Security Basics mailing list archives
RE: suggestions on a good firewall
From: "dave" <dave () netmedic net>
Date: Fri, 23 May 2003 21:24:35 -0400
Did we not just have this same Argument/Topic last month?

I believe we brought up the point that even appliances have an OS of some sort. Otherwise we would have to replace the whole appliance every time there was an update.

Dave

_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

-----Original Message-----
From: wjnorth [mailto:wjnorth () earthlink net]
Sent: Thursday, May 22, 2003 13:38
To: 'Mike Heitz'; salgak () speakeasy net; 'Mark Ng'; security-basics () securityfocus com
Subject: RE: suggestions on a good firewall

IMHO, by far appliance based firewalls are far more effective than O/S based firewalls. With O/S based firewalls the threat of not only vulnerabilities within the firewall application itself, but also multiple vulnerabilities associated with the O/S the firewall app is running on, is very real. Conversely, if the O/S is hardened (I've hardened both UNIX and Windows O/S, by far Windows is the hardest) and the firewall app is locked down (i.e. no http config, proper deny all statements are utilized, hardened passwords, telnet eliminated, ssh implemented for remote session configuration etc.) the threat is minimized.

The issue, in my mind, with choosing firewalls for most companies, tends to come down to cost. Is it more or less expensive to purchase appliance based firewalls rather than O/S based? And that really depends on a few factors:

1. How much experience do the SA, or Network Admins have on the firewall and/or the O/S as well
2. If O/S is chosen how long will it take to lock it down
3. How long will it take to lock down an appliance based firewall

I personally will opt for an appliance firewall hands down, some that are pretty good (Cisco PIX...though this is a SW package running on Cisco hardware, CyberGuard...though this does use a SCO kernel...but implemented with multiple security levels, CheckPoint...though the best one I've seen uses a Linux kernel).
I've heard of a truly hardware based firewall, but can't remember the name of it. At any rate, this is just my experience/opinion

-Wesley North
Senior Information Systems Security Engineer
BAE SYSTEMS, MISSION SOLUTIONS
wesley.north () baesystems com