WebApp Sec mailing list archives

Re: web application security products (AKA application firewalls)


From: Skip Carter <skip () taygeta com>
Date: Fri, 22 Nov 2002 09:13:08 -0800



What is the group experience with these type of devices? Any good, bad
or horror stories about using/maintaining them? Any specific
recommendations?

  We use them for our smaller clients with pure Internet client (i.e. no
  Internet servers on the LAN) networks.  For such simple networks they aren't
  too bad and they are very easy to set up.  They can also handle server NATting
  but we rarely use them once a network starts providing Internet server functions.
  If you have a complicated network with things like multiple segments, or subnetting,
  they can become awkward or impractical to use.


  Things to watch out for:

        -- if VPN is a requirement, make sure you actually get it running and
           test it.  Sometimes it's not so easy, or the device is actually just
           "VPN capable"

        -- be careful of the licensing, some devices have a per system license structure.

        -- many have a limited number of firewall rules that can be set up,
           be sure that you can actually implement the policy you want on the device
           that you are considering.

        -- if it's a plug-and-play firewall, turn that feature off or pick another device!


  We have found that many companies that make these devices will provide evaluation units
  to network security companies so that you can try them out before recommending them to a client.



-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            











