RE: suggestions on a good firewall

["dave" <dave () netmedic net>]

You might want to take a closer look at W2003; I would beg to differ on it
being "locked-down".  I would agree that most of the add-ons have to be
added on.  But it is definitely not locked down.

Plus it takes about 30 minutes to lock down a W2K box, with IIS on it.  If
you use one of the tools/scripts out there. Or make one yourself.


 
_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

 


-----Original Message-----
From: salgak () speakeasy net [mailto:salgak () speakeasy net] 
Sent: Tuesday, May 20, 2003 13:30
To: Mark Ng; salgak () speakeasy net; security-basics () securityfocus com
Subject: Re: suggestions on a good firewall

> > Agreed.
> >
> > A Windows box, properly locked down, can be a reliable firewall.
>
> There's an element of truth to that - but I'm not sure I'd want to be the
> person locking it down or keeping up to date with patches ;).  I also
> wouldn't recommend Windows unless in an HA pair.

Which, in turn, required the Advanced Server version of Windows.  With a
much higher pricetag. . 
 
> There's also a very strong argument for openbsd and PF too (stability,
> proven track record of security) - however, it's not as manageable as some
> other solutions.

Any *.BSD solution can probably be a good one.  The trick, of course, is
having a good admin to run the system (see below)

> > Locking it down can be a chore, a much easier chore with Win2003
> > server, but still takes some expertise and finesse.  I prefer
>
> I've not yet had any experience with 2k3, so I can't possibly comment.

Win2003 actually ships pretty much locked down.  You have to enable almost
ANYTHING, including IIS.  I guess MS has finally started listening to
people...

> > hardware firewalls with a firmware basis, as they're harder to
> > exploit, but many brands have reliability issues.  I'm currently
> > running Checkpoint and Gauntlet on Solaris, but this is a
> > production environment I've inherited.
>
> If you're in the hardware firewall market, I quite like Netscreen and PIX.
> Netscreen had some issues with some software upgrades being a bit buggy
some
> time recently though iirc, but on the whole, they're fairly solid
firewalls
> that are easy to administer.  PIX's of course don't have the pretty
> graphical interface, but are solid firewalls.  I don't like Checkpoint,
any
> firewall that comes by default with "Hidden Implied Rules" doesn't wash
with
> me (is this still the case with newer versions of Checkpoint ?)

I like Netscreens as well: I used to go for SonicWalls, but in practice,
especially with their smaller boxes, I've found the hardware itself to be a
bit fragile, especially the power supplies. . .

> > For a good, relatively inexpensive firewall, I'd recommend the
> > Linux-Mandrake firewall solution, running on commodity Intel
> > hardware.  Simple to set up, fairly easy to run, easy to maintain.
>
> Smoothwall definitely has its merits in this arena - and by extension I'd
> imagine IPcop does too.

I like Mandrake for the interface and smooth install: a bonus for
inexperienced admins, especially ones new to *nix. . .

> > 2. What can my sysadmin handle ?  A Junior MCSE handed a
>
> To be honest, I don't really think an MCSE with small amounts of job
> experience should ever be handed main security responsibility.  There's
> merit to outsourcing security functions in this event if you're too small
to
> justify full time security staff or experienced systems administrators
with
> security experience.  Any firewall configured badly is a bad firewall, be
it
> IPcop, Smoothwall, OpenBSD/PF , Checkpoint or whatever.

Many years ago, I **WAS** that junior MCSE handed that Slackware firewall.
And all of site security, for a small corporation. However, I was already
playing with Linux (RedHat 4-ish days), and so wasn't totally lost.  As
opposed to the ongoing joke about the MS Certified Linux Specialist: upon
detection of a Linux system, insert a DOS boot floppy, FDISK /MBR, and
install Windows. . .   <g>

Of course, that's also where I got my start of Solaris as well. . .  <g>

Regards

Keith



---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check Point, 
Hacking & Assessment, Cisco Security, Wireless Security & more! Register
Now!
--UP TO 30% off classes in select cities-- 
http://www.securityfocus.com/Vigilar-security-basics
----------------------------------------------------------------------------





---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check Point,
Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
--UP TO 30% off classes in select cities--
http://www.securityfocus.com/Vigilar-security-basics
----------------------------------------------------------------------------