Firewall Wizards mailing list archives

Re: Firewall bake-off?


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Thu, 22 Mar 2007 22:45:44 +0100

Hi, all!

On Thu, Mar 22, 2007 at 12:12:54PM -0500, Carric Dooley wrote:

> .. and it's probably been 7 years since I've seen it.. it does not have a
> huge install base, and I'm surprised to even hear anyone reference it.
> I'm not saying it's bad, just that I see it rarely enough to say "never".
> The Air Force liked SecureComputing...

So, you missed the most amazing improvements ;-)

Secure Computing acquired the Gauntlet division from
Network Associates and merged the features of what once
was Gauntlet 6.0 and Sidewinder 5.2 into the Sidewinder G2
product line.

I'm biased, I'm selling the product, but bear with me for a
minute ...

What makes me like the product:

- default deny
- proxy everything
- best coverage of protocols in the industry, i.e.
  the firewall does not just pass port 443 through - if
  the session doesn't start with a proper TLS handshake,
  the traffic is blocked, same for HTTP, MS SQL, lots of
  proxies that are not just "plugs"
- you can still use packet filters if you insist

And, pardon, another poster mentioned Pix and familiarity
with IOS ... that's simply not a valid criterion for a firewall.
Period.

I know Pix only up to 6.latest but this box doesn't know a bit
about what's going on inside the traffic it passes. Nothing.

I came up with a very simple litmus test for firewalls and
their "deep inspection" aka "application level intelligence",
whatever you want to call it:

1. Define an "inside" network and an "outside" network that represents
   "the Internet".

2. Permit: initiated from "inside" to "arbitrary server outside"
   HTTP + HTTPS
   (including absolutely necessary things like DNS ...)

3. Try to use Skype on a Windows machine on the "inside".

4. If it works, your so-called firewall is a piece of crap.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info () punkt de       http://www.punkt.de
Gf: Jürgen Egeling      AG Mannheim 108285
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
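
The port-443 behaviour described in the message above (block the session unless it starts with a proper TLS handshake), sketched as an added example; it is not code from the post or from any firewall product. The function name, verdict strings and sample bytes are assumptions constructed for illustration, and SSLv2-format hellos are treated as non-TLS.

```python
import struct

# Verdicts returned by the hypothetical check below.
ALLOW, BLOCK, NEED_MORE = "allow", "block", "need-more-data"

def check_tls_start(buf: bytes) -> str:
    """Decide whether the first client bytes on port 443 open a TLS handshake.

    Validates the TLS record header and the ClientHello handshake header only;
    it does not parse extensions or judge what is carried inside the tunnel.
    """
    if len(buf) < 5:
        # Reject early if the bytes we have already contradict a TLS record.
        if buf[:1] not in (b"", b"\x16") or (len(buf) > 1 and buf[1] != 3):
            return BLOCK
        return NEED_MORE
    ctype, major, minor, rec_len = struct.unpack("!BBBH", buf[:5])
    if ctype != 0x16 or major != 3 or minor > 4:
        return BLOCK                  # not a handshake record, or bad version
    if rec_len < 4 or rec_len > 2**14:
        return BLOCK                  # outside TLS plaintext record limits
    if len(buf) < 11:
        return NEED_MORE              # handshake header + client version pending
    hs_type = buf[5]
    hs_len = int.from_bytes(buf[6:9], "big")
    if hs_type != 0x01:
        return BLOCK                  # first message must be a ClientHello
    # Minimum ClientHello body: version(2) + random(32) + session_id_len(1)
    # + cipher_suites(2+2) + compression_methods(1+1) = 41 bytes.
    if hs_len < 41 or buf[9] != 3:
        return BLOCK
    return ALLOW

def sample_client_hello() -> bytes:
    """Constructed minimal ClientHello (one cipher suite, no extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for label, data in [("TLS ClientHello", sample_client_hello()),
                        ("plain HTTP on 443", b"GET / HTTP/1.1\r\n"),
                        ("partial record", sample_client_hello()[:3])]:
        print(f"{label:20s} -> {check_tls_start(data)}")
```

A proxy would call this on the accumulated client bytes until it gets a verdict other than `need-more-data`, with a timeout and byte limit so a silent client cannot hold the session open.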

