Firewall Wizards mailing list archives

Re: Multiple firewalls from different manufacturers


From: "Keith A. Glass" <salgak () speakeasy net>
Date: Fri, 28 Jan 2005 21:45:25 +0000

-----Original Message-----
From: Eugene Kuznetsov [mailto:eugene () datapower com]
Sent: Friday, January 28, 2005 07:35 PM
To: ''Keith A. Glass'', ''Joseph S D Yao'', ''Marcus J. Ranum''
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Multiple firewalls from different manufacturers


Yes and no.  You CAN put up a decent firewalling solution
using commodity computers, especially the 1-U units (Dell
1700-series, HP Proliant DL360s, etc. . ) and either Linux,
Solaris (now that it's free) or some flavor of BSD, and the
firewall of your choice.  I just wish some of the vendors
would allow their FW solution to be available outside the
"appliance" vehicle (Yes, I'm talking about Symantec and
Secure Computing. . .)

Hmm, this is pretty interesting, because it's contrary to what I hear
elsewhere. Could you talk about why you would rather get software instead of
a sealed appliance -- ignoring, for the time being, the cases where the
appliance includes hardware acceleration for some aspects of security
processing. Is it perceived cost? Desire to reuse old hardware? Even for
Checkpoint, over 50% of the business is appliance-based, maybe more now.

Yes.  I would.  I do not trust that which I have PERSONALLY not secured for a firewall.  Things like, for instance, 
removing entirely suspect or known dangerous applications. . . like removing Sendmail from Solaris entirely, as opposed 
to just disabling S87Sendmail, etc.  Not having to be beholden to a single source for parts or OS patches.  Yes, a 
"SecureOS" is nice, but I'm trusting a vendor that it IS secure. . . until someone finds an exploit, and suddenly, 
because my purchasing department is a bit slow, my support contract has expired and now I can't get patches.  The other 
nice thing about commodity gear for firewalls, is I can configure it MY way, and keep commodity spares handy. . .

Now, granted, if what you're getting from the vendor is the dreaded "server
appliance" -- the same Dell 1U server with RedHat & some custom software
preinstalled -- it probably doesn't matter.

Perhaps.   But I'm paranoid about hardware support and supposedly secure OSes.

Mind you, my IDEAL setup is a firmware-based firewall out in front that blackholes response on unopened ports, or from 
unauthorized addresses, and then the REAL firewall behind that, possibly with a honeypot hanging off the intermediate 
network, but that's often cost-prohibitive.  Or, in some cases, not authorized. . .
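The outer "blackhole" firewall Keith describes, as an added example that is not part of the original thread: a small shell function that emits an nftables ruleset whose only answer to unopened ports or unauthorised source addresses is silence (drop, never reject), with just the published services forwarded on to the intermediate network where the real firewall and a honeypot would sit. The interface names (wan, dmz), the management network 203.0.113.0/24, the published ports and the bogon list are all assumptions for illustration; nothing here is from the thread or any vendor product.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset for an
# outer firewall that silently drops everything it has not been told to pass.
# Interface names, management network and published ports are assumptions.

# gen_front_fw_ruleset WAN_IF DMZ_IF MGMT_NETS PUBLIC_TCP_PORTS
#   MGMT_NETS and PUBLIC_TCP_PORTS are comma-separated nft set elements,
#   e.g. "203.0.113.0/24" and "80, 443".
gen_front_fw_ruleset() {
    wan="$1"; dmz="$2"; mgmt="$3"; pub="$4"
    cat <<EOF
flush ruleset

define mgmt_nets  = { $mgmt }
define public_tcp = { $pub }
# Source addresses that can never legitimately arrive on the outside
# interface (RFC 1918, loopback, link-local, "this" network).  Packets
# claiming them are unauthorised by definition and are dropped unanswered.
define bogon_src = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }

table inet front {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname "$wan" ip saddr \$bogon_src drop
        # The box itself is reachable only from the management networks, only on SSH.
        ip saddr \$mgmt_nets tcp dport 22 accept
        # Deliberately no 'reject' rule anywhere: a probe to an unopened port gets
        # neither a TCP RST nor an ICMP unreachable, so closed and filtered ports
        # look identical to a scanner ("blackholing").  The alternative would be:
        #   reject with tcp reset
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$wan" ip saddr \$bogon_src drop
        # Only the published services are forwarded into the intermediate network;
        # the inner ("real") firewall behind it does the fine-grained policy.
        iifname "$wan" oifname "$dmz" tcp dport \$public_tcp ct state new accept
        # Nothing initiated from the intermediate network is forwarded outward
        # by this box; that decision is left to the inner firewall as well.
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check the generated ruleset without loading it.  Needs the nft
# binary (and usually root); silently succeeds where nft is absent so the
# generator can still be exercised on a workstation.
check_front_fw_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
    gen_front_fw_ruleset "$@" | nft -c -f -
}
```

Typical use is `gen_front_fw_ruleset wan dmz 203.0.113.0/24 "80, 443" > front.nft` followed by `nft -c -f front.nft` to check it and `nft -f front.nft` to load it. The two `policy drop` defaults plus the absence of any `reject` rule are the whole point: the only traffic the outer box ever answers is what it was explicitly told to pass.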


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

