Firewall Wizards mailing list archives
Re: Firewall licensing purpose, methods, and techniques
From: Steve R <steve.rielly () extranet co nz>
Date: Thu, 27 Sep 2001 10:34:03 +1200
Three systems we deal with class the license as any node behind the External Interface, which means it includes the Internal, but also any SSN/DMZ interfaces. Realistically, if the firewall doesn't see the IP address, it doesn't get counted.

Making internal routers the default route, and a switch, solves the 'licensing issue' in most cases; an internal proxy server can also, as the proxy server talks to the firewall, not the individual workstations.

As far as VPN connections go, I've been told FW-1 doesn't count IP addresses it sees coming in through a VPN, but something like Secure Computing's Sidewinder does if an enforcement rule is applied to it; if it just passes them through, it doesn't.

SteveR

9/27/01 2:01:41 AM, Bruce Platt <Bruce () ei3corp com> wrote:
> I am curious about how firewall vendors license their products and enforce them.
>
> Most vendors sell licenses with descriptive phrases like 25 users, 25-100 users, unlimited users, and so forth to describe their license tiers. They have a right to collect money for the use of their intellectual property.
>
> When queried, most are vague at best as to what a "user" means, and answer with nodes protected by the firewall. But does a "user" mean someone who uses a desktop PC to web browse using the http proxy, or does a "user" mean a mail server protected by the firewall and using the smtp proxy, or does a "user" mean a networked printer on the protected network which will never touch the firewall?
>
> I have had one vendor tell me that a user is any device with an IP stack.
>
> How do vendors count users? In pre-Windows days one could use a ping to the network broadcast address to count replying Unix boxes. Today one could use the nmap code that does a "nmap -sP -PT0 network-address" to count responding machines. But what network address to use, the network address on which the fw protected network exists? What about other networks that might also be behind the firewall?
>
> That same vendor referred to above also allowed that they do not count. They trust the purchaser.
>
> Who counts today and how?
>
> I am interested because we provide services using PVCs over frame connections, and it's time to get a new firewall.
>
> Regards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards

Steve Rielly
Security Engineer
Extranet Technologies Limited
Level 3, 60 Cook St, Auckland, New Zealand
P.O. Box 7726, Wellesley Street, Auckland, New Zealand
Ph: +649 377 1122, Mob: 025 835530
Fax: +649 377 1109