Security Basics mailing list archives

RE: client firewall recommendations


From: "HOULE, FRANCIS" <francis.houle () bell ca>
Date: Tue, 21 Oct 2003 10:03:45 -0400

You must also consider performance issues.  Like the maximum number of
sessions, throughput, number of users that can be behind it...  A Linksys
only provides 512 simultaneous sessions.  It is fairly easy to kill the
box with a peak of traffic generating a lot of new sessions.  Let me
tell you that the cable modem is enough to generate a sufficient number of
sessions to kill a Linksys and/or D-Link SOHO box.

I would recommend either a PIX 501 or Netscreen.  PIX has a nice Java
GUI if you're not excited about the command line.  It works fine, although some
commands are still not supported.  Netscreen is also very nice.  It has
a very nice and intuitive web UI.  It has all the granularity of a PIX
or Checkpoint and even more.  A lot of nice features are available and
no major bugs are known.  A good support group and developers are working
very hard to provide a stable and scalable image for the several boxes.
(www.netscreen.com).

Hope it helps you choose the good solution.

--
Francis Houle



-----Original Message-----
From: Paul Stewart [mailto:paul () lexnetinc com] 
Sent: Tuesday, October 07, 2003 4:34 PM
To: security-basics () securityfocus com
Subject: Re: client firewall recommendations


In-Reply-To:
<20031006181739.27534.qmail () sf-www2-symnsj securityfocus com>

In an outbound only configuration, the main advantage that I can see is
stateful packet filtering.  When using a simple nat gateway like linksys
or dlink, what you have is translations that are set up at connect time.
These are tracked on a port by port basis.  



This happens as well on a pix.  However, in addition, the pix tracks the
state of the packets and closes the temporary hole as soon as it is safe
to do so.  Also, the packets are compared to what the Pix thinks its
sequence numbers and other attributes of the packet should be.  This is
not the case on the inexpensive solutions.  



Another thing to consider is whether you have installed a PIX before.  The
command line is non-intuitive if you have not used it before.  Newer
PIX versions have a web interface installed by default, but I never
configure them using that method and will therefore not comment on it.



Date: 6 Oct 2003 18:17:39 -0000

Message-ID: 
<20031006181739.27534.qmail () sf-www2-symnsj securityfocus com>

From: Dana Rawson <absolutezero273c () nzoomail com>

To: security-basics () securityfocus com

Subject: client firewall recommendations

Please forgive me for asking such a basic question, but I can't seem to
find the answers I'm looking for.

I have a client installing a cable modem at his business.  He called me
up asking if I would bless the installation of a Linksys BEFSX41
EtherFast firewall at $75 that co-workers recommended, after I
recommended the Cisco PIX 501 at $500+.

That would be acceptable to me if it were as secure as the PIX 501.
Trouble is I haven't got experience with either product to have a
preference, and I would rather not make a recommendation without having
more knowledge, and possibly be held liable in the future should a
security lapse occur.

Is one more secure than another?

Thanks in advance.



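As an added illustration that is not part of the thread: a toy Python model of the two points made above, Paul's description of a stateful tracker (handshake state, sequence-number sanity check, closing the temporary hole on FIN/RST) versus a port-only NAT translation table, and Francis's 512-session ceiling. The classes, packet fields, window size and sample addresses are constructed for the demo and do not reproduce any real product's logic; `run_sample` replays a constructed sequence (SYN out, SYN/ACK in, a stray ACK with a bogus sequence number, a FIN, then a replayed SYN/ACK) through either device.

```python
from dataclasses import dataclass

@dataclass
class Pkt:                 # minimal TCP packet view; flags are S, SA, A, F or R
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int = 0
    inbound: bool = False  # True when the packet arrives from the Internet side

class NatOnly:
    """Translation created at connect time and keyed by port only, like a plain NAT box."""
    def __init__(self):
        self.xlate = {}
    def handle(self, p: Pkt) -> bool:
        if not p.inbound:
            self.xlate[p.sport] = (p.dst, p.dport)  # mapping opens here and is never closed
            return True
        return p.dport in self.xlate  # no handshake state, no sequence check

class Stateful:
    """Follows the handshake, checks sequence numbers, closes on FIN/RST, caps the table."""
    WINDOW = 65535  # inbound sequence window the tracker accepts (constructed value)
    def __init__(self, max_sessions: int = 512):
        self.table, self.max_sessions = {}, max_sessions
    def handle(self, p: Pkt) -> bool:
        key = (p.dst, p.dport, p.src, p.sport) if p.inbound else (p.src, p.sport, p.dst, p.dport)
        entry = self.table.get(key)
        if entry is not None and ("F" in p.flags or "R" in p.flags):
            del self.table[key]  # toy model: the temporary hole closes on the first FIN/RST
            return True
        if not p.inbound:
            if entry is None:  # only a SYN opens a session, and only while the table has room
                if "S" not in p.flags or len(self.table) >= self.max_sessions: return False
                self.table[key] = {"state": "SYN_SENT", "peer_seq": None}
            return True
        if entry is None: return False  # nothing opened this hole
        if entry["state"] == "SYN_SENT":
            if p.flags != "SA": return False
            entry["state"], entry["peer_seq"] = "ESTABLISHED", p.seq + 1
            return True
        lo = entry["peer_seq"]
        return lo <= p.seq < lo + self.WINDOW  # is this what the firewall expects to see next?

def run_sample(dev) -> list:
    # constructed traffic: SYN out, SYN/ACK in, stray ACK with bogus seq, FIN in, replayed SYN/ACK
    c, s = ("10.0.0.5", 40000), ("203.0.113.9", 80)
    pkts = [Pkt(*c, *s, "S", 1), Pkt(*s, *c, "SA", 5000, True), Pkt(*s, *c, "A", 999_999_999, True),
            Pkt(*s, *c, "F", 5001, True), Pkt(*s, *c, "SA", 5000, True)]
    return [dev.handle(p) for p in pkts]
```

The NAT-only table lets every inbound packet through once the port mapping exists, while the stateful tracker drops the out-of-window ACK and the SYN/ACK replayed after the FIN, and refuses new sessions once 512 are open.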




