Firewall Wizards mailing list archives

Re: Proxy and Stateful together ??


From: "Jean Caron" <caronj () norac net>
Date: Mon, 18 Nov 2002 13:12:23 -0500

Bennett Todd writes:
<snip>
While I didn't say so explicitly, I kinda figured that the initial
question that launched this thread --- hybrid firewall with
stateful packet filtering and application proxies on one box --- was
motivated by a small shop, for which a big industrial scale firewall
plant wasn't justified. It's easy to fling enough hardware at small
problems to prevent performance from being a problem.
-Bennett
<snip>

You're right, my original post had no mention of org size. It is, however, for what I qualify to be a large size organization (25,000+ users).

As for the discussion that took place in regards to doing IDS on the firewalls: in this case, the firewalls do firewalling only (proxy and packet filtering (stateful or not)), the IDS systems do IDS, the virus/content scanning systems do their part, and the VPN boxes do VPNs only... all on different boxes, even different segments.

It's understood that many of the open source solutions are quite good for small to mid-size shops, labs and personal use, but with such larger organizations usually they want *support*. Good old, paid for, hotline support. In my opinion, that usually means you may, at any time of day or night, talk on the phone to some junior/new guy who *tries* to follow a list of pre-defined questions only to end up hanging up the line by mistake trying to transfer your call to the next hop *not-so-new-anymore* guy who's got a different set of "more advanced" questions. Or better yet, using a service contract to justify the lack of obligation to monitor the security scene for everything and anything, but rather rely on the fact that *someone* will call and suggest that a patch be downloaded and applied for the bug that was published three weeks before on every good list, but that no one ever heard of before the phone call.

But eh, to each his own, and that's just my opinion. Not every shop is populated with experienced IT personnel. In this specific shop, they want the support option. So the post was for commercially available firewalls.

Thanks for all the replies received on and off list.

Jean
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

