Security Basics mailing list archives

RE: Firewall Hardware Recommendations

From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Tue, 30 Dec 2003 09:57:38 -0800


        Personally I like a firewall to do firewalling. If I want VPN, I
get a VPN box, if I want proxying I get a proxy box. The All-in-One
Firewall appliance is a bad idea for a scaleable architecture and
systems design. WatchGuard, SonicWall and countless others throw those
features in as 'supplemental features' built around the core feature,
aka the firewall. But they provide those features are never really good
and only provide limited control. Proxy servers are complex creatures
that need a good level of TLC and the control provided by the interfaces
to those firewalls is limited in that capacity. Now am I saying they
should never be used, nope, but if you are thinking of setting up
application level proxies I doubt an All-in-One FW is your best bet.

Naren, please remember that this is a "Security BASICS" list. So
providing a little information about the "Common Criteria
Certifications" would be warranted and "I expect you to know" isn't. The
Common Criteria Certifications, ok CC for now on, is a testing
methodology and standard scoring/rating system for security systems.
This isn't limited to firewalls, but can be anything with security
features, I.e. Operating Systems, applications, etc. The CC is actually
sprung from the Trusted Computer System Evaluation Criteria, aka The
Orange Book.

Has the WatchGuard firewall been EAL4/EAL4+ rated? Windows 2000 has,
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secu
rity/topics/issues/w2kccwp.asp)! On the WatchGuard site they are ICSA
Certified for IPSec and VPN Standards but that's it. From their site I
can't garner any information about a testing at CC SAIC's Lab.
WatchGuard has only one product under the CC VPL
(http://niap.nist.gov/cc-scheme/ValidatedProducts.html) in the firewall
category and it's an EAL2 certification and none of the firewalls you
mentioned.

Application level proxies provide much more control over the data that
flows through them, but fail to protect at lower levels of the OSI
model, they protect at Layer 7, and 6 depending on how you look at it.
But with that you have increased overhead, load and latency to do all
that work. You can show your salesman side by refuting that. My layer
two switch is loads faster then my other switch because it works at
lower levels of the OSI and does less thinking and more work. That said,
proxies provide the best protection because unlike a SPI (Stateful
Packet Inspection) or ASA (Adaptive State Analysis) firewall they care
about the data that is flowing at the layer 7(6) protocols while SPI and
ASA are more Layer 2 through 5 oriented. 

But your absolutely right, everyone should have a basic understanding of
the CC, so I hope the below resources will help someone out. Okdokie,
off my soapbox I go. 

CC Information: http://www.commoncriteria.com 

Orange Book:
http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html

SAIC CCTL: http://www.saic.com/infosec/cctl.html

NetScreen CC: http://www.netscreen.com/resources/certifications/
PIX CC:
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pxcrt_ai.htm

ASIC Architecture: http://www.synplicity.com/products/structuredasic/

OSI Model: http://www2.rad.com/networks/1994/osi/layers.htm

Proxy: http://whatis.techtarget.com/definition/0,,sid9_gci212840,00.html


Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Naren - Pactech [mailto:naren () pactech net] 
Sent: Monday, December 29, 2003 7:33 PM
To: Shawn Jackson; jamesworld () intelligencia com; 'Keith Duemling'
Cc: security-basics () securityfocus com
Subject: RE: Firewall Hardware Recommendations

Dear all  ....

I am not trying to one-up, but Watchguard Fireboxes Series (FB 500 to FB
4500) have something called "PROXIES" with a lot of functions and
security. And it has unbeatable graphical monitoring and logging tools,
all bunlded in FOC (now .. what use is a firewall is you are not sure
who is doing what, in realtime !!!)

Note - the entry level soho are built on Stateful inspection and the
higher end V-Class are built a ASIC architecture .. I would not want to
go the specifics ...

BTW, take a look at the common-criteria certifications, and see what
technology of firewalls are getting higher scores (I hope you are well
versed with Common Criteria) 

If you can convince me that SPI or ASA is better than Application level
proxies, I will say that you are right !!!

Naren

PS: we are only a reseller, and not distributor for WG, as we also
resell other security products .. 

