pfsense and Smoothwall

So heres my dilemna for a project I'm working on.
I need a rather broad solution covering DNS, proxying, firewalling, VPN (both site to site and LDAP integrated user access), DHCP, supporting multiple DMZ servers along with routing support. This will act as the centre point for a 40 person network. Clearly hardware wise this will have to be quite a strong system, with load balancing being a possibility, at minimum hardware failover.

For the network security class we got asked to take a look at two firewall solutions, so whilst comparing them I also tried to see how well they would fit into the above requirements.
The firewalls looked at were pfsense and Smoothwall Express 3.0.

Lets start with pfsense.

• It is an open source effort, based on FreeBSD. I have little experience with BSD, compared to quite solid knowledge of Red Hat which Smoothwall is based on top of.
• Its feature set is huge, and rather all encompassing.
• Full Firewalling functionality, including stateful inspection and fingerprinting.
• NAT support, which I may or may not implement at this level within the above mentioned project.
• pfsense does support hardware failover, however the backup server does nothing normally, and only kicks in in the case of failure on the main server. IT also requires another static public IP, which could be a problem depending on the ADSL package I end up going with.
• Load Balancing is supported, only equal however. The ADSL lines I will be going with for the project will be balanced using a Billion Biguard 30, so this is only really important for DMZ servers etc.
• VPN: This is probably going to be the deal breaker. pfsense supports site to site links, along with PPTP style links including RADIUS server support, exactly what I need.
  
• DHCP serving is present, along with some proxying abilities.

Now lets have a look at Smoothwall Express 3.0

• As this is namely a firewall, its Firewall is quite full featured just like pfsense, including stateful inspection.
• NAT support is a bit of an unknown, and not explicitly mentioned, but this is probably not a huge deal as I will have the Biguard 30 handle this.
  
• Basic DHCP serving is supported, and due to its being based on RHEL, this shouldn't be that hard to expand apon.
• Proxy support is quite limited, but my proxy needs only include basic http proxying.
• Heres the big problem: VPN support is very limited in the free package. Site to Site is supported, but there is no included support for PPTP or RADIUS authentication.
  
• Multiple DMZ servers are also not supported, so another requirement is not met.
• No inbuilt hardware failover.

What must be included within Smoothwall's features is its large library of community driven upgrade modules. This however will most certainly require more work to setup and configure then the rather all inclusize pfsense for the project needs.
At this point, for both the network security class and the project needs, pfsense seems to be the winner.

Intro + DNS BailiWicked

Welcome to my brand new blog!
(yay >_>)
My name is Andrew Herzog, and I am a IT Network Security student in Australia within TAFE.
This is something of a forced effort, I really don't enjoy writing my thoughts down for the world to see... but hey might as well make the best of it.
Within this blog all I'll really be doing is putting into the blogosphere some of my (not so important) thoughts on Networking, security and some of the more interesting vulnerabilities and hardware/ software I encounter as I complete my studies.

So now that introductions are out of the way, lets get right into something that is quite common news already, but hey I only really discovered the depths of the vulnerability and exploits of it today.
Unpatched DNS servers have been found to be easily exploitable using Kaminsky's DNS poisoning flaw. What this means is that its rather easy at the moment to launch a man in the middle attack against clients.
Metasploit is what seems to be an awesome set of tools which are used to discover vulnerabilities within your network. Within 15 days of this DNS poisoning flaw being discovered Metasploit already included modules which could be used to inject fake DNS records into DNS servers.
http://blog.metasploit.com/2008/07/bailiwicked.html
Now what really scares me at this point is this post including a video I discovered along with Metasploit.
http://blog.metasploit.com/2008/07/evilgrade-will-destroy-us-all.html
Evilgrade uses this DNS exploit along with another flaw within many applications update mechanisms. The list is rather surprising as well, iTunes, MacOS, openOffice just to name a few. So an attacker uses metasploit to inject fake dns records onto the dns server used by the end user, then when the user begins an update instead of finding the software's website they are redirected to a malicious site, complete with a hacked executable provided by evilgrade ready to create the backdoor.

Call me misguided, but I never quite realised just how easy some of this was until recently. Its truly mind boggling how easy this attack is, just about anyone even slightly tech savvy could use it.