Firewall Wizards mailing list archives
Re: Multiple firewalls from different manufactureres
From: "Keith A. Glass" <salgak () speakeasy net>
Date: Fri, 28 Jan 2005 21:45:25 +0000
-----Original Message-----
From: Eugene Kuznetsov [mailto:eugene () datapower com]
Sent: Friday, January 28, 2005 07:35 PM
To: 'Keith A. Glass', 'Joseph S D Yao', 'Marcus J. Ranum'
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Multiple firewalls from different manufactureres

Of Keith A. Glass

Yes and no. You CAN put up a decent firewalling solution using commodity computers, especially the 1-U units (Dell 1700-series, HP Proliant DL360s, etc. . ) and either Linux, Solaris (now that it's free) or some flavor of BSD, and the firewall of your choice. I just wish some of the vendors would allow their FW solution to be available outside the "appliance" vehicle (Yes, I'm talking about Symantec and Secure Computing. . .)

Hmm, this is pretty interesting, because it's contrary to what I hear elsewhere. Could you talk about why you would rather get software instead of a sealed appliance -- ignoring, for the time being, the cases where the appliance includes hardware acceleration for some aspects of security processing. Is it perceived cost? Desire to reuse old hardware? Even for Checkpoint, over 50% of the business is appliance-based, maybe more now.
Yes. I would. I do not trust that which I have PERSONALLY not secured for a firewall. Things like, for instance, removing entirely suspect or known dangerous applications. . . like removing Sendmail from Solaris entirely, as opposed to just disabling S87Sendmail, etc. Not having to be beholden to a single source for parts or OS patches. Yes, a "SecureOS" is nice, but I'm trusting a vendor that it IS secure. . . until someone finds an exploit, and suddenly, because my purchasing department is a bit slow, my support contract has expired and now I can't get patches. The other nice thing about commodity gear for firewalls, is I can configure it MY way, and keep commodity spares handy. . .
Now, granted, if what you're getting from the vendor is the dreaded "server appliance" -- the same Dell 1U server with RedHat & some custom software preinstalled -- it probably doesn't matter.
Perhaps. But I'm paranoid about hardware support and supposedly secure OS's. Mind you, my IDEAL setup is a firmware-based firewall out in front that blackholes response on unopened ports, or from unauthorized addresses, and then the REAL firewall behind that, possibly with a honeypot hanging off the intermediate network, but that's often cost-prohibitive. Or, in some cases, not authorized. . .