Re: Hardware vs Software Firewall/Router

["Jim Miller @ Cox" <jim_miller () cox-internet com>]

And another country heard from ....

Linky routers do not do stateful packet inspection.  To protect a home
network with PC firewalls installed and little or no risk this is adequate.
Better to get a firewall router that does the job, for a few dollars more,
like a Checkpoint.  It will do your stateful packet inspection and block
attacks with known signatures.  And then add an IDS or IDP to the config so
you can find out who and how to protect yourself from.  Then you can have
some continuity to your business operations.

This is a large scale problem.  Better start a project and do the research,
send out RFPs to get vendors to respond to your needs, then decide on the
best course of action.  Offloading the specs to a vendor seems like a wise
way to go in your case.  And remember to "trust but verify".

Hugh [Jim] Miller
979/777-9546
jim_miller () cox-internet com
Think globally
Act locally
Live tribally
Love God



----- Original Message -----
From: "James Lee Gromoll" <jgromoll () hotmail com>
To: <nsm () e-paradise net>; <security-basics () securityfocus com>
Sent: Wednesday, April 02, 2003 1:44 PM
Subject: Re: Hardware vs Software Firewall/Router


> My $.02,
>
>
> 1. If you use software loaded on each host exposed to the web, then you
will
> have failed right off since any attacker all ready hits the host before he
> is dealt with.
>
> 2. If you mean to use software loaded on a PC acting as a firewall, then
> this is a much better idea and offloads the system overhead as well.
>
> 3. If you plan to use a hardware solution, you still have somewhat of a
> software solution anyhow. This is because now the software is simply
burned
> into PROMs or the like, but in the end it is still code subject to
> compromise. While it is perhaps a bit tighter than others it is still
code,
> and i have faith all code can eventually be exploited.
>
> 4. I beleive the best approach is a combination of hardware and software
> solutions.
>
> 5. Routers are good. They can segment and isolate your net to a great
> degree. Some routers offer advanced features that allow a high degree of
> control over traffic on the net (Port filters, etc.) I would get at least
> one router.
>
> 6. Firewalls are also good. They definitely filter and limit traffic in
and
> out of a net. It is best if you have a dedicated firewall be it an
appliance
> or a PC running firewall software.
>
> 7. There are a few FREE firewalls available. IPCOP and Smoothwall are two.
> They require a dedicated PC with two NICs or one NIC and a modem. The set
up
> is remarkably easy and a 200 MHz PC will provide quite adequate bandwidth
at
> cable modem speeds and T1 speed also.
>
> 8. For the cost of a cable/DSL one port router, it is silly to not have a
> router.
>
> 9. A simple low $$ solution would look like this
>
>                  WAN/Internet
>                      |
>           Linksys Single port Router         Cost <40$
>                      |
>                 Smoothwall PC                Cost junker PC ~$100
>                      |
>                     LAN
>
> 10. These can be setup to be remotely administered, but I beleive the
> Linksys still has an unresolved vulnerability when remote admin enabled.
> Smoothwall can use SSH for remote admin.
>
> 11. The argument that the harware firewalls have more vulns may bear
> credibility, since the code on them can be quite unique and once
compromised
> the fix may be more difficult to implement. Basically the same argument
that
> it is easier to fix a Windows bug than it is to fix a BIOS bug. It really
> depends on the skill level of the programmers.
>
> ps. Oh, by the way, Linksys is becoming Cisco.
>
> > From: <nsm () e-paradise net>
> > To: security-basics () securityfocus com
> > Subject: Hardware vs Software Firewall/Router
> > Date: 2 Apr 2003 03:11:54 -0000
> >
> >
> >
> > I work for a consulting company that services businesses with 30 to 200
> > clients. Our IT Manager likes to use a Linksys, or a 3Com hardware
> > firewall solution. He is also thinking of introducing the Symantec Raptor
> > (I could be incorrect on the name) software solution. We are mostly a
> > windows based firm with little *nix experience, so most software
> > solutions are out already.
> >
> > My reason for posting is:
> >
> > I would like to provide a valid argument for not using a software
> > solution, and making our hardware solutions a little more "upscale", say
> > PIX, Nokia, Checkpoint etc. The IT managers argument is that he finds far
> > less vulnerabilities in the software solutions or the Linksys and 3Com
> > than what he does in the PIX etc.
> >
> > I am of course familiar with all of the basic differences, I am more so
> > looking for valid argumentative points.
> >
> > Any input would be greatly appreciated.
> >
> > -------------------------------------------------------------------
> > SurfControl E-mail Filter puts the brakes on spam,
> > viruses and malicious code. Safeguard your business
> > critical communications. Download a free 30-day trial:
> > http://www.securityfocus.com/SurfControl-security-basics
>
>
> _________________________________________________________________
> MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.
> http://join.msn.com/?page=features/virus
>
>
> -------------------------------------------------------------------
> SurfControl E-mail Filter puts the brakes on spam,
> viruses and malicious code. Safeguard your business
> critical communications. Download a free 30-day trial:
> http://www.securityfocus.com/SurfControl-security-basics


-------------------------------------------------------------------
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-security-basics