Security Basics mailing list archives
RE: suggestions on a good firewall
From: "dave" <dave () netmedic net>
Date: Wed, 21 May 2003 17:27:30 -0400
You might want to take a closer look at W2003; I would beg to differ on it being "locked-down". I would agree that most of the add-ons have to be added on. But it is definitely not locked down. Plus it takes about 30 minutes to lock down a W2K box with IIS on it, if you use one of the tools/scripts out there, or make one yourself.

_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

-----Original Message-----
From: salgak () speakeasy net [mailto:salgak () speakeasy net]
Sent: Tuesday, May 20, 2003 13:30
To: Mark Ng; salgak () speakeasy net; security-basics () securityfocus com
Subject: Re: suggestions on a good firewall
>> Agreed. A Windows box, properly locked down, can be a reliable firewall.
>
> There's an element of truth to that - but I'm not sure I'd want to be the person locking it down or keeping up to date with patches ;). I also wouldn't recommend Windows unless in an HA pair.

Which, in turn, required the Advanced Server version of Windows. With a much higher pricetag. . .

> There's also a very strong argument for openbsd and PF too (stability, proven track record of security) - however, it's not as manageable as some other solutions.

Any *.BSD solution can probably be a good one. The trick, of course, is having a good admin to run the system (see below).

>> Locking it down can be a chore, a much easier chore with Win2003 server, but still takes some expertise and finesse. I prefer
>
> I've not yet had any experience with 2k3, so I can't possibly comment.

Win2003 actually ships pretty much locked down. You have to enable almost ANYTHING, including IIS. I guess MS has finally started listening to people...

>> hardware firewalls with a firmware basis, as they're harder to exploit, but many brands have reliability issues. I'm currently running Checkpoint and Gauntlet on Solaris, but this is a production environment I've inherited.
>
> If you're in the hardware firewall market, I quite like Netscreen and PIX. Netscreen had some issues with some software upgrades being a bit buggy some time recently though iirc, but on the whole, they're fairly solid firewalls that are easy to administer. PIX's of course don't have the pretty graphical interface, but are solid firewalls. I don't like Checkpoint, any firewall that comes by default with "Hidden Implied Rules" doesn't wash with me (is this still the case with newer versions of Checkpoint ?)

I like Netscreens as well: I used to go for SonicWalls, but in practice, especially with their smaller boxes, I've found the hardware itself to be a bit fragile, especially the power supplies. . .

>> For a good, relatively inexpensive firewall, I'd recommend the Linux-Mandrake firewall solution, running on commodity Intel hardware. Simple to set up, fairly easy to run, easy to maintain.
>
> Smoothwall definitely has its merits in this arena - and by extension I'd imagine IPcop does too.

I like Mandrake for the interface and smooth install: a bonus for inexperienced admins, especially ones new to *nix. . .

>> 2. What can my sysadmin handle ? A Junior MCSE handed a
>
> To be honest, I don't really think an MCSE with small amounts of job experience should ever be handed main security responsibility. There's merit to outsourcing security functions in this event if you're too small to justify full time security staff or experienced systems administrators with security experience. Any firewall configured badly is a bad firewall, be it IPcop, Smoothwall, OpenBSD/PF, Checkpoint or whatever.
Many years ago, I **WAS** that junior MCSE handed that Slackware firewall. And all of site security, for a small corporation. However, I was already playing with Linux (RedHat 4-ish days), and so wasn't totally lost. As opposed to the ongoing joke about the MS Certified Linux Specialist: upon detection of a Linux system, insert a DOS boot floppy, FDISK /MBR, and install Windows. . . <g> Of course, that's also where I got my start on Solaris as well. . . <g>

Regards
Keith

---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To!
Vigilar's industry leading curriculum includes: Security +, Check Point, Hacking & Assessment, Cisco Security, Wireless Security & more!
Register Now! --UP TO 30% off classes in select cities--
http://www.securityfocus.com/Vigilar-security-basics
----------------------------------------------------------------------------