Security Basics mailing list archives

Re: Firewalls, Routers, and Bears ... oh, my


From: Byron Sonne <blsonne () rogers com>
Date: Tue, 04 Nov 2003 20:21:36 -0500

In particular, I'd like to know the general preference for integrated
firewall routers or other firewall hardware options versus roll-your-own
options.

Well, I'll fire the opening salvo here ;)

Preferences? That's easy. OpenBSD with pf and snort. Snort pretty much rules over anything else out there, commercial or not. Look it up. Not to mention you get to see the source. Tweak rules, add your own, whatever, it's all good. At home I'm running the personal version of Puresecure from Demarc, and I'm pretty happy. It is snort based and logs to SQL.

I distrust/dislike pretty much any commercial offering right off the bat. Why? I think we've all seen how fast your typical business moves, and I'm inclined to believe that it holds true for firewall/IDS manufacturers as well. Throw in disgustingly high licensing fees along with interfaces that sometimes abstract away the really low level and useful details... need I continue? Oh yeah... I can't see the innards most of the time. I'm supposed to trust this magical black box to implement things properly, and protect my network? No way. I don't care if they do have a guarantee; guarantees don't mean a thing except that they'll give you a refund or money when they screw up. Open source has them beat hands down in this regard.

Not to mention that any product that says you can just drop it in and basically forget it is a recipe for disaster. Would you drop your kids off at a private school or day-care and not keep a close eye on how they're doing or inquire as to any problems or abuse they might be subjected to? Some things, by their very nature, require careful attention and constant tuning. Any suggestion or course of action to the otherwise that is pursued is that of a fool, or the CIO who saw some commercial on TV last night and decided to foist the product upon his company.

If there's one thing I don't like, it's any product by Checkpoint, especially the Windows ones. I think the interface is absolutely hideous and makes the job way harder than it needs to be. Licensing is terrible too, in my opinion.


--

        For good, return good. For evil, return justice.