T. Naren 
Technical Manager - Pactech Pte Ltd., Singapore
Infocomm Security Solutions Distribution and Services
pager: +65-95778725
office: +65-62711123 fax: +65-62703919
e: naren () pactech net  w: http://www.pactech.net
address: 
Blk 211, Henderson Road, #07-02, Singapore 159552



-----Original Message-----
From: Shawn Jackson [mailto:sjackson () horizonusa com]
Sent: Tuesday, December 30, 2003 2:03 AM
To: jamesworld () intelligencia com; Keith Duemling
Cc: security-basics () securityfocus com
Subject: RE: Firewall Hardware Recommendations



        WatchGuard more secure then PIX? Probably a sales person from
another vendor gotta love them. I've protected banks with the PIX 515
and 525 series and their rock solid. Update your Secure-IOS and maintain
your ACL's and your golden. Unlike SonicWall (maybe even WatchGuard now
too) you don't have to pay for the VPN component. A SonicWall PRO 230 +
VPN Licensees + Client Licensees = More then a PIX 515. I've heard, but
never seen, that WatchGuard in the same licensing frenzy. Can't speak
for NetScreen, I've personally tried to stay away from them, they give
me the willies, but it's been a while since I looked at them last.

        Same Q's as J. What Model? What S-IOS version? How Old, etc.
Iadmit, with head held in shame, that configuring the PIX can be a pain
in the arse, especially when you're working with the IPSEC end of a VPN
configuration and I've never setup PPTP on a PIX, but have done so on
many Cisco routers with little problems.

        Honestly, whoever sold you that load a bull needs help, no
disrespect intended but in security facts rule the digital road and
misinformation is the hazard just around the next corner.

I hope EVERYONE had a safe and uneventful Christmas + Boxing Day. Set
aside some time today to review your logs (that built up) in full before
saving them and clearing from the active log files.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]

Sent: Sunday, December 28, 2003 10:34 PM
To: Keith Duemling
Cc: security-basics () securityfocus com
Subject: Re: Firewall Hardware Recommendations

Keith,

Curious,  What cisco firewall do you currently have and what version OS
is 
on it?

Who told you that a WatchGuard firewall is more secure than a Cisco
firewall?

The PIX does what you are asking for.  If you have information to the 
counter, please post.

Cheers!
-J

At 19:32 12/23/2003, Keith Duemling wrote:

Just wanted to get some feedback from the list regarding some research

I'm

currently working on.  We're replacing our existing Cisco firewall with

dedicated firewall hardware/software solution to provider greater

security

and VPN access.

I've been looking at the Netscreen and various Watchguard products at

this

time.  The current environment is as follows;

- NAT environment
- DMZ to host web accessible servers
- 100 internal users
- Extensive intranet site & visitation to several high profile B2B

sites.

- Constant 10 user VPN community.
- Redundant T1 connection managed by RADware Linkproof hardware

solution.


Any recommendations would be greatly appreciated.  Thanks in advance.

Keith Duemling
MCP



-----------------------------------------------------------------------

----

-----------------------------------------------------------------------

-----


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Re: Firewall Hardware Recommendations, (continued)
- Re: Firewall Hardware Recommendations jamesworld (Dec 29)
- RE: Firewall Hardware Recommendations Ehab Abu Al -Khair (Dec 24)
- RE: Firewall Hardware Recommendations Shawn Jackson (Dec 29)
  - RE: Firewall Hardware Recommendations jamesworld (Dec 30)
  - Re: Firewall Hardware Recommendations Lard van den Berg (Dec 30)
  - RE: Firewall Hardware Recommendations Naren - Pactech (Dec 30)
- RE: Firewall Hardware Recommendations Shawn Jackson (Dec 30)
  - RE: Firewall Hardware Recommendations jamesworld (Dec 30)
    - Re: Firewall Hardware Recommendations Naren (Dec 31)
    - Re: Firewall Hardware Recommendations Scott M. Algatt (Dec 31)
- RE: Firewall Hardware Recommendations Shawn Jackson (Dec 30)