Since August of 2004 I have used a custom Linux firewall in my network. The firewall was built by Bob Toxen, author of Real World Linux Security, and it worked flawlessly for more than two years. When I first got it I had servers in my office and felt I needed the extra protection of a professional firewall. If you need top-notch security I can confidently recommend Bob. But I don’t need enterprise-level security anymore. I never did, really. And, while I felt quite safe behind the firewall, its safety had a cost in complexity that I don’t want anymore.

I no longer have any application servers running in my office. I have my basic file servers, but nothing fancy. So my firewall needs are pretty basic, and today’s inexpensive, commercial firewalls are vastly improved over what was available just two years ago. I bought a little Netgear FVS124G Firewall/VPN/Router a couple of months ago for $125. I’ve had it lying around the office for a while because I knew it would take a good half-day to get the whole network changed over and tested. But today I set it up. And what a relief! I’m finally able to fix some niggling problems I’ve been living with forever.

First, I was finally able to clear and prioritize the ports for my VoIP adapter, assigning it top-level QoS ranking. After 2.5 years of having to shut down my e-mail client and carefully monitor all UL/DL traffic on my LAN while making phone calls, I can finally ignore all that and just talk on the phone. Damn! That feels good. I made a phone call tonight while simultaneously listening to streaming audio and checking e-mail. It worked flawlessly.

I also started configuring the Netgear VPN. I haven’t been able to do this before, because I just didn’t have the expertise on Linux and it wasn’t nearly important enough to pay someone to figure it out for me. So I waited. But the Netgear setup looks pretty simple and straightforward. I’ll be testing it over the next few weeks as I have some travel to do. I look forward to having seamless access to my home computers, and to being able to pop up unexpectedly on my kids’ computers.

The other really cool thing the FVS124G has is two WAN ports with three modes of operation – fail-over, load balancing, and dedicated. This lets me have both a DSL and a cable-modem connection running simultaneously, with the router sharing the bandwidth between them. With my office at my house, and my connectivity subject to the vagaries of cheap-ass residential service from telco and cable monopolies, this sort of flexibility is priceless. The only feature I miss, and I could have it if I bought a slightly more expensive unit, is the DMZ. I like to put an open wireless router on the DMZ so visitors can log on without hassle and I don’t have to worry about my LAN. But I’ll get that next time.

I avoid doing this sort of geek stuff much anymore – I just don’t have the time and it always seems to take me 2x, or 3x, as long as it should. But today I didn’t have any problems and the little Netgear is working flawlessly. Between the VoIP fix, the dual connections, and the simple VPN I’m in my own little nerd heaven. I know it’s not much to you real geeks. But for me it’s about as good as it gets.

CYA Security is a great article by Bruce Schneier in the current Crypto-Gram. I am pretty much whipped by the security theatre I now endure every time I go through an airport. How is it possible that the ninnies at DHS/TSA think we can be on “High” terror alert for 5 1/2 solid years?! From the article:

Since 9/11, we’ve spent hundreds of billions of dollars defending ourselves from terrorist attacks. Stories about the ineffectiveness of many of these security measures are common, but less so are discussions of *why* they are so ineffective. In short: much of our country’s counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs. [emphasis mine]

And this:

And finally, we’re seeing CYA security on the national level, from our politicians. We might be better off as a nation funding intelligence gathering and Arabic translators, but it’s a better re-election strategy to fund something visible but ineffective, like a national ID card or a wall between the U.S. and Mexico.