Security Basics mailing list archives
Re: Hardware vs Software Firewall/Router
From: "Jim Miller @ Cox" <jim_miller () cox-internet com>
Date: Thu, 3 Apr 2003 13:43:32 -0600
And another country heard from ....

Linksys routers do not do stateful packet inspection. To protect a home network with PC firewalls installed and little or no risk, this is adequate. Better to get a firewall router that does the job, for a few dollars more, like a Checkpoint. It will do your stateful packet inspection and block attacks with known signatures. And then add an IDS or IDP to the config so you can find out who to protect yourself from, and how. Then you can have some continuity to your business operations.

This is a large scale problem. Better start a project and do the research, send out RFPs to get vendors to respond to your needs, then decide on the best course of action. Offloading the specs to a vendor seems like a wise way to go in your case. And remember to "trust but verify".

Hugh [Jim] Miller
979/777-9546
jim_miller () cox-internet com
Think globally
Act locally
Live tribally
Love God

----- Original Message -----
From: "James Lee Gromoll" <jgromoll () hotmail com>
To: <nsm () e-paradise net>; <security-basics () securityfocus com>
Sent: Wednesday, April 02, 2003 1:44 PM
Subject: Re: Hardware vs Software Firewall/Router
My $.02,

1. If you use software loaded on each host exposed to the web, then you will have failed right off, since any attacker already hits the host before he is dealt with.

2. If you mean to use software loaded on a PC acting as a firewall, then this is a much better idea and offloads the system overhead as well.

3. If you plan to use a hardware solution, you still have somewhat of a software solution anyhow. This is because now the software is simply burned into PROMs or the like, but in the end it is still code subject to compromise. While it is perhaps a bit tighter than others, it is still code, and I have faith all code can eventually be exploited.

4. I believe the best approach is a combination of hardware and software solutions.

5. Routers are good. They can segment and isolate your net to a great degree. Some routers offer advanced features that allow a high degree of control over traffic on the net (port filters, etc.). I would get at least one router.

6. Firewalls are also good. They definitely filter and limit traffic in and out of a net. It is best if you have a dedicated firewall, be it an appliance or a PC running firewall software.

7. There are a few FREE firewalls available. IPCop and Smoothwall are two. They require a dedicated PC with two NICs, or one NIC and a modem. The setup is remarkably easy, and a 200 MHz PC will provide quite adequate bandwidth at cable modem speeds and T1 speed also.

8. For the cost of a cable/DSL one port router, it is silly to not have a router.

9. A simple low $$ solution would look like this:

       WAN/Internet
            |
       Linksys single port router   (cost <$40)
            |
       Smoothwall PC                (cost: junker PC, ~$100)
            |
       LAN

10. These can be set up to be remotely administered, but I believe the Linksys still has an unresolved vulnerability when remote admin is enabled. Smoothwall can use SSH for remote admin.

11. The argument that the hardware firewalls have more vulns may bear credibility, since the code on them can be quite unique and, once compromised, the fix may be more difficult to implement. Basically the same argument that it is easier to fix a Windows bug than it is to fix a BIOS bug. It really depends on the skill level of the programmers.

ps. Oh, by the way, Linksys is becoming Cisco.

From: <nsm () e-paradise net>
To: security-basics () securityfocus com
Subject: Hardware vs Software Firewall/Router
Date: 2 Apr 2003 03:11:54 -0000

I work for a consulting company that services businesses with 30 to 200 clients. Our IT Manager likes to use a Linksys, or a 3Com hardware firewall solution. He is also thinking of introducing the Symantec Raptor (I could be incorrect on the name) software solution. We are mostly a Windows based firm with little *nix experience, so most software solutions are out already.

My reason for posting is: I would like to provide a valid argument for not using a software solution, and making our hardware solutions a little more "upscale", say PIX, Nokia, Checkpoint etc. The IT manager's argument is that he finds far fewer vulnerabilities in the software solutions or the Linksys and 3Com than what he does in the PIX etc. I am of course familiar with all of the basic differences; I am more so looking for valid argumentative points. Any input would be greatly appreciated.
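The dedicated two-NIC firewall PC from items 7 and 9 of James Lee Gromoll's message, with the stateful packet inspection Jim Miller says the Linksys lacks, can be expressed as a plain iptables ruleset. The script below is an added example for the archive, not Smoothwall's or IPCop's own configuration and not code from anyone in the thread. The interface names (eth0 toward the Linksys/Internet, eth1 toward the LAN), the LAN range 192.168.1.0/24 and the single admin host 192.168.1.10 are assumptions; the -m conntrack match is the modern spelling of what 2003-era kernels called -m state.

```shell
#!/bin/sh
# Stateful two-NIC firewall in the style of the dedicated Smoothwall/IPCop box.
# Added example: interface names, LAN subnet and admin host are assumptions,
# not values from the thread.
#
# Usage:  fw_rules echo       dry run, print the rules that would be applied
#         fw_rules iptables   apply (needs root and a Linux kernel with conntrack)

WAN_IF="${WAN_IF:-eth0}"                  # assumed: NIC facing the Linksys/Internet
LAN_IF="${LAN_IF:-eth1}"                  # assumed: NIC facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed LAN range
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"  # assumed: only host allowed to SSH in

fw_rules() {
    ipt="$1"   # "iptables" to apply, "echo" to print

    # Start from a clean table with deny-by-default policies on the
    # chains that see untrusted traffic.
    "$ipt" -F
    "$ipt" -t nat -F
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Loopback is always fine.
    "$ipt" -A INPUT -i lo -j ACCEPT

    # Stateful inspection: only replies to connections the LAN (or the
    # firewall itself) opened may come back in. A plain port filter cannot
    # make this distinction; it has to leave reply ports open permanently.
    "$ipt" -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A INPUT   -m conntrack --ctstate INVALID -j DROP
    "$ipt" -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Anti-spoofing: nothing arriving on the WAN side may claim a LAN source.
    "$ipt" -A INPUT   -i "$WAN_IF" -s "$LAN_NET" -j DROP
    "$ipt" -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Remote admin: SSH only, only from the LAN side, only from one host.
    # No rule admits NEW connections from the WAN, so the management
    # service is unreachable from the Internet by construction.
    "$ipt" -A INPUT -i "$LAN_IF" -s "$ADMIN_HOST" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # New outbound connections from the LAN are allowed and NATed.
    "$ipt" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    "$ipt" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Everything else falls through to the DROP policies set above.
}

# Sanity check on the generated ruleset: count ACCEPT rules keyed on the
# WAN interface. A correct ruleset has none, so this should print 0.
wan_accept_rules() {
    fw_rules echo | grep -c -- "-i $WAN_IF .*ACCEPT" || true
}

# Stand-alone: dry run. Pass "apply" as the first argument to load the rules.
if [ "${1:-}" = "apply" ]; then
    fw_rules iptables
else
    fw_rules echo
fi
```

Run without arguments it prints the ruleset so it can be reviewed before touching a live box ("trust but verify"); `sh fw.sh apply` loads it. Note that remote admin from the WAN is simply absent rather than allowed and then restricted: an attacker who finds a bug in the management service still cannot reach it from the outside.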
------------------------------------------------------------------- SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-security-basics
Current thread:
- Hardware vs Software Firewall/Router nsm (Apr 02)
- RE: Hardware vs Software Firewall/Router David Gillett (Apr 04)
- Re: Hardware vs Software Firewall/Router Xaos (Apr 04)
- <Possible follow-ups>
- Re: Hardware vs Software Firewall/Router James Lee Gromoll (Apr 03)
- Re: Hardware vs Software Firewall/Router Jim Miller @ Cox (Apr 04)
- Re: Hardware vs Software Firewall/Router David Vertie (Apr 04)
- RE: Hardware vs Software Firewall/Router Chris Berry (Apr 04)