Firewall Wizards mailing list archives

Re: Firewall Throughput


From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 13 Sep 2000 07:33:30 +1100 (EST)

In some email I received from Patrick Darden, sie wrote:

Hmmm, the PIX is similar to the Nokia FW1 boxes in that they are hardened
Unix derivatives, cut to the quick, performance enhanced, with ip
filtering, stateful connection monitoring, and packet inspection.

Yes, IPSO (FreeBSD hacked around a bit) is "interesting".  From a guy I
know working on it, I've heard ~nothing positive about it.

Firewalls on routers have their place.  I believe in a multi-layered
approach to security, and the first layer is having a well protected
router that provides ingress/egress filtering (e.g. to prevent DDOS).

Something about that which intrigues me about this sort of setup is that
filtering in the router means your firewall doesn't get to log it (for
some definition of firewall) and neither does the IDS get to analyse it.

Do yourself a favour and stay ignorant of the development methodology
that goes on "behind the scenes" with Linux.  What are they now,
2.4.pre34-test83, and still making major architectural changes inside it.
That's *insane*.  Sure, Solaris is stable, but you can't strap it down
as securely as you can BSD, plus you get source code for BSD.

I'm aware of the procedure, and I also know that Linus put a freeze on new
features months ago.  He does not make major new architectural changes to
the betas, and very rarely to the alphas.

Excuse me.  Go read the linux kernel mailing list archives for the last
couple of weeks - I wasn't talking about features.

Darren

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
