Firewall Wizards mailing list archives

FW appliances, open source, and the value of a name


From: kadokev () msg net
Date: Wed, 31 Jul 2002 22:58:13 -0500 (CDT)

I guess this is where something like overall Total Cost of Ownership
(TCO) really comes into play.  I like the functionality that open source
platforms offer, and the price/performance ratio can't be beat,

When you start talking about "gigabit firewalls" and beyond, the
equation changes as you get into ASIC solutions for which there is no
"open source" equivalent.


Another issue I have run into with a number of (Linux-based) security
appliances is that the core functionality may be implemented in a secure
fashion, yet other tools included from the Linux distribution expose
a remote compromise. Often there are daemons left running only because
the default (Red Hat, etc.) distribution shipped with them enabled!

I've published (a tiny subset of the many) remote compromises I have
found related to various "Linux-based appliance" commercial products;
commonly this is due to the use of "free" open source administration
tools (HTTPd, SSHd, etc).  Or the vendor has deployed an outdated version
with a known hole, and often the vendor and/or users are slow about
software updates for an "appliance" product.  And Microsoft is not the
only vendor suspected of holding back on security announcements to avoid
losing face by publishing a patch immediately after a new release.

I've also found a few instances where the software itself is secure, but
the vendor has made a simple configuration error in their default build,
replicated on every unit shipped.


but my main interest was in regards to all the hype around the PIX,
and was there really anything that set it apart from other firewall
solutions when it came right down to the hardware.  Again, thanks
for all the feedback, and it's good to be back on this list.

I haven't really seen any hype around the PIX, and I have one of the
first models sitting on a shelf gathering dust.  Most network admins
realize (especially if you've seen one of the older models) that there
is nothing special about the hardware, and that a large part of the
price of a PIX is the Cisco name and the IOS-like administrative
interface.


Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

