Firewall Wizards mailing list archives

Re: Firewall licensing purpose, methods, and techniques


From: Steve R <steve.rielly () extranet co nz>
Date: Thu, 27 Sep 2001 10:34:03 +1200


Three systems we deal with class the license as any node behind the External Interface, which 
means it includes the Internal, but also any SSN/DMZ interfaces.

Realistically, if the firewall doesn't see the IP Address, it doesn't get counted. Making internal 
routers the default route, and a switch, solves the 'licensing issue' in most cases; an internal proxy 
server can also, as the proxy server talks to the firewall, not the individual workstations.

As far as VPN connections go, I've been told FW-1 doesn't count IP Addresses it sees coming 
in through a VPN, but something like SecureComputing's Sidewinder does if an enforcement 
rule is applied to it; if it just passes them through it doesn't.

        SteveR

9/27/01 2:01:41 AM, Bruce Platt <Bruce () ei3corp com> wrote:

I am curious about how firewall vendors license their products and enforce
them.

Most vendors sell licenses with descriptive phrases like 25 users, 25-100
users, unlimited users, and so forth to describe their license tiers.  They
have a right to collect money for the use of their intellectual property.

When queried, most are vague at best as to what a "user" means, and answer
with nodes protected by the firewall.  But does a "user" mean someone who
uses a desktop PC to web browse using the http proxy, or does a "user" mean
a mail server protected by the firewall and using the smtp proxy, or does a
"user" mean a networked printer on the protected network which will never
touch the firewall?  I have had one vendor tell me that a user is any device
with an IP stack.  

How do vendors count users?  In pre-Windows days one could use a ping to the
network broadcast address to count replying unix boxes.  Today one could use
the nmap code that does a "nmap -sP -PT0 network-address" to count
responding machines.  But what network address to use, the network address
on which the fw protected network exists?  What about other networks that
might also be behind the firewall?

That same vendor referred to above also allowed that they do not count.
They trust the purchaser.

Who counts today and how?  I am interested because we provide services using
PVCs over frame connections, and it's time to get a new firewall.

Regards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards



Steve Rielly
Security Engineer
Extranet Technologies Limited
Level 3, 60 Cook St, Auckland, New Zealand
P.O. Box 7726, Wellesley Street, Auckland, New Zealand
Ph: +649 377 1122, Mob: 025 835530 Fax: +649 377 1109 


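Steve's answer comes down to a counting rule: a node counts toward the license only if the firewall sees its address on a protected-side (internal or DMZ) interface, and a proxy or NAT device collapses a whole subnet into the one address that actually talks to the firewall. The script below is an added illustration of that rule, not code from the thread or from any of the vendors named in it. It audits a constructed connection log with a hypothetical "<iface> <src> -> <dst>" line format and a hypothetical interface table (eth0 external, eth1 internal, eth2 DMZ), reports the distinct protected-side addresses the firewall has seen, and then models the proxy case to show the count dropping.

```python
"""Count the distinct protected-side IP addresses a firewall has actually seen,
the figure Steve describes as the basis of per-node licensing.

Added example: the log format, interface names and sample addresses are
constructed for illustration and are not any real product's format.
"""
import ipaddress
from collections import defaultdict

# Hypothetical interface table: which side of the firewall each interface is on.
INTERFACES = {
    "eth0": "external",
    "eth1": "internal",
    "eth2": "dmz",
}

# Constructed connection-log lines: "<iface> <src> -> <dst>". The last line is
# deliberately malformed to show that unparsable records are skipped, not counted.
SAMPLE_LOG = """\
eth1 10.1.1.10 -> 203.0.113.5
eth1 10.1.1.11 -> 203.0.113.5
eth1 10.1.1.10 -> 198.51.100.20
eth2 192.0.2.25 -> 203.0.113.9
eth0 203.0.113.5 -> 192.0.2.25
eth0 198.51.100.77 -> 10.1.1.10
eth1 garbage line
"""


def parse_line(line):
    """Return (iface, src, dst) for a well-formed record, or None otherwise."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    iface, src, _, dst = parts
    try:
        return iface, ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return None


def licensed_nodes(log_text, interfaces=INTERFACES):
    """Distinct source addresses seen on every non-external interface, keyed by side.

    Traffic arriving on the external interface is never counted, matching the
    rule that only nodes behind the external interface are licensed.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        iface, src, _ = rec
        side = interfaces.get(iface)
        if side is None or side == "external":
            continue
        seen[side].add(src)
    return {side: sorted(str(ip) for ip in ips) for side, ips in seen.items()}


def license_count(log_text, interfaces=INTERFACES):
    """Total number of distinct protected-side nodes the firewall has seen."""
    return sum(len(ips) for ips in licensed_nodes(log_text, interfaces).values())


def apply_proxy(log_text, proxy_ip, proxied_iface="eth1"):
    """Model the proxy case: every connection leaving the proxied interface now
    originates from the proxy's own address, so the firewall sees one node there."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec[0] == proxied_iface:
            out.append(f"{rec[0]} {proxy_ip} -> {rec[2]}")
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print("direct:", licensed_nodes(SAMPLE_LOG), license_count(SAMPLE_LOG))
    proxied = apply_proxy(SAMPLE_LOG, "10.1.1.1")
    print("proxied:", licensed_nodes(proxied), license_count(proxied))
```

On the constructed log the direct count is 3 (two internal workstations plus one DMZ host; the two external-side records and the malformed line are ignored). Routing the internal side through a hypothetical proxy at 10.1.1.1 brings it down to 2, which is exactly the effect Steve describes: the firewall licenses what it sees, and a proxy is the only internal address it sees.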