Firewall Wizards mailing list archives

Re: Firewall setup


From: Tina Bird <tbird () precision-guesswork com>
Date: Thu, 3 Feb 2000 13:04:59 -0600 (CST)

Hi Elsa --

The primary question is, what level of security do
you require, and for which protocols/applications do
you require Internet access?

I've worked with Sidewinder and FW-1 for the last 5
years.  In general, unless you have the requirement 
to support a very high bandwidth connection -- which
you don't -- or some database applications (using CORBA)
that you can't get easily through the Sidewinder --
I prefer Sidewinder a lot.

FW-1 gets a lot of points in the press for being easy
to use and supported on a variety of operating systems.
But side-by-side, the person managing a FW-1 has to
be much much more experienced and careful to run that
box securely than someone managing a Sidewinder.  This
is a combination of the following factors:

1) Sidewinder has the most secure operating system 
available for commercial firewalls, at least that I've
seen.  It implements kernel-based mandatory access
controls (under Secure Computing's "Type Enforcement"
patent) that severely limit access to components of the
OS.  It's based on BSD UNIX but extensively modified.  It
scares a lot of people off because it's UNIX, but the
vast majority of system admin can be done with the GUI --
and you the end-user of the firewall are not responsible
for securing the operating system.

If you have UNIX experience, you will be able to work with
it pretty easily.

In contrast, FW-1 requires you to configure the operating
system security yourself.  There are plenty of resources
available to help with that, but it's a significant amount
of additional work.  And you have to keep up with OS patches
as well as FW-1 patches.  Sidewinder rolls them both together.

2) FW-1 requires the administrator to explicitly >turn off<
default services that are installed as soon as a rule is
added to the security policy.  Again, there are plenty of 
resources available to help walk you through this, but it
annoys me that I have to do that extra work.  Sidewinder
installs with a default security policy in place, but you
have to go in and enable the network services (proxies) 
before they're available to the internal users.  I much
prefer having to make a conscious decision to turn on things
like DNS and ping than to have that decision made for me.

3) There are a variety of ways to verify that the security
policy entered in the Sidewinder GUI is what the firewall is
actually enforcing, including reading the policy database
(which is close to natural language) and using UNIX tools like
'netstat.'

FW-1's policy code (INSPECT) is harder to read.  And as far
as I've been able to figure out, there's not any easy way to
confirm what services and rules are available to users from
the OS.  Systems that I can't independently verify make me
very nervous.

I could go on.  But you get the point.

Disclaimer:  I do not represent either Checkpoint or
Secure Computing.

cheers -- Tina Bird

On Tue, 1 Feb 2000, Korwin Elsa A CONTR wrote:

Date: Tue, 1 Feb 2000 16:05:39 -0600 
From: Korwin Elsa A CONTR <elsa.korwin () scott af mil>
To: "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
Subject: Firewall setup

Hello, I came across this firewall mailing list and thought perhaps someone
could help me out with my firewall.  I currently work for a military
hospital that plans to set up a firewall for their traffic.  All traffic
will go out to the internet via a T-3.

My question is, which of the following firewalls will support my
infrastructure?

Firewalls:
Checkpoint Firewall-1
Sidewinder 4.1


Infrastructure:  
1000 NT/95 workstations + 10 Windows NT servers 
Access method:  Ethernet and fast ethernet
Media type:  shielded twisted pair and F/O, where needed


Any info would be appreciated.  Thanks



            Elsa A. Korwin, ACS Task Lead
            Information Systems Security Specialist
            Network Security.SGSI 
            O-618-256-7322 F-618-256-7822
            elsa.korwin () scott af mil  




"Doubt is an uncomfortable situation, but certainty is an 
absurd one." -- Voltaire
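
Added example (not part of the original post, and not either vendor's tooling): one way to do the independent check described in point 3 of the reply, comparing the services a policy is meant to expose against what 'netstat -an' reports as listening. The netstat text is a constructed BSD-style sample and INTENDED is a hypothetical policy; both are assumptions.

```python
import re

# Constructed sample of BSD-style `netstat -an` output (not from the original post).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.1.25           *.*                    LISTEN
tcp        0      0  10.0.0.1.80            *.*                    LISTEN
tcp        0      0  *.23                   *.*                    LISTEN
tcp        0      0  10.0.0.1.80            10.0.0.57.1043         ESTABLISHED
udp        0      0  10.0.0.1.53            *.*
udp        0      0  *.161                  *.*
"""

# Hypothetical intended policy: (protocol, port) pairs the admin consciously enabled.
INTENDED = {("tcp", 25), ("tcp", 80), ("udp", 53), ("tcp", 443)}

def listeners(netstat_text):
    """Return {(proto, port): {local addresses}} for sockets accepting traffic."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or not re.fullmatch(r"(tcp|udp)[46]*", f[0]):
            continue  # banner, column header, or non-IP socket
        proto = f[0].rstrip("46")
        # TCP listeners carry LISTEN; UDP has no state, so require an unconnected peer.
        if proto == "tcp" and (len(f) < 6 or f[5] != "LISTEN"):
            continue
        if proto == "udp" and f[4] != "*.*":
            continue
        addr, _, port = f[3].rpartition(".")  # BSD form is address.port
        if not port.isdigit():
            continue
        found.setdefault((proto, int(port)), set()).add(addr)
    return found

def audit(netstat_text, intended):
    """Diff what the OS is serving against what the policy says it should serve."""
    actual = listeners(netstat_text)
    return {
        "unexpected": sorted(k for k in actual if k not in intended),
        "missing": sorted(k for k in intended if k not in actual),
        "wildcard": sorted(k for k, addrs in actual.items() if "*" in addrs),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_NETSTAT, INTENDED))
```

"unexpected" lists listeners nobody enabled in the policy, "missing" lists policy entries with no listener behind them, and "wildcard" lists services bound to every interface rather than one address.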


