First of all let me congradulate you for having the guts to post this
to this list. Your configuration will attract a lot of flames about
putting too much onto one box.
>From a technical standpoint, the idea has problems and it is
definitely not the best in terms of security. I'm sure that its
shortcomings will be noted in full. But let's accept your constraint
that the system must cost $2000. Perhaps you intend to field *tons* of
these systems at the offices of small companies or field sites.
Let's face it, not everyone has 10-20K to spend on a firewall.
The real question is will a site be better off after spending $2000?
Certainly. The configuration that you post will protect the site *much*
better than the alternative of having no firewall at all.
In fact your security may be *better* than that of some companies that
have bought expensive firewalls only to open up insecure services. It
really happens :(.
Now, I'm normally the guy who chirps in here about how a secure OS
could solve all of your problems -- but I don't see how you can get
there with your budget constraints. Too bad, it would help you secure
the box itself which is an admittedly a much bigger target in your
spec. You may have trouble getting that all to run on one box without
purchasing lot of expensive memory, but that's another problem.
Looks to me that you'll need a FreeBSD or Linux box on the
clone-of-the month that's cheapest. There have been some excellent
postings in months past that detail things to "harden" the OS such as
using read-only file systems, chroot etc. Accompany that with free or
public domain proxies and servers of your choice.
I further recommend that you periodically blow away the entire OS
and reload from CD or tape once in a while. But before you go down
this path, compare the cost of what you're protecting against the cost
of the firewall; see if you can open that budget up a litte :)
If you are really configuring a *single* sytem, by now you should be
aware that your salary as an engineer configuring this one of a kind
cost-cutter system will be for more expensive than $2000.
Maybe you should spend less on engineering time and more on purchase price. :)
I'm sure that may vendors will happily accept your money, and you will
gain overall because they can afford to work harder on security because
they have a larger base over which to spread the R&D costs.
Secure Systems Engineering
AT&T Bell Labs
> Low Cost Firewall: $2,000 US (hardware/software included)
> Supported Services:
> 1) TCP/IP filtering mechanism that allows for priority queuing
> 2) HTTP caching proxy support (internal and external)
> 3) FTP caching proxy support (internal and external)
> 4) GOPHER caching proxy support (internal and external)
> 5) Telnet proxy support (internal and external)
> 6) SMTP secured mail transport mechanism (inbound and outbound)
> 7) DNS Server Capability (forwarding, caching, and secondary support)
> 8) HTTP Server Support for External/Internal WWW pages
> 9) MBONE tunnel endpoint (secure internal broadcast)
> 10) IRC Client and Server support (internal and external)
> 11) WAIS caching proxy support (internal and external)
> 12) POP mail support
> 13) Automatic Status reports and cache management features.
> 14) ALL ON THE SAME MACHINE!