Firewall Wizards mailing list archives

RE: Hardware vs. Software firewall reliability


From: "Garrahan, Kelvin" <Kelvin.Garrahan () compaq com>
Date: Wed, 15 Sep 1999 17:45:24 +0100

Hi,

I agree with the process of hardening the NT Server that the Firewall should
sit on. This goes for other systems that I would layer a Firewall onto. I
know I would probably be laughed off the discussion group, but one thing I
liked about AltaVista firewall is that it automatically went through a lot
of the NT hardening processes while it was being installed. Another thing: when
installed, it comes up in a secured state, unlike Firewall-1.

I am currently working on a script that automates the majority of the NT
hardening tasks, "playing with the registry stuff". There are some good links
on phoneboy.com to hardening NT specifically for Firewall-1.

I am not saying that AltaVista is better than Firewall-1, but I think that
the main issue surrounding the deployment of Firewall-1 is that it is too
easy to set up in an unsecured manner. This may be true for other Firewalls; I
am sure we all have opinions on that one.

One thing that I am doing now on NT machines that I am preparing for a
Firewall is to run a scanner on the machine, i.e. ISS or CyberCop. It may be
overkill, but I like to do it as a quality check before I install the
Firewall. With hardware Firewalls, do we take it for granted that they are
secured at the OS level? Nokia's IP Firewall range, to the best of my
knowledge, has not received the ITSEC certification.

This leads me to a concern: as we know, "Hardware Firewalls" like PIX
and Nokia basically run on a proprietary OS, or a cut-down version like
Nokia's FreeBSD. Surely there exist weaknesses in these systems; while they
may not be widely known like Unix or NT cracks, an elite few may be able to
leverage them to compromise a system.

I guess this is a strong reason for looking towards an IDS system to monitor
what traffic is heading towards and through your Firewall!

regards

Kelvin

Compaq Network Services
Security Consultant.
