Security Basics mailing list archives
RE: client firewall recommendations
From: "HOULE, FRANCIS" <francis.houle () bell ca>
Date: Tue, 21 Oct 2003 10:03:45 -0400
You must also consider performance issues. Like the maximum number of sessions, throughput, number of user that can be behind it... A linksys only provide 512 simultaneous sessions. It is fairly easy to kill the box with a peak of traffic generating a lot of new sessions. Let me tell you that the cable modem is enough to generate suffisient number of session to kill a linksys and/or dlink SOHO boxe. I would recommand either a PIX 501 or Netscreen. PIX has a nice JAVA GUI if you're not excited in command line. It works fine, altough some commands are still not supported. Netscreen is also very nice. It has a Very nice and intuitive WEBUI. It's has all the granularity of a PIX or checkpoint and even more. A lot of nice features are available and no major bugs are knows. A good support group and developer are working very hard to provide a stable and scalable image for the several boxes. (www.netscreen.com). Hope it helps you choose the good solution. -- Francis Houle -----Original Message----- From: Paul Stewart [mailto:paul () lexnetinc com] Sent: Tuesday, October 07, 2003 4:34 PM To: security-basics () securityfocus com Subject: Re: client firewall recommendations In-Reply-To: <20031006181739.27534.qmail () sf-www2-symnsj securityfocus com> In an outbound only configuration, the main advantage that I can see is stateful packet filtering. When using a simple nat gateway like linksys or dlink, what you have is translations that are set up at connect time. These are tracked on a port by port basis. This happens as well on a pix. However, in addition, the pix tracks the state of the packets and closes the temporary hole as soon as it is safe to do so. Also, the packets are compared to what the Pix thinks its sequence numbers and other attributes of the packet should be. This is not the case on the inexpensive solutions. Another thing to consider is have you installed a pix before. The command line is non-intuitive, if you have not used it before. Newer Pix version have a web interface installed by default, but I never configure them using that method and will therefore not comment on it.
Received: (qmail 4133 invoked from network); 6 Oct 2003 20:28:13 -0000
Received: from outgoing3.securityfocus.com (205.206.231.27)
by mail.securityfocus.com with SMTP; 6 Oct 2003 20:28:13 -0000
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 3947EA35FF; Mon, 6 Oct 2003 14:19:40 -0600 (MDT)
Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <security-basics.list-id.securityfocus.com>
List-Post: <mailto:security-basics () securityfocus com>
List-Help: <mailto:security-basics-help () securityfocus com>
List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
Delivered-To: mailing list security-basics () securityfocus com
Delivered-To: moderator for security-basics () securityfocus com
Received: (qmail 26633 invoked from network); 6 Oct 2003 12:14:00 -0000
Date: 6 Oct 2003 18:17:39 -0000
Message-ID: <20031006181739.27534.qmail () sf-www2-symnsj securityfocus com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: Dana Rawson <absolutezero273c () nzoomail com>
To: security-basics () securityfocus com
Subject: client firewall recommendations
Please forgive me for asking such a basic question, but I can't seem to
find the answers I'm looking for.
I have a client installing a cable modem at his business. He called me
up asking if I would bless the installation of a Linksys BEFSX41 EtherFast firewall at $75 that co-workers recommended, after I recommended the Cisco PIX 501 at $500+.
That would be acceptable to me if it were as secure as the PIX 501. Trouble is I haven't got experience with either product to have a preference, and I would rather not make a recommendation without having
more knowledge, and possibly be held liable in the future should a security lapse occur.
Is one more secure than another?
Thanks in advance.
-----------------------------------------------------------------------
----
-----------------------------------------------------------------------
-----
------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- FREE Whitepaper: Better Management for Network Security Looking for a better way to manage your IP security? Learn how Solsoft can help you: - Ensure robust IP security through policy-based management - Make firewall, VPN, and NAT rules interoperable across heterogeneous networks - Quickly respond to network events from a central console Download our FREE whitepaper at: http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015 ----------------------------------------------------------------------------
Current thread:
- client firewall recommendations Dana Rawson (Oct 06)
- <Possible follow-ups>
- RE: client firewall recommendations Hagen, Eric (Oct 06)
- Re: client firewall recommendations Dana Rawson (Oct 07)
- Re: client firewall recommendations Paul Stewart (Oct 08)
- RE: client firewall recommendations HOULE, FRANCIS (Oct 21)