Security Basics mailing list archives
RE: suggestions on a good firewall
From: "Des Ward" <des.ward () ntlworld com>
Date: Fri, 23 May 2003 18:17:04 +0100
I've been reading this thread for a while now, and would like to make a few points:

1. People in the IT industry get VERY blinkered in regards to what they work with and don't really understand other technologies. This is what has been manifested in the immature comments exhibited over the past week.

2. I agree with the general consensus that it is the security admin that makes the firewall work, not the technology. How many people are in this job because they feel passionately about security? Furthermore, how many people take the care to properly harden servers, due to the fact that they are putting all their faith in one (often expensive) line of defence? The whole point in security should be to put as many layers in as you can afford (this includes hardening of O/S, application and passwords, and applying updates to the servers). For example, how many people have Cisco routers and apply access lists to them?

3. The majority of firewalls that I have seen have ~10% of their capability used and are then upgraded without fully using the technology, due to ignorance. This means that the ability to provide VPNs costs a lot more than it should on, say, Checkpoint FW-1 than it could on a Netscreen or Cisco PIX.

4. A 'software' firewall can be as good as a hardware one; take for example Checkpoint on a Nokia platform (the argument about software firewalls changes now, see, it's all in the implementation). This is now not a general purpose O/S, but a specifically hardened one (I admit that it is also a VERY expensive solution!).

5. The bottom line is that there are inexperienced techs out there who will listen to anything that we all say in this forum... If you don't have anything to say that you cannot substantiate, then please keep quiet in the cheap seats, there are people trying to find things out!!
-----Original Message-----
From: Jim Barrett [mailto:jimb () ins com]
Sent: 21 May 2003 17:43
To: Dan.Hemphill () warehouse com; jeffr76 () yahoo com; security-basics () securityfocus com; bloodk () prodigy net mx
Subject: RE: suggestions on a good firewall

Not to wade into this on one side or the other, but the basic argument for a hardware based firewall such as the Cisco PIX, the Sonicwall, the old Lucent Brick, etc., is that in such a firewall, the OS is designed specifically to support firewall functions and nothing else. In addition, hardware firewalls generally have Application Specific Integrated Circuits (ASICs) that perform the firewall functions much faster than a general purpose x86 or AMD processor. Software firewalls such as those that run on Linux, Microsoft's ISA server, Checkpoint's Firewall-1, Raptor, etc. run on top of general purpose OSes that are designed to do more than just firewall functions. While it is possible to really lock down a general purpose OS to support the firewall, it requires considerably more knowledge to do it properly. Add to this the fact that most software firewalls don't have the ASIC support, thus they are not as fast for higher volume usage.

I don't group toys like the Linksys, DLINK and others into the category of true firewalls. While they do supply some measure of firewall security, in this day and age, a good firewall is going to do a lot more than simple packet filtering. A really good firewall should operate at the upper layers of the OSI model and provide for true stateful inspection of packets. Both hardware and software firewalls are capable of this. A good firewall should also provide a means for secure VPNing. The commercial products such as Cisco, Sonicwall, Raptor, and Checkpoint all do this. I'm sure that you can get similar functionality from some of the Linux based products, though you probably need to be choosy. On the other hand, OpenSSH might be all you really need.

Bottom line - if you really know what you are doing from a security perspective and do not need the absolute utmost in throughput, a software only firewall may be a good choice - especially Linux ones that don't come with a large OS price tag attached. On the other hand, if you are not a true expert or need very intensive throughput, you are probably better off going with a hardware based firewall if you have the cash.

Jim Barrett, MCSE, CISSA, CISSP, CCNP
Principal Consultant
International Network Services
Boston, MA
(617) 319-3090

-----Original Message-----
From: Dan.Hemphill () warehouse com [mailto:Dan.Hemphill () warehouse com]
Sent: Wednesday, May 21, 2003 11:45 AM
To: jeffr76 () yahoo com; security-basics () securityfocus com; bloodk () prodigy net mx
Subject: RE: suggestions on a good firewall

What the people ragging on Linux firewalls don't realize is that it is indeed a hardware firewall, as it runs on its own dedicated hardware. If you were to buy a Linksys, Netgear, or even something more expensive like Cisco, those are hardware firewalls too, but they STILL run an embedded operating system. A software firewall is a piece of software that runs on the host it's trying to protect, such as Zone Alarm, for example.

I look forward to hearing the reasons (read: factual evidence) that state why a Linux firewall such as Smoothwall or Astaro are a bad idea(tm).

-Dan

-----Original Message-----
From: Jeff [mailto:jeffr76 () yahoo com]
Sent: Tuesday, May 20, 2003 12:36 PM
To: security-basics () securityfocus com; Ing Bernardo Lopez
Subject: Re: suggestions on a good firewall

OK, I'll bite. Why is Linux or the others in this thread a bad idea as a firewall? I see you would recommend a hardware firewall. Does this mean like a Linksys or Netgear or Raptor or one of those types of Linux based firewall systems? I have deployed Linux, Cisco, and Raptor based firewalls and the difference I have seen is support and cost, Linux being the least cost and Cisco being the most.

If it was my network and I was making the security policy I would choose Linux or Raptor. Cisco is just too much money for a personal or small company network.

Just my .02

Jeff

----- Original Message -----
From: "Ing Bernardo Lopez" <bloodk () prodigy net mx>
To: <security-basics () securityfocus com>
Sent: Monday, May 19, 2003 4:49 PM
Subject: Re: suggestions on a good firewall

Yeah, Linux as a firewall is poorer than Microsoft, better use OpenBSD or buy a hardware firewall... don't be a poor freak guy...

On Saturday 17 May 2003 12:07, kerberus wrote:
Please get a real firewall, use OpenBSD and PF

On Fri, 2003-05-16 at 14:50, Tom Sevy wrote:
I 2nd ipcop as a suggestion...

-----Original Message-----
From: Mike Moore [mailto:mike () moorecomputing net]
Sent: Thursday, May 15, 2003 7:14 PM
To: security-basics () securityfocus com
Subject: RE: suggestions on a good firewall

Or even better www.ipcop.org. A lot better support and no abuse.

-----Original Message-----
From: Dan Tesch [mailto:dantel () rb-group com]
Sent: Wednesday, May 14, 2003 1:37 PM
To: Beaney, Derek; security-basics () securityfocus com
Subject: Re: suggestions on a good firewall

Try www.smoothwall.org

Beaney, Derek wrote:
I'm planning on making a firewall for my home system. I am running Windows XP / SuSE 8.1 dual boot. What I want to do is set up another computer to act as a firewall for my main system. What I want this to do is to be able to control what enters and leaves my system, with a way to set up permissions. Preferably I would like to have a firewall running on either a Linux or Unix OS ... no M$ =)

TIA

---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To! Vigilar's industry leading curriculum includes: Security +, Check Point, Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now! --UP TO 30% off classes in select cities-- http://www.securityfocus.com/Vigilar-security-basics
---------------------------------------------------------------------------
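To make concrete the distinction Jim Barrett draws above between "simple packet filtering" and "true stateful inspection", here is an added Python model of both (example code written for this archive page; it is not from any of the posts and not from any product named in the thread). It runs two filters over the same constructed traffic: a stateless filter that judges each packet by its header alone, and a stateful one that only admits inbound packets belonging to a connection an inside host opened. The addresses, ports, the `Packet` fields and the choice of 10.0.0.0/8 as the protected side are all assumptions made for the illustration.

```python
"""Toy model: stateless packet filter vs. stateful inspection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # Minimal TCP header view; only the fields the filters look at.
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # SYN flag set (connection attempt)
    ack: bool = False  # ACK flag set


def is_inside(ip: str) -> bool:
    # Assumed topology: 10.0.0.0/8 is the protected LAN, everything else is outside.
    return ip.startswith("10.")


def stateless_filter(packets):
    """Simple packet filter: every packet is judged on its own header fields.

    Policy: anything outbound is allowed; inbound is allowed only when it
    looks like a reply from a web server (source port 80). Nothing is
    remembered between packets, so the filter cannot tell a real reply
    from any other packet that happens to carry source port 80."""
    verdicts = []
    for p in packets:
        if is_inside(p.src) and not is_inside(p.dst):
            verdicts.append("allow")
        elif not is_inside(p.src) and p.sport == 80:
            verdicts.append("allow")
        else:
            verdicts.append("drop")
    return verdicts


def stateful_filter(packets):
    """Stateful inspection: an inbound packet is allowed only if it belongs
    to a connection that an inside host opened (recorded on its outbound SYN)."""
    table = set()  # entries: (inside_ip, inside_port, outside_ip, outside_port)
    verdicts = []
    for p in packets:
        if is_inside(p.src) and not is_inside(p.dst):
            if p.syn:
                table.add((p.src, p.sport, p.dst, p.dport))
            verdicts.append("allow")
        elif not is_inside(p.src):
            # Match the reverse of a recorded outbound connection.
            if (p.dst, p.dport, p.src, p.sport) in table:
                verdicts.append("allow")
            else:
                verdicts.append("drop")
        else:
            verdicts.append("drop")
    return verdicts


# Constructed traffic sample (not a capture). Outbound web request, its
# legitimate reply, then two unsolicited inbound packets.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 80, syn=True),            # inside host opens web connection
    Packet("203.0.113.10", 80, "10.0.0.5", 51000, syn=True, ack=True),  # genuine SYN/ACK reply
    Packet("198.51.100.7", 80, "10.0.0.5", 445, syn=True),              # unsolicited, source port happens to be 80
    Packet("198.51.100.7", 4444, "10.0.0.5", 22, syn=True),             # unsolicited, ordinary source port
]


def compare():
    """Return both filters' verdicts for the sample traffic, in packet order."""
    return {
        "stateless": stateless_filter(TRAFFIC),
        "stateful": stateful_filter(TRAFFIC),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:9s} {verdicts}")
```

The third packet is the one that separates the two: the stateless filter admits it because its source port is 80, while the stateful filter drops it because no inside host ever opened a connection to that address. Stateless refinements that look at the ACK bit (the `established` keyword in Cisco IOS extended access lists is the usual example) narrow the gap but are still per-packet checks; only connection tracking ties an inbound packet to an outbound request.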