.

- Chuck Flink   www.infosecana.com/flinkink

P.S.  I'm very interested in developing business models for open source
software that addresses the issue of assurance and accountability....
I want to see Open Source satisfy that "middle region" between hobby
and high-risk.  Read the articles at my site (above) and comment
directly by feedback to me or the discussion forum listed there.
Thanks!
-----