
Skunks!
Anyone know of a very good firewall? I hear Cyberoam is highly recommended? Any other firewall in the same league?
regards,
Tusker 21

SonicWall, or build your own with Linux or BSD systems

On Mon, Feb 13, 2012 at 9:16 AM, Tusker 21 <tusker212@gmail.com> wrote:
> Skunks!
> Anyone know of a very good firewall? I hear Cyberoam is highly recommended? Any other firewall in the same league?
> regards,
> Tusker 21
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke

If you are going commercial, NOTHING beats Checkpoint; for open source you can go with pfSense.
Regards

On Mon, Feb 13, 2012 at 9:21 AM, maina <dmaishe@gmail.com> wrote:
> SonicWall, or build your own with Linux or BSD systems

Thanx! I'm going commercial, and where do I get these firewalls from?
regards,
Maina

On Mon, Feb 13, 2012 at 9:26 AM, dan wanjohi <nadwanjohi@gmail.com> wrote:
> If you are going commercial, NOTHING beats Checkpoint; for open source you can go with pfSense.
> Regards

@dan wanjohi "NOTHING beats Checkpoint" is very debatable. What you feel is okay with you doesn't mean it is okay for everybody else.

On Mon, Feb 13, 2012 at 9:26 AM, dan wanjohi <nadwanjohi@gmail.com> wrote:
> If you are going commercial, NOTHING beats Checkpoint; for open source you can go with pfSense.
> Regards

@Tusker 21
I can assist you with evaluating your needs; that is where I would suggest you begin.
R
D

On Monday, February 13, 2012, maina wrote:
> @dan wanjohi "NOTHING beats Checkpoint" is very debatable. What you feel is okay with you doesn't mean it is okay for everybody else.

Hi Tusker21,
I feel it should begin with the design of the system with respect to what you want to achieve, say, for the business. Based on these needs, the firewall you need will emerge as you evaluate them. Different brands have different attributes and shortfalls.

-----Original Message-----
From: "Denis G. Wahome" <dwahome@gmail.com>
Sender: skunkworks-bounces@lists.my.co.ke
Date: Mon, 13 Feb 2012 09:51:36
To: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Reply-To: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Subject: Re: [Skunkworks] Firewall

@Daniel,
Something that is most restrictive. We want to block BitTorrent and social sites. Why? That's the requirement.

On Mon, Feb 13, 2012 at 9:51 AM, Denis G. Wahome <dwahome@gmail.com> wrote:
> @Tusker 21
> I can assist you with evaluating your needs; that is where I would suggest you begin.
> R
> D

Well, if you have a decent enough router your requirements might not require a separate firewall. If you have a strict requirement for a separate firewall and you have a 'smallish' amount of traffic, i.e. contexts to be inspected, and your only requirement is to block torrents, I believe everyone pretty much supports that; start with Cyberoam, before Checkpoint/Cisco/Juniper... those are pricier... if you have no issues with money I'd go for an entry-level ASA from Cisco.

On Mon, Feb 13, 2012 at 10:11 AM, Tusker 21 <tusker212@gmail.com> wrote:
> @Daniel,
> Something that is most restrictive. We want to block BitTorrent and social sites. Why? That's the requirement.
-- Gitau

The traffic is not much but torrents are choking our bandwidth. Where can I get this 'Cyberoam' from?

On Mon, Feb 13, 2012 at 10:23 AM, John Gitau <jgitau@gmail.com> wrote:
> Well, if you have a decent enough router your requirements might not require a separate firewall. If you have a strict requirement for a separate firewall and you have a 'smallish' amount of traffic, i.e. contexts to be inspected, and your only requirement is to block torrents, I believe everyone pretty much supports that; start with Cyberoam, before Checkpoint/Cisco/Juniper... those are pricier... if you have no issues with money I'd go for an entry-level ASA from Cisco.

How many machines are those you want to block from torrenting?
I wouldn't go for something expensive if I were you. You can solve the problem with torrents using "Company IT Policies".

On Mon, Feb 13, 2012 at 15:38, Tusker 21 <tusker212@gmail.com> wrote:
> The traffic is not much but torrents are choking our bandwidth. Where can I get this 'Cyberoam' from?
--
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
I can't hear you -- I'm using the scrambler.
Please consider the environment before printing this email.

Currently the machines are fewer than 10. But they might increase with time due to laptop users.
regards,
Maina

On Mon, Feb 13, 2012 at 4:20 PM, Odhiambo Washington <odhiambo@gmail.com> wrote:
> How many machines are those you want to block from torrenting?
> I wouldn't go for something expensive if I were you. You can solve the problem with torrents using "Company IT Policies".

Cyberoam recommended, I have encountered/used it and it's just the bomb!! Go for that, it will not let you down.

On 13 February 2012 16:38, Tusker 21 <tusker212@gmail.com> wrote:
> Currently the machines are fewer than 10. But they might increase with time due to laptop users.
> regards,
> Maina
On Mon, Feb 13, 2012 at 4:20 PM, Odhiambo Washington <odhiambo@gmail.com>wrote:
How many machines are those you want to block from torrenting?
I wouldn't go for something expensive if I were you. You can solve the problem with torrents using "Company IT Policies".
On Mon, Feb 13, 2012 at 15:38, Tusker 21 <tusker212@gmail.com> wrote:
The traffic is not much but torrents are choking our bandwidth. Where can i grt this 'cyberoam' from?
On Mon, Feb 13, 2012 at 10:23 AM, John Gitau <jgitau@gmail.com> wrote:
Well if you have a decent enough router your requirements might not require a separate firewall. If you have a strict requirement for a separate firewall and you have a 'smallish' amount of traffic ie contexts to be inspected and your only requirement is to block torrents I believe everyone pretty much supports that, start with cyberoam, before checkpoint/cisco/junioper...those are pricier...if you have no issues with money Id go for an entry level ASA from cisco.
On Mon, Feb 13, 2012 at 10:11 AM, Tusker 21 <tusker212@gmail.com>wrote:
@Daniel,
SOmething that is most restrictive. We want to block bit torrent and social sites. Why? Thats the requirement.
On Mon, Feb 13, 2012 at 9:51 AM, Denis G. Wahome <dwahome@gmail.com>wrote:
@Tusker 21
I can assist you with evaluating your needs, that is where I would suggest you begin.
R
D
On Monday, February 13, 2012, maina wrote:
> @dan wanjohi "NOTHING beats checkpoint" is very debatable..what u feel
> is sawa with u doesn't mean is sawa to everybody else.
>
> On Mon, Feb 13, 2012 at 9:26 AM, dan wanjohi <nadwanjohi@gmail.com> wrote:
> > If you are going commercial, NOTHING beats checkpoint, open source u can go
> > with PFsense..
> >
> > Regards
> >
> > On Mon, Feb 13, 2012 at 9:21 AM, maina <dmaishe@gmail.com> wrote:
> >> SonicWall, or build your own with Linux or BSD systems
> >>
> >> On Mon, Feb 13, 2012 at 9:16 AM, Tusker 21 <tusker212@gmail.com> wrote:
> >> > Skunks!
> >> >
> >> > Anyone knows of a very good firewall? i hear cyberoam is highly recommended?
> >> > any other firewall in the same league?
> >> >
> >> > regards,
> >> >
> >> > Tusker 21
-- Gitau
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ I can't hear you -- I'm using the scrambler. Please consider the environment before printing this email.

@Tusker, am just sharing my opinion here. I do apologise for my curt and blunt response here. Besides the few who know and have responded, am shocked that after reading your issue about torrents and bandwidth usage problems, no one and not even the so called "Open Source Product Specialists ( oops, sorry re-sellers )" have a freakin' clue what you need as a solution. All they know is what they can sell to you.
Can you please ask them how their so called Open Source Magic products are going to work with the network problems you have? For a start, can anyone who is selling NTM products and knows TCP comment on my question.. How will your NTM product help resolve Torrents, in cases where the traffic is encrypted and hopping on different port numbers, say Port 80? Will they then recommend that you block http access?!!!
@Tusker, kindly do not spend any money without them actually responding in detail to your problem.
Rgds. :-)

Aki, If i may be bold, and answer...
Most of the products put across here (CheckPoint, Sonicwall, Cyberoam, ASA) all come with a subscription service that downloads / updates rules for IDS, Packet inspection, Anti-Spam etc.
These updated rules, tied together with AD integration and User-based reporting, will ensure that the customer has the best protection, while getting reports and visibility into the network. The customer will not need to have RHCE,LPI certification to operate/configure.
All these features in one product MUST surely cost money.
Most of these products actually run on Open source platforms (Cyberoam, Sonicwall run a Linux kernel)
I have not seen any free Open source product that can bundle all the features of an IDS
Am currently evaluating Endian firewall Community http://www.endian.com/us/community/download/
Download: http://sourceforge.net/projects/efw/files/Development/EFW-2.5.1/EFW-COMMUNIT...
Regards,
./Sam
On Wed, Feb 15, 2012 at 1:49 PM, aki <aki275@gmail.com> wrote:
@Tusker, am just sharing my opinion here. I do apologise for my curt and blunt response here. Besides the few who know and have responded, am shocked that after reading your issue about torrents and bandwidth usage problems, no one and not even the so called "Open Source Product Specialists ( opps, sorry re-sellers )" have a freakin' clue what you need as a solution. All they know is what they can sell to you.
Can you please ask them how their so called Open Source Magic products are going to work with the network problems you have? For a start, can anyone who is selling NTM products and knows TCP comment on my question.. How will your NTM product help resolve Torrents, incases where the traffic is encrypted and hopping on different ports numbers, say Port 80? Will they then recommend that you block http access?!!!
@Tusker, kindly do not spend any money without them actually responding in detail to your problem.
Rgds. :-)

@Sam, nice writeup. Hope it also helps @Tusker know in depth what he is facing in the fight against torrents.
Cheers. :-)
On Wed, Feb 15, 2012 at 2:37 PM, Samuel Wachira <wachirasam@gmail.com> wrote:
Aki, If i may be bold, and answer...
Most of the products put across here (CheckPoint, Sonicwall, Cyberoam, ASA) all come with a subscription service that downloads / updates rules for IDS, Packet inspection, Anti-Spam etc.
These updated rules, tied together with AD integration and User-based reporting, will ensure that the customer has the best protection, while getting reports and visibility into the network. The customer will not need to have RHCE,LPI certification to operate/configure.
All these features in one product MUST surely cost money.
Most of these products actually run on Open source platforms (Cyberoam, Sonicwall run a Linux kernel)
I have not seen any free Open source product that can bundle all the features of an IDS
Am currently evaluating Endian firewall Community http://www.endian.com/us/community/download/
Download:
http://sourceforge.net/projects/efw/files/Development/EFW-2.5.1/EFW-COMMUNIT...
Regards,
./Sam

Aki.
AFAIK, only Access-Kenya were doing QOS.
ISP will not secure against Internal threats.. (malware infected pc's etc)
This is the dilemma:
FOSS is great, but it needs rocket science to set up and maintain
Commercial Open source is expensive to buy, but easy to use.
Tusker, please weigh the products (check their websites, review datasheets etc) and get a clue about how each device works.
Then make an informed choice.
Regards,
./Sam
On Wed, Feb 15, 2012 at 2:41 PM, aki <aki275@gmail.com> wrote:
@Sam, nice writeup. Hope it also helps @Tusker know indepth what he is facing in the fight against torrents.
Cheers. :-)
On Wed, Feb 15, 2012 at 2:37 PM, Samuel Wachira <wachirasam@gmail.com>wrote:
Aki, If i may be bold, and answer...
Most of the products put across here (CheckPoint, Sonicwall, Cyberoam, ASA) all come with a subscription service that downloads / updates rules for IDS, Packet inspection, Anti-Spam etc.
These updated rules, tied together with AD integration and User-based reporting, will ensure that the customer has the best protection, while getting reports and visibility into the network. The customer will not need to have RHCE,LPI certification to operate/configure.
All these features in one product MUST surely cost money.
Most of these products actually run on Open source platforms (Cyberoam, Sonicwall run a Linux kernel)
I have not seen any free Open source product that can bundle all the features of an IDS
Am currently evaluating Endian firewall Community http://www.endian.com/us/community/download/
Download:
http://sourceforge.net/projects/efw/files/Development/EFW-2.5.1/EFW-COMMUNIT...
Regards,
./Sam

@Sam, thanks for sharing. On ISPs who cannot do QOS, they need to close and go home to probably farming or raising poultry. At least if the rains don't come or the hyena does away with the chickens, they can blame someone else beyond their control. Is there no service provider left in KE who really knows their tech stuff and offers such?
Here's my argument. Why should end clients on thousands on hardware when ISPs can commercially offer the services within their network as a VAS. Rather than selling just capacity, QOS & NTM managed services should be offered too.
@Tusker, if your ISP cannot help, send them packing. Find one who cares and can offer you managed services, those who know their stuff. You are going to put money down the Torrent well, this I can guarantee you. If you still doubt, please research as @Sam suggests.
Rgds.:-)
On Wed, Feb 15, 2012 at 3:31 PM, Samuel Wachira <wachirasam@gmail.com> wrote:
Aki.
AFAIK, only Access-Kenya were doing QOS.
ISP will not secure against Internal threats.. (malware infected pc's etc)
This is the dilemma: FOSS is great, but it needs rocket science to set up and maintain Commercial Open source is expensive to buy, but easy to use.
Tusker, please weigh the products (check their websites, review datasheets etc) and get a clue about how each device works.
Then make an informed choice.
Regards,
./Sam

ISP's that do QOS, for Internet connections? The closest you'll get is an ISP that maybe has pre-configured classes for you. I don't believe anyone is currently offering this as a service for the masses. Small ISP's wouldn't even survive in such an environment. The net neutrality debate revolves around just this sort of thing.
So it's not that isp's don't offer QOS, they don't do it because unless you ask for it, you won't get it.
Gitau
Sent from my iPad
On 15 Feb 2012, at 15:58, aki <aki275@gmail.com> wrote:
@Sam, thnks for sharing. On ISPs who cannot do QOS, they need to close and go home to probably farming or raising poultry. At least if the rains don't come or the hyena does away with the chickens, they can blame someone else beyond their control. Is there no service provider left in KE who really knows their tech stuff and offers such?
Here's my argument. Why should end clients on thousands on hardware when ISPs can commercially offer the services within their network as a VAS. Rather than selling just capacity, QOS & NTM managed services should be offered too.
@Tusker, if your ISP cannot help, send them packing. Find one who cares and can offer you managed services, those who know their stuff. You are going to put money down the Torrent well, this I can guarantee you. If you still doubt, please research as @Sam suggests.
Rgds.:-)
On Wed, Feb 15, 2012 at 3:31 PM, Samuel Wachira <wachirasam@gmail.com> wrote: Aki.
AFAIK, only Access-Kenya were doing QOS.
ISP will not secure against Internal threats.. (malware infected pc's etc)
This is the dilemma: FOSS is great, but it needs rocket science to set up and maintain Commercial Open source is expensive to buy, but easy to use.
Tusker, please weigh the products (check their websites, review datasheets etc) and get a clue about how each device works.
Then make an informed choice.
Regards,
./Sam

@John, QOS/IDS/NTM should be managed services, and from an ISP point of view, a no brainer. You know this very well, net neutrality has nothing to do with managed services. If a Corporate client runs on a public IP, registered well and then someone in their network runs Torrents, this raises all sorts of legal issues. The entire Corporate can be sued for piracy just because some idiot cannot afford to rent movies though it's probably because of the greed culture. The risks exposes many corporates to legal risks, and Edge solutions cannot fix this problem. But so far, all that is happening is the reseller devices market grown on ignorance. None of the Edge corporates can afford the proper devices that are needed, why they don't push for managed services is all down to the skill & consumerism mentality. That's all am saying, again my apology for the bluntness. :-)
Cheers.
On Wed, Feb 15, 2012 at 5:07 PM, John Gitau <jgitau@gmail.com> wrote:
ISP's that do QOS, for Internet connections? The closest you'll get is an ISP that maybe has pre-configured classes for you. I don't believe anyone is currently offering this as a service for the masses. Small ISP's wouldn't even survive in such an environment. The net neutrality debate revolves around just this sort of thing.
So it's not that isp's don't offer QOS, they don't do it because unless you ask for it, you won't get it.
Gitau
Sent from my iPad

Look I'm sure we're barking up the same tree.
- customer buys managed services, wants torrents blocked: they get it, any ISP would do that.
- you pay for plain vanilla 'Internet service'; you deal with your issues.
The person starting this thread had a clear requirement, what is a good firewall to buy? Not which sort of service to buy. Safaricom, uunet,wananchi etc will all happily take your money and manage the service for you. Other third parties will also help SME's with such services. Heck I'm soon going to be playing in that very market. Most people can handle it for themselves, such mailing lists are supposed to help them run them if they want.
This thread specifically asked about buying a firewall. We all seem to have assumed that he has not asked his ISP, or thought of ACL's. We have probably generated more noise than answers. The debate is however not bad, I'm just saying staying on thread topic helps the original poster.
ISP's have no business assuming you don't want torrents, or porn even.
Gitau
Sent from my iPad
On 15 Feb 2012, at 17:17, aki <aki275@gmail.com> wrote:
@John, QOS/IDS/NTM should be managed services, and from an ISP point of view , a no brainer. You know this very well, net neutrality has nothing to do with managed services. If a Corporate client runs on a public IP, registered well and then someone in their network runs Torrents, this raises all sorts of legal issues. The entire Corporate can be sued for piracy just because some idiot cannot afford to rent movies though its probably because of the greed culture. The risks exposes many corporates to legal risks, and Edge solutions cannot fix this problem. But so far, all that is happening is the reseller devices market grown on ignorance. None of the Edge corporates can afford the proper devices that are needed, why they don't push for managed services is all down to the skill & consumerism mentality. That's all am saying, again my apology for the bluntness. :-)
Cheers.
On Wed, Feb 15, 2012 at 5:07 PM, John Gitau <jgitau@gmail.com> wrote: ISP's that do QOS, for Internet connections? The closest you'll get is an ISP that maybe has pre-configured classes for you. I don't believe anyone is currently offering this as a service for the masses. Small ISP's wouldn't even survive in such an environment. The net neutrality debate revolves around just this sort of thing.
So it's not that isp's don't offer QOS, they don't do it because unless you ask for it, you won't get it.
Gitau
Sent from my iPad

@John, Any business internet client will not want network services to run outside the policies of Technology use. Torrents, File Sharing go against any policies. This thread changed course when the words Torrents came in and the advice to @Tusker followed. I'm totally against him/her buying any edge device or deploying some freeware that cannot help. But you are right, he/she asked for a firewall, so be it. All I see is a pedestrian crossing the street and is going to be hit by a car, should I just watch? :-)

@Tusker, am going to give you part of the solution, the rest cannot be on a silver plate, sorry..nothing personal. :-) As an intermediate response, request your ISP to classify the traffic of your links with a proper QOS. This should be a value added service ISPs could be providing, unless they are not aware of such things. Define your traffic on both inbound/outbound and let them implement on their network. You will save yourself plenty here.
Over and Out. Asante. :-)
On Wed, Feb 15, 2012 at 1:49 PM, aki <aki275@gmail.com> wrote:
@Tusker, am just sharing my opinion here. I do apologise for my curt and blunt response here. Besides the few who know and have responded, am shocked that after reading your issue about torrents and bandwidth usage problems, no one and not even the so called "Open Source Product Specialists ( opps, sorry re-sellers )" have a freakin' clue what you need as a solution. All they know is what they can sell to you.
Can you please ask them how their so called Open Source Magic products are going to work with the network problems you have? For a start, can anyone who is selling NTM products and knows TCP comment on my question.. How will your NTM product help resolve Torrents, incases where the traffic is encrypted and hopping on different ports numbers, say Port 80? Will they then recommend that you block http access?!!!
@Tusker, kindly do not spend any money without them actually responding in detail to your problem.
Rgds. :-)

There is Untangle <http://wiki.untangle.com/index.php/Untangle_Server_User%27s_Guide> + L7-filter <http://l7-filter.sourceforge.net/>, I have not tried it though.
R
D
On Wednesday, February 15, 2012, aki wrote:
@Tusker, am just sharing my opinion here. I do apologise for my curt and blunt response here. Besides the few who know and have responded, am shocked that after reading your issue about torrents and bandwidth usage problems, no one and not even the so called "Open Source Product Specialists ( opps, sorry re-sellers )" have a freakin' clue what you need as a solution. All they know is what they can sell to you.
Can you please ask them how their so called Open Source Magic products are going to work with the network problems you have? For a start, can anyone who is selling NTM products and knows TCP comment on my question.. How will your NTM product help resolve Torrents, incases where the traffic is encrypted and hopping on different ports numbers, say Port 80? Will they then recommend that you block http access?!!!
@Tusker, kindly do not spend any money without them actually responding in detail to your problem.
Rgds. :-)

@Dennis, IMHO. This and all other useless-belong in the garbage tin- Open Source edge security systems cannot handle "dark networks", ever followed what happened to wikileaks when the first DDOS was launched, then the responses came in multiples? Torrents follow the same, trying to always hide from the law, masking port numbers and sometimes even using reserved application ports via encryption, locations and whatever they can use. For the Torrent end user, they have no idea what's really going on the network. There is a special need, and this need can only be partly implemented at core networks as an ISP or Gateways. Edge solutions can even simply run on a cisco router ACLs, why force end users to add other products? I don't blame anyone, these are the effects of consumerism or the ability to due to lack of skills. Network skills that we don't have thus people have to run blindly seeking quick fixes to their problems. Typical!
Rgds. :-)
On Wed, Feb 15, 2012 at 4:20 PM, Denis G. Wahome <dwahome@gmail.com> wrote:
There is Untangle<http://wiki.untangle.com/index.php/Untangle_Server_User%27s_Guide>+L7-filter<http://l7-filter.sourceforge.net/>, I have not tried it though.
R
D

On Wed, Feb 15, 2012 at 4:43 PM, aki <aki275@gmail.com> wrote:
> @Dennis, IMHO. This and all other useless-belong in the garbage tin- Open Source edge security systems cannot handle "dark networks", ever followed
Aki, Previously I've successfully blocked P2P, skype and BitTorrent traffic using pure open-source - DPI with application-level signature detection using Snort, feeding rules to iptables on Linux. I know it works even better now than it did then. And that's not the only way it can be done, open-source.
That was ages ago, mostly for fun and is definitely not the way Tusker wants to go. He's indicated that he needs an easy-to-manage, well-supported commercial solution.
> There is a special need, and this need can only be partly implemented at core networks as an ISP or Gateways.
> Edge solutions can even simply run on a cisco router ACLs, why force end users to add other products?
Bad idea. Not at the core. Back in my ISP days we had ACLs that blocked well-known bad traffic - NetBIOS, known worms etc. at the edge. But you'd just pointed out - correctly - that such traffic will get around ACLs.
The answer is managed services for customers who want their traffic managed for them - and this at a fee. Where the device that handles this sits, is debatable. Should it be a CPE? Maybe. Or somewhere in the provider network? I can't say. Some customers don't want the ISP to touch their traffic.
One size doesn't fit all.
Regards, Steve
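Added example, not written by any poster in this thread and not Snort or iptables syntax: a Python comparison of a port-based ACL with payload-signature matching, run over constructed flows, showing which traffic each approach sees and what neither can name. The blocked port range, addresses and payloads are assumptions; the signatures are the plaintext BitTorrent handshake, tracker announce parameters and the common bencoded DHT prefixes.

```python
from dataclasses import dataclass

# Plaintext BitTorrent markers. They are only visible when the client does
# not use protocol encryption, which is the limitation raised in the thread.
BT_HANDSHAKE = b"\x13BitTorrent protocol"          # start of a peer handshake
TRACKER_PARAMS = (b"info_hash=", b"peer_id=")       # HTTP tracker announce
DHT_PREFIXES = (b"d1:ad2:id20:", b"d1:rd2:id20:")   # common DHT query/reply form
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT"}

# Assumption: an ACL that blocks the traditional BitTorrent port range.
BLOCKED_PORTS = frozenset(range(6881, 6890))


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # first bytes of the first data packet


def acl_verdict(flow: Flow) -> str:
    """Port-only decision, as a router ACL would make it."""
    return "drop" if flow.dst_port in BLOCKED_PORTS else "allow"


def dpi_label(flow: Flow) -> str:
    """Classify by payload content, ignoring the port number."""
    p = flow.payload
    if flow.proto == "tcp":
        if p.startswith(BT_HANDSHAKE):
            return "bittorrent-peer"
        request_line = p.split(b"\r\n", 1)[0]
        if request_line.startswith(b"GET ") and all(
            k in request_line for k in TRACKER_PARAMS
        ):
            return "bittorrent-tracker"
        if request_line.split(b" ", 1)[0] in HTTP_METHODS:
            return "http"
    elif flow.proto == "udp" and p.startswith(DHT_PREFIXES):
        return "bittorrent-dht"
    return "unknown"


def evaluate(flows):
    """Split flows into those the ACL misses but DPI names, and opaque ones."""
    missed_by_acl, opaque = [], []
    for f in flows:
        label = dpi_label(f)
        if label.startswith("bittorrent") and acl_verdict(f) == "allow":
            missed_by_acl.append((f.src, f.dst_port, label))
        elif label == "unknown":
            opaque.append((f.src, f.dst_port))
    return missed_by_acl, opaque


# Constructed sample flows (RFC 1918 addresses, made-up payloads).
_HANDSHAKE = BT_HANDSHAKE + bytes(8) + b"A" * 20 + b"-XX0001-000000000000"
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 6881, "tcp", _HANDSHAKE),
    Flow("10.0.0.5", 80, "tcp", _HANDSHAKE),
    Flow("10.0.0.7", 80, "tcp",
         b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    Flow("10.0.0.5", 80, "tcp",
         b"GET /announce?info_hash=%12%34&peer_id=-XX0001-0000&port=80 HTTP/1.1\r\n\r\n"),
    Flow("10.0.0.9", 51413, "udp",
         b"d1:ad2:id20:" + b"B" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    # Stand-in for an encrypted stream: no recognisable header on port 8080.
    Flow("10.0.0.9", 8080, "tcp", bytes.fromhex("9f3c77a1e4d20b58c6117ae0035d")),
]

if __name__ == "__main__":
    missed, opaque = evaluate(SAMPLE_FLOWS)
    for src, port, label in missed:
        print(f"ACL allowed, DPI flagged: {src} -> port {port} ({label})")
    for src, port in opaque:
        print(f"No signature match: {src} -> port {port}")
```

The last flow is the case both sides of the argument agree on: with no plaintext header, neither the ACL nor the signature match can attribute it to an application.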

Hi @Steve, :-) inline below.
On Wed, Feb 15, 2012 at 6:03 PM, Steve Muchai <smuchai@gmail.com> wrote:
> On Wed, Feb 15, 2012 at 4:43 PM, aki <aki275@gmail.com> wrote:
> > @Dennis, IMHO. This and all other useless-belong in the garbage tin- Open Source edge security systems cannot handle "dark networks", ever followed
> Aki, Previously I've successfully blocked P2P, skype and BitTorrent traffic using pure open-source - DPI with application-level signature detection using Snort, feeding rules to iptables on Linux. I know it works even better now than it did then. And that's not the only way it can be done, open-source.
> That was ages ago, mostly for fun and is definitely not the way Tusker wants to go. He's indicated that he needs an easy-to-manage, well-supported commercial solution.
P2P and the rest have or are gone stealth, from the old days and now is a big change. Wikileaks and what followed later changed many things. In these times, how would you detect encrypted traffic on port 80 or 8080 without running a proper DPI. And trust me, even the core networks out there that make our networks look like kijiji networks, are facing very complex issues and DPI overheads. Some of these are running into Terabits DPIs that run distributed services.
> > There is a special need, and this need can only be partly implemented at core networks as an ISP or Gateways.
> > Edge solutions can even simply run on a cisco router ACLs, why force end users to add other products?
> Bad idea. Not at the core. Back in my ISP days we had ACLs that blocked well-known bad traffic - NetBIOS, known worms etc. at the edge. But you'd just pointed out - correctly - that such traffic will get around ACLs.
> The answer is managed services for customers who want their traffic managed for them - and this at a fee. Where the device that handles this sits, is debatable. Should it be a CPE? Maybe. Or somewhere in the provider network? I can't say. Some customers don't want the ISP to touch their traffic.
> One size doesn't fit all.
> Regards, Steve
Managed IP services such as QOS/IDS/NTM is a must have and ISPs, Telcos need to embrace this. No one on edge networks is going to micro-manage a problem such as Torrents which keep changing their patterns when threats increase to their survivability. Even if some taka taka Open source freeware worked, it cannot keep up with the changes as itself becomes a bottleneck. Let ISPs and Telcos offer secure and managed services, and the clients will not spend much on hardware. Of course, the managed services are a VAS thus offered as such. Cheers. :-)

On Wed, Feb 15, 2012 at 6:23 PM, aki <aki275@gmail.com> wrote:
> Hi @Steve, :-) inline below. [...snipped...] P2P and the rest have or are gone stealth, from the old days and now is a big change. Wikileaks and what followed later changed many things. In these times, how would you detect encrypted traffic on port 80 or 8080 without
It's not that long ago, it was just a previous life. Personally I'd still achieve all this open-source but businesses have good reasons to go commercial or buy managed services.
> running a proper DPI. And trust me, even the core networks out there that make our networks look like kijiji networks, are facing very complex issues and DPI overheads. Some of these are running into Terabits DPIs that run distributed services.
Which is the reason, IMHO, it's a bad idea to run this at the core.
> Managed IP services such as QOS/IDS/NTM is a must have and ISPs, Telcos need to embrace this. No one on edge networks is going to micro-manage a problem such as Torrents which keep changing their patterns when threats increase to their survivability. Even if some taka taka Open source freeware worked, it cannot keep up with the changes as itself becomes a bottleneck. Let ISPs and
Depends who's running it and on what hardware, and I think it's offensive to refer to other people's work as taka taka simply because they release it open source.
> Telcos offer secure and managed services, and the clients will not spend much on hardware. Ofcourse, the managed services are a VAS thus offered as such.
Here I'm totally in agreement with you. This is an opportunity for ISPs and other parties to offer managed solutions to meet a business need.
Regards, Steve

@Steve, just one inline below, a bit provocative but light hearted. :-)
On Wed, Feb 15, 2012 at 8:18 PM, Steve Muchai <smuchai@gmail.com> wrote:
> > Managed IP services such as QOS/IDS/NTM is a must have and ISPs, Telcos need to embrace this. No one on edge networks is going to micro-manage a problem such as Torrents which keep changing their patterns when threats increase to their survivability. Even if some taka taka Open source freeware worked, it cannot keep up with the changes as itself becomes a bottleneck. Let ISPs and
> Depends who's running it and on what hardware, and I think it's offensive to refer to other people's work as taka taka simply because they release it open source.
Compared to enterprise and proprietary solutions that do work in the context of deployments, IMHO I can refer to the RE released versions freeware as like the total crap fit for another world that probably will die from starvation, diseases or weather changes.
I think you mentioned Congo somewhere, so you have first hand experience. For a country that is totally super rich in natural resources including rare metals, where would you rate it on a scale of development? Are they still asking for bribes when you speak differently or those funny roads blocks looking for rare things?
The same example applied here: If I was a CTO of a network company and serious about offering managed services, would I go and get a brand that I know will maintain continuity or will I go to the internet, hit google and go to some site where I can free software to configure which is going to take ages?
RE freeware has very limited scopes, just because the web grew around it does not mean it's everything. Well, it can be everything if only people put their minds to doing things rather than waiting to be offered devices that run it in the first place. Do you remember etinc and freebsd? What about Packeteer that also runs on RE clone? How many use these devices because they have no freakin' idea that they too could have developed on the TCP stack. So please, allow me the chance to insult intelligently. For a better perspective, compare that a RE OS discussion will be more about the GUI than actual functionality.
Lastly, I did not even market a proprietary system here that will totally exceed many expectations, including granular controls. Open Source and Freeware marketing has to stop.. :-) Cheers.

On Wed, Feb 15, 2012 at 9:25 PM, aki <aki275@gmail.com> wrote:
> @Steve, just one inline below, a bit provocative but light hearted. :-) [...] not mean it's everything. Well, it can be everything if only people put their minds to doing things rather than waiting to be offered devices that run it in the first place. Do you remember etinc and freebsd? What about Packeteer that also runs on RE clone? How many use these devices because they have no freakin' idea that they too could have developed on the TCP stack. So please, allow me the chance to insult intelligently. For a better
Case closed, let's all go write firewall code and be intelligent.
I'm through with this thread, I hope it's over.
BR S

Thanks for all the comments and advice.
In my opinion. How do i take charge and manage a network in a simple and efficient way. At the moment our ISP is able to give us user based reports by IP and traffic since there is no proxy or firewall in place.
Torrents top the list, skype then http traffic. Objective is to block/limit torrents. commercial or open source any goes but the ideal is whatever works efficiently. From an ISP perspective, i am not sure if they are best to manage my network since altering or creating rules for different classes of traffic might not be so flexible.
I have used pfsense and smoothwall before. but creating the rules was not fun.
regards,
On Wed, Feb 15, 2012 at 9:35 PM, Steve Muchai <smuchai@gmail.com> wrote:
On Wed, Feb 15, 2012 at 9:25 PM, aki <aki275@gmail.com> wrote:
@Steve, just one inline below, a bit provocative but light hearted. :-) [...] not mean it's everything. Well, it can be everything if only people put their minds to doing things rather than waiting to be offered devices that run it in the first place. Do you remember etinc and freebsd? What about packeeter that also runs on RE clone? How many use these devices because they have no freakin' idea that they too could have developed on the TCP stack. So please, allow me the chance to insult intelligently. For a better
Case closed, let's all go write firewall code and be intelligent.
I'm through with this thread, I hope it's over.
BR S

On Wed, Feb 15, 2012 at 11:03 PM, Tusker 21 <tusker212@gmail.com> wrote:
Thans for all the comments and advise.
In my opinion. How do i take charge and manage a network in a simple and efficient way. At the moment our ISP is able to give us user based reports by IP and traffic since there is no proxy or firewall in place.
Torrents top the list, skype then http traffic. Objective is to block/limit torrents. commercial or open source any goes but the ideal is whatever works efficiently. From an ISP perspective, i am not sure if they are best to manage my network since altering or creating rules for different classes of traffic might not be so flexible.
[thread making sense once more so I'll jump back in and offer my 2 cents' worth] That's a start. Possibly your ISP place a cap on certain types of traffic for your subnet. I'm guessing whatever system they're using to classify your traffic may be able to throttle it. That said, I can imagine the management headache on the ISP side doing this as a centralized solution for individual customers. I know some gear we had at a previous ISP job allowed us to create accounts for users, and IIRC they could actually classify traffic on their link and create their own rules.
I have used pfSense and Smoothwall before, but creating the rules was not fun.
That's great. But it wouldn't be fun without the pain, heh? BR, S

@Tusker21
My old style of thinking is you need to control how much bandwidth a user can utilize within the network, managing bandwidth by protocols in most cases is a "waste" of time considering they change almost every second, remember even the HTTP traffic you're talking about is highly unlikely real HTTP but a bunch of p2p traffic, Gnutella, torrents etc camouflaging as HTTP and some of the traffic could even be encrypted.
NB: It's said in any network 20% of the users use or abuse 80% of the resources as long as you can deal with the 20% you will be home and dry and am sure you don't need a fancy device to do this.
My 2 cents Maxwell
Tusker 21 wrote:
Thanks for all the comments and advice.
In my opinion. How do I take charge and manage a network in a simple and efficient way? At the moment our ISP is able to give us user based reports by IP and traffic since there is no proxy or firewall in place.
Torrents top the list, Skype then HTTP traffic. Objective is to block/limit torrents. Commercial or open source, any goes, but the ideal is whatever works efficiently. From an ISP perspective, I am not sure if they are best to manage my network since altering or creating rules for different classes of traffic might not be so flexible.
I have used pfSense and Smoothwall before, but creating the rules was not fun.
regards,
On Wed, Feb 15, 2012 at 9:35 PM, Steve Muchai <smuchai@gmail.com> wrote:
On Wed, Feb 15, 2012 at 9:25 PM, aki <aki275@gmail.com> wrote:
@Steve, just one inline below, a bit provocative but light hearted. :-) [...] not mean it's everything. Well, it can be everything if only people put their minds to doing things rather than waiting to be offered devices that run it in the first place. Do you remember etinc and FreeBSD? What about Packeteer that also runs on RE clone? How many use these devices because they have no freakin' idea that they too could have developed on the TCP stack. So please, allow me the chance to insult intelligently. For a better
Case closed, let's all go write firewall code and be intelligent.
I'm through with this thread, I hope it's over.
BR S
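Maxwell's per-user approach above, as an added example that is not part of the original thread: given the kind of per-IP usage report Tusker says the ISP already supplies, it finds the smallest set of hosts that accounts for a chosen share of traffic, ignoring protocol labels, and splits a capped part of the link among them. The report format, addresses, link size and the 50% figure are constructed assumptions.

```python
"""Per-host accounting: find the heavy users, whatever protocol they appear to use."""
import csv
import io
from collections import Counter

# Constructed sample report (bytes per day). Addresses are from the RFC 5737
# documentation range; the protocol column is whatever the classifier guessed.
SAMPLE_REPORT = """\
ip,protocol,bytes
192.0.2.10,torrent,42000000000
192.0.2.10,http,9000000000
192.0.2.11,http,29000000000
192.0.2.11,skype,2000000000
192.0.2.12,http,4000000000
192.0.2.13,http,3000000000
192.0.2.14,http,3000000000
192.0.2.15,skype,2000000000
192.0.2.16,http,2000000000
192.0.2.17,http,2000000000
192.0.2.18,http,1000000000
192.0.2.19,http,1000000000
"""


def bytes_per_host(report_text):
    """Sum bytes per source IP. The protocol label is deliberately ignored,
    since per the post above P2P may be labelled as HTTP or be encrypted."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(report_text)):
        totals[row["ip"]] += int(row["bytes"])
    return totals


def heavy_hosts(totals, share=0.80):
    """Smallest set of hosts, largest first, whose traffic reaches `share` of the total."""
    grand_total = sum(totals.values())
    picked, running = [], 0
    for ip, used in totals.most_common():
        if running >= share * grand_total:
            break
        picked.append(ip)
        running += used
    return picked


def per_host_caps(totals, link_kbit, heavy_share_of_link=0.5, share=0.80):
    """Give the heavy hosts an equal slice of a fixed fraction of the link (kbit/s)."""
    heavy = heavy_hosts(totals, share)
    if not heavy:
        return {}
    cap = int(link_kbit * heavy_share_of_link / len(heavy))
    return {ip: cap for ip in heavy}


if __name__ == "__main__":
    totals = bytes_per_host(SAMPLE_REPORT)
    heavy = heavy_hosts(totals)
    print(f"{len(heavy)} of {len(totals)} hosts carry 80% of the traffic: {heavy}")
    for ip, cap in per_host_caps(totals, link_kbit=10000).items():
        print(f"cap {ip} at {cap} kbit/s")
```

The resulting caps are inputs for whatever shaper is in use; the script itself changes nothing on the network.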

Maxwell, In a multi-tenant situation, that's exactly what we try to do per apartment. I.e. limit their bandwidth. They can run whatever they want. In one particular case some tenants are 'smart' enough to ask for some QOS, we help them classify and prioritise their traffic. Search for something called software defined networking, specifically OpenFlow. It will probably help a lot in such cases. Sorry..about off topic but that happened a while back.
Sent from my iPad
On 16 Feb 2012, at 11:44, Ochieng Maxwell <maxwell@barua.co.ke> wrote:
@Tusker21
My old style of thinking is you need to control how much bandwidth a user can utilize within the network, managing bandwidth by protocols in most cases is a "waste" of time considering they change almost every second, remember even the HTTP traffic you're talking about is highly unlikely real HTTP but a bunch of p2p traffic, Gnutella, torrents etc camouflaging as HTTP and some of the traffic could even be encrypted.
NB: It's said in any network 20% of the users use or abuse 80% of the resources as long as you can deal with the 20% you will be home and dry and am sure you don't need a fancy device to do this.
My 2 cents Maxwell
Tusker 21 wrote:
Thanks for all the comments and advice.
In my opinion. How do I take charge and manage a network in a simple and efficient way? At the moment our ISP is able to give us user based reports by IP and traffic since there is no proxy or firewall in place.
Torrents top the list, Skype then HTTP traffic. Objective is to block/limit torrents. Commercial or open source, any goes, but the ideal is whatever works efficiently. From an ISP perspective, I am not sure if they are best to manage my network since altering or creating rules for different classes of traffic might not be so flexible.
I have used pfSense and Smoothwall before, but creating the rules was not fun.
regards,
On Wed, Feb 15, 2012 at 9:35 PM, Steve Muchai <smuchai@gmail.com> wrote:
On Wed, Feb 15, 2012 at 9:25 PM, aki <aki275@gmail.com> wrote:
@Steve, just one inline below, a bit provocative but light hearted. :-) [...] not mean it's everything. Well, it can be everything if only people put their minds to doing things rather than waiting to be offered devices that run it in the first place. Do you remember etinc and FreeBSD? What about Packeteer that also runs on RE clone? How many use these devices because they have no freakin' idea that they too could have developed on the TCP stack. So please, allow me the chance to insult intelligently. For a better
Case closed, let's all go write firewall code and be intelligent.
I'm through with this thread, I hope it's over.
BR S

On Thu, Feb 16, 2012 at 11:44 AM, Ochieng Maxwell <maxwell@barua.co.ke> wrote:
@Tusker21
My old style of thinking is you need to control how much bandwidth a user can utilize within the network, managing bandwidth by protocols in most cases is a "waste" of time considering they change almost every second, remember even the HTTP traffic you're talking about is highly unlikely real HTTP but a bunch of p2p traffic, Gnutella, torrents etc camouflaging as HTTP and some of the traffic could even be encrypted.
A big +1! Thank you. Someone who finally understands torrent traffic. Great stuff @Maxwell. :-)

Tusker, in the meantime, as you wait for training and a solution to your problem, if you have a Windows environment and a domain setup, you could block users from running some of the applications like Skype or torrents, in case you know their executable files, using group policy at the domain controller level.
regards, James
On 2/15/2012 11:03 PM, Tusker 21 wrote:
Thanks for all the comments and advice.
In my opinion. How do I take charge and manage a network in a simple and efficient way? At the moment our ISP is able to give us user based reports by IP and traffic since there is no proxy or firewall in place.
Torrents top the list, Skype then HTTP traffic. Objective is to block/limit torrents. Commercial or open source, any goes, but the ideal is whatever works efficiently. From an ISP perspective, I am not sure if they are best to manage my network since altering or creating rules for different classes of traffic might not be so flexible.
I have used pfSense and Smoothwall before, but creating the rules was not fun.
regards,
On Wed, Feb 15, 2012 at 9:35 PM, Steve Muchai <smuchai@gmail.com> wrote:
On Wed, Feb 15, 2012 at 9:25 PM, aki <aki275@gmail.com> wrote:
@Steve, just one inline below, a bit provocative but light hearted. :-) [...] not mean it's everything. Well, it can be everything if only people put their minds to doing things rather than waiting to be offered devices that run it in the first place. Do you remember etinc and FreeBSD? What about Packeteer that also runs on RE clone? How many use these devices because they have no freakin' idea that they too could have developed on the TCP stack. So please, allow me the chance to insult intelligently. For a better
Case closed, let's all go write firewall code and be intelligent.
I'm through with this thread, I hope it's over.
BR S

I know Steve and I speak from experience running ISPs, I have personally run large carrier grade solutions on open source stuff. From firewalls, to proxies to mail servers, monitoring systems, radius, billing, private clouds, routers etc. I have probably designed some of the largest networks around so this is not a blind debate. And yes some people use torrents for legitimate reasons. Imagine a media house for starters. Yes it's also an opportunity to offer services like this, and yes I know people intending to do just that and others who can but don't. Oh and yes you can write a firewall too. It's all in good fun. I still insist we are way off topic as far as assisting @tusker is concerned. I don't see how a request on which firewall to buy becomes how ISPs should offer their services. And like Steve I'm done... With this one...
Gitau
Sent from my iPad
On 15 Feb 2012, at 21:35, Steve Muchai <smuchai@gmail.com> wrote:
On Wed, Feb 15, 2012 at 9:25 PM, aki <aki275@gmail.com> wrote:
@Steve, just one inline below, a bit provocative but light hearted. :-) [...] not mean it's everything. Well, it can be everything if only people put their minds to doing things rather than waiting to be offered devices that run it in the first place. Do you remember etinc and FreeBSD? What about Packeteer that also runs on RE clone? How many use these devices because they have no freakin' idea that they too could have developed on the TCP stack. So please, allow me the chance to insult intelligently. For a better
Case closed, let's all go write firewall code and be intelligent.
I'm through with this thread, I hope it's over.
BR S

On Wed, Feb 15, 2012 at 23:07, John Gitau <jgitau@gmail.com> wrote:
I know Steve and I speak from experience running ISPs, I have personally run large carrier grade solutions on open source stuff. From firewalls, to proxies to mail servers, monitoring systems, radius, billing, private clouds, routers etc. I have probably designed some of the largest networks around so this is not a blind debate.
And yes some people use torrents for legitimate reasons. Imagine a media house for starters.
Yes it's also an opportunity to offer services like this, and yes I know people intending to do just that and others who can but don't.
Oh and yes you can write a firewall too. It's all in good fun. I still insist we are way off topic as far as assisting @tusker is concerned. I don't see how a request on which firewall to buy becomes how ISPs should offer their services.
And like Steve I'm done... With this one...
I, too, wanted to join the bandwagon, but with Steve and Gitau, I have my case well presented, and closed. Concat or amalgamate what Steve and Gitau have said and I am a mere seconder. BTW, I am glad John Gitau & Phares Kariuki have joined hands to offer FREE training. More guys should follow this initiative. +5 Wine glasses, as you can feel, but I still see and can reason:-) -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ I can't hear you -- I'm using the scrambler. Please consider the environment before printing this email.

@Gentlemen, I rest my case. Sorry I have to be a bit blunt here. IMHO, You all have run or designed networks from devices point of view where Open Source/Free Software existed as a pure free-pluggable solutions designed by some morons who were looking to fund their projects through free use and public use, thus probably the most strong and primary reason why we are unable to sustain 99.99% up times on our KE networks. When the devices hang up or freeze or even have problems, the entire networks are brought down, no one has a clue except to google quickly for some patches, re-install or even worse let the situation exist until some hours have passed. If you are up to Packeteer levels and beyond, then let's take this further, else please leave it as it is as we will just keep going in circles. :-)
@Tusker, In the context that I saw you as the pedestrian crossing the street while a speeding car is around the corner, I'm really very sorry that I have to let the car hit you as I cannot save you from what's going to happen on your network. I really wish you would take my advice, rules in a useless firewall are not going to help you. For a start, ask plenty of the pirates on this list who have nothing better to do than champion for Open and Free Software, how they spoof IP addresses or use encryption so as not to get listed on various detection systems out there. I wish I worked for Anti-Piracy or some dictatorial regime, there would have been such a nice and terrible online war. :-)
Am done and some thoughts. Best Rgds and nice evening. Cheers.

On Thu, Feb 16, 2012 at 12:10 AM, aki <aki275@gmail.com> wrote:
@Gentlemen, I rest my case. Sorry I have to be a bit blunt here. IMHO, You all have run or designed networks from devices point of view where Open Source/Free Software existed as a pure free-pluggable solutions designed by some morons who were looking to fund their projects through free use and public use, thus probably the most strong and primary reason why we are unable to sustain 99.99% up times on our KE networks. When the devices hang up or freeze or even have problems, the entire networks are brought down, no one has a clue except to google quickly for some patches, re-install or even worse let the situation exist until some hours have passed. If you are up to Packeteer levels and beyond, then let's take this further, else please leave it as it is as we will just keep going in circles. :-)
@Tusker, In the context that I saw you as the pedestrian crossing the street while a speeding car is around the corner, I'm really very sorry that I have to let the car hit you as I cannot save you from what's going to happen on your network. I really wish you would take my advice, rules in a useless
Hi Tusker, Please take his advice, stop listening to morons like us and buy a packeteer. BR S

@Steve, Open Source crap does not work and you know it. No wonder KE ISPs cannot sustain reliability factors, ati SLAs on local loops. Stop the politics, IMHO :-)))
Cheers.
On Thu, Feb 16, 2012 at 9:46 AM, Steve Muchai <smuchai@gmail.com> wrote:
Hi Tusker, Please take his advice, stop listening to morons like us and buy a packeteer.
BR S

<My two-cents> Who initiates a torrent? Isn't it the end user, sitting behind a company computer, who has the rights to install (or run) a torrent client? If it's a techie, then they would have their own computer with full rights to access the network? I stopped commenting the moment I saw the comments veering off-topic. Doesn't it make sense that therefore if there was a way to prevent the torrent from running, it would free the bandwidth? Without involving any outside parties? This concern has spawned a new generation of devices more advanced than a simple firewall. That's all that everybody is saying. Get an appliance, and block torrent access, mass mailing, broadcasts, unnecessary traffic and unauthorised users from accessing your network and precious bandwidth. </My Two-cents>
./Sam
On Thu, Feb 16, 2012 at 10:32 AM, aki <aki275@gmail.com> wrote:
@Steve, Open Source crap does not work and you know it. No wonder KE ISPs cannot sustain reliability factors, ati SLAs on local loops. Stop the politics, IMHO :-)))
Cheers.
On Thu, Feb 16, 2012 at 9:46 AM, Steve Muchai <smuchai@gmail.com> wrote:
Hi Tusker, Please take his advice, stop listening to morons like us and buy a packeteer.
BR S

On Thu, Feb 16, 2012 at 11:11 AM, Samuel Wachira <wachirasam@gmail.com> wrote:
<My two-cents>
Who initiates a torrent? Isn't it the end user, sitting behind a company computer, who has the rights to install (or run) a torrent client? If it's a techie, then they would have their own computer with full rights to access the network?
Hi Sam, Interesting and valid point that was raised before. Apart from the technology, policies can go a long way to resolve misuse/abuse. Gitau pointed out that in some cases some users may have legit reasons to run torrents; in this case it's apparent they don't, so Tusker may want to implement this.
Regards, Steve

On Wed, Feb 15, 2012 at 11:18 PM, Odhiambo Washington <odhiambo@gmail.com> wrote:
On Wed, Feb 15, 2012 at 23:07, John Gitau <jgitau@gmail.com> wrote:
I know Steve and I speak from experience running ISPs, I have personally run large carrier grade solutions on open source stuff. From firewalls, to proxies to mail servers, monitoring systems, radius, billing, private clouds, routers etc. I have probably designed some of the largest networks around so this is not a blind debate.
And yes some people use torrents for legitimate reasons. Imagine a media house for starters.
Yes it's also an opportunity to offer services like this, and yes I know people intending to do just that and others who can but don't.
Oh and yes you can write a firewall too. It's all in good fun. I still insist we are way off topic as far as assisting @tusker is concerned. I don't see how a request on which firewall to buy becomes how ISPs should offer their services.
And like Steve I'm done... With this one...
I, too, wanted to join the bandwagon, but with Steve and Gitau, I have my case well presented, and closed. Concat or amalgamate what Steve and Gitau have said and I am a mere seconder. BTW, I am glad John Gitau & Phares Kariuki have joined hands to offer FREE training. More guys should follow this initiative.
+5 Wine glasses, as you can feel, but I still see and can reason:-)
+1
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ I can't hear you -- I'm using the scrambler. Please consider the environment before printing this email.
participants (14)
- aki
- Anderson Levi
- dan wanjohi
- Denis G. Wahome
- James Kagwe
- John Gitau
- maina
- Michelle Shivu
- Ochieng Maxwell
- Odhiambo Washington
- Samuel Wachira
- Stan Ngure
- Steve Muchai
- Tusker 21