Firewall Wizards mailing list archives

Re: Leader in firewall product


From: Magosányi Árpád <mag () bunuel tii matav hu>
Date: Mon, 18 Sep 2000 10:27:35 +0200


My mail client thinks that LULLIER Thomas wrote the following:
[]
In decreasing order of secureness:


-Dragonfly
Dragonfly is a guard. It does Mandatory Access Control,
evaluated at EAL3 level, as far as I can remember.
You can create a very strictly secure enclave using
a public network with it. It is very good in rapidly
changing tactical environment. It is designed to be
used in wartime conditions.


-Zorp
Zorp is a real application-level firewall. Example:
While other firewalls can control some 5-6 aspects of an
ftp session, it can control every little detail. It is
also highly modular, which means it can handle 
protocol-wrapped-in-another situations effectively.
It also has some guard-like features. It is in early
state, but aims to be EAL3, and CC evaluated against some
LSPP-like PP. And its authentication system is just a major hit.

-Cyberguard
Cyberguard runs on trusted unixware. That means it has good
host security. Maybe its proxies are not as good as the others,
I haven't the time to play too much with it. (So you can put it
below Gauntlet if you like).

-Borderware
Borderware is just a hardened Gauntlet running on a hardened BSD.
(Okay, maybe it isn't Gauntlet, but the feeling is the same).
It has an ST which claims it to be EAL4, but I cannot imagine
how that ST could have got evaluated (no big issues, but I had
some formal problems with it). It really seems a secure one
for the old-type internet firewall usage, I say it from
experience. But do not hit it with big traffic.


-Gauntlet
Yeah, Gauntlet is Gauntlet. The standard internet firewall, designed
by MJR himself. It is among the most robust firewalls. 
It is a very good one while you are using it for what it is designed. 
But there are some major problems with it recently:
Problem #1 is NAI. You might be in a roughly safe position when only
        your local firewall distributor knows nothing about firewalls.
        The situation is a lot worse when the product owner does the same.
        Well, shiny buttons are very important, but not for a firewall.
Problem #2 is that Gauntlet is an internet firewall. Try to use it as
        a key building block for your intranet security, and you will
        understand.



Eh?  Gauntlet is less secure than everything mentioned so far?

It depends on what your main concerns of security are, of course.
My main concerns are MAC and EAL in this order, because I am interested
in intranet network security.


Would you be so kind as to explain exactly why you feel this to be the
case?  IIRC: once-upon-a-time, Gauntlet was regarded by many as being
the *most* robust of firewall products, security-wise.  (I'm talking
about 'nix versions.  I care not a whit for or about NT.)

Please do not misunderstand me. Gauntlet IS a good internet firewall,
if you don't expect too much from it.

-- 
GNU GPL: only from a clean source

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
