Security Basics mailing list archives
RE: Firewall Hardware Recommendations
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Tue, 30 Dec 2003 09:57:38 -0800
Personally I like a firewall to do firewalling. If I want VPN, I get a VPN box; if I want proxying, I get a proxy box. The All-in-One Firewall appliance is a bad idea for a scalable architecture and systems design. WatchGuard, SonicWall and countless others throw those features in as 'supplemental features' built around the core feature, aka the firewall. But the features they provide are never really good and only provide limited control. Proxy servers are complex creatures that need a good level of TLC, and the control provided by the interfaces to those firewalls is limited in that capacity. Now, am I saying they should never be used? Nope, but if you are thinking of setting up application level proxies I doubt an All-in-One FW is your best bet.

Naren, please remember that this is a "Security BASICS" list. So providing a little information about the "Common Criteria Certifications" would be warranted and "I expect you to know" isn't. The Common Criteria Certifications, ok CC from now on, is a testing methodology and standard scoring/rating system for security systems. This isn't limited to firewalls, but can be anything with security features, i.e. Operating Systems, applications, etc. The CC actually sprang from the Trusted Computer System Evaluation Criteria, aka The Orange Book. Has the WatchGuard firewall been EAL4/EAL4+ rated? Windows 2000 has (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/issues/w2kccwp.asp)! On the WatchGuard site they are ICSA Certified for IPSec and VPN Standards but that's it. From their site I can't garner any information about testing at CC SAIC's Lab. WatchGuard has only one product under the CC VPL (http://niap.nist.gov/cc-scheme/ValidatedProducts.html) in the firewall category, and it's an EAL2 certification and none of the firewalls you mentioned.

Application level proxies provide much more control over the data that flows through them, but fail to protect at lower levels of the OSI model; they protect at Layer 7, and 6 depending on how you look at it. But with that you have increased overhead, load and latency to do all that work. You can show your salesman side by refuting that. My layer two switch is loads faster than my other switch because it works at lower levels of the OSI and does less thinking and more work. That said, proxies provide the best protection because unlike a SPI (Stateful Packet Inspection) or ASA (Adaptive State Analysis) firewall they care about the data that is flowing at the layer 7(6) protocols, while SPI and ASA are more Layer 2 through 5 oriented. But you're absolutely right, everyone should have a basic understanding of the CC, so I hope the below resources will help someone out. Okdokie, off my soapbox I go.

CC Information: http://www.commoncriteria.com
Orange Book: http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html
SAIC CCTL: http://www.saic.com/infosec/cctl.html
NetScreen CC: http://www.netscreen.com/resources/certifications/
PIX CC: http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pxcrt_ai.htm
ASIC Architecture: http://www.synplicity.com/products/structuredasic/
OSI Model: http://www2.rad.com/networks/1994/osi/layers.htm
Proxy: http://whatis.techtarget.com/definition/0,,sid9_gci212840,00.html

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Naren - Pactech [mailto:naren () pactech net]
Sent: Monday, December 29, 2003 7:33 PM
To: Shawn Jackson; jamesworld () intelligencia com; 'Keith Duemling'
Cc: security-basics () securityfocus com
Subject: RE: Firewall Hardware Recommendations

Dear all ....

I am not trying to one-up, but Watchguard Fireboxes Series (FB 500 to FB 4500) have something called "PROXIES" with a lot of functions and security. And it has unbeatable graphical monitoring and logging tools, all bundled in FOC (now .. what use is a firewall if you are not sure who is doing what, in realtime !!!)

Note - the entry level soho are built on Stateful inspection and the higher end V-Class are built on an ASIC architecture .. I would not want to go into the specifics ...

BTW, take a look at the common-criteria certifications, and see what technology of firewalls are getting higher scores (I hope you are well versed with Common Criteria). If you can convince me that SPI or ASA is better than Application level proxies, I will say that you are right !!!

Naren

PS: we are only a reseller, and not distributor for WG, as we also resell other security products ..

T. Naren
Technical Manager - Pactech Pte Ltd., Singapore
Infocomm Security Solutions Distribution and Services
pager: +65-95778725
office: +65-62711123
fax: +65-62703919
e: naren () pactech net
w: http://www.pactech.net
address: Blk 211, Henderson Road, #07-02, Singapore 159552

-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com]
Sent: Tuesday, December 30, 2003 2:03 AM
To: jamesworld () intelligencia com; Keith Duemling
Cc: security-basics () securityfocus com
Subject: RE: Firewall Hardware Recommendations

WatchGuard more secure than PIX? Probably a sales person from another vendor, gotta love them. I've protected banks with the PIX 515 and 525 series and they're rock solid. Update your Secure-IOS and maintain your ACLs and you're golden. Unlike SonicWall (maybe even WatchGuard now too) you don't have to pay for the VPN component. A SonicWall PRO 230 + VPN Licenses + Client Licenses = More than a PIX 515. I've heard, but never seen, that WatchGuard is in the same licensing frenzy.

Can't speak for NetScreen, I've personally tried to stay away from them, they give me the willies, but it's been a while since I looked at them last. Same Q's as J. What Model? What S-IOS version? How Old, etc. I admit, with head held in shame, that configuring the PIX can be a pain in the arse, especially when you're working with the IPSEC end of a VPN configuration, and I've never setup PPTP on a PIX, but have done so on many Cisco routers with little problems. Honestly, whoever sold you that load of bull needs help, no disrespect intended, but in security, facts rule the digital road and misinformation is the hazard just around the next corner.

I hope EVERYONE had a safe and uneventful Christmas + Boxing Day. Set aside some time today to review your logs (that built up) in full before saving them and clearing from the active log files.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
Sent: Sunday, December 28, 2003 10:34 PM
To: Keith Duemling
Cc: security-basics () securityfocus com
Subject: Re: Firewall Hardware Recommendations

Keith,

Curious, What cisco firewall do you currently have and what version OS is on it? Who told you that a WatchGuard firewall is more secure than a Cisco firewall? The PIX does what you are asking for. If you have information to the counter, please post.

Cheers!
-J

At 19:32 12/23/2003, Keith Duemling wrote:
Just wanted to get some feedback from the list regarding some research I'm currently working on. We're replacing our existing Cisco firewall with a dedicated firewall hardware/software solution to provide greater security and VPN access. I've been looking at the Netscreen and various Watchguard products at this time. The current environment is as follows;
- NAT environment
- DMZ to host web accessible servers
- 100 internal users
- Extensive intranet site & visitation to several high profile B2B sites.
- Constant 10 user VPN community.
- Redundant T1 connection managed by RADware Linkproof hardware solution.

Any recommendations would be greatly appreciated. Thanks in advance.

Keith Duemling
MCP
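Shawn's distinction between a stateful packet filter (tracks Layer 2 through 5 connection state, never reads the payload) and an application level proxy (parses the Layer 7 data it forwards), as an added toy model that is not code from the thread or from any vendor. The `Packet` class, the HTTP request-line regex, the 512-byte line limit and the sample traffic are all constructed for this illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    payload: bytes = b""

@dataclass
class StatefulFilter:
    """Layer 3/4 view: tracks flows the inside opened; never reads payload."""
    allowed_dports: set = field(default_factory=lambda: {80})
    flows: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn:                                  # new connection attempt
            if pkt.dport not in self.allowed_dports:
                return "deny"
            self.flows.add(key)
            return "allow"
        # Anything on an established flow passes, whatever it carries.
        return "allow" if key in self.flows else "deny"

# Layer 7 view: forward only what parses as a sane HTTP/1.x request line.
HTTP_REQ = re.compile(rb"^(GET|HEAD|POST) /[^ \r\n]* HTTP/1\.[01]\r\n")

def http_proxy_decide(pkt: Packet, max_line: int = 512) -> str:
    if not pkt.payload:
        return "allow"      # nothing to parse: lower layers must handle this
    first_line = pkt.payload.split(b"\r\n", 1)[0]
    if len(first_line) > max_line:                   # oversized request line
        return "deny"
    return "allow" if HTTP_REQ.match(pkt.payload) else "deny"

def compare(packets):
    spi = StatefulFilter()   # (stateful_verdict, proxy_verdict) per packet
    return [(spi.decide(p), http_proxy_decide(p)) for p in packets]

# Constructed sample: a client opens port 80, sends a good request, then an
# oversized one on the same (now trusted) flow, then tries to open telnet.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, payload=b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, payload=b"GET /" + b"A" * 600 + b" HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.5", 40001, "203.0.113.10", 23, syn=True),
]
```

Running `compare(SAMPLE)` shows the complementary blind spots: the stateful filter waves the oversized request through because the flow is established, while the HTTP check has nothing to say about the telnet connection attempt that the stateful filter blocks.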