Security Basics mailing list archives

RE: suggestions on a good firewall


From: "wjnorth" <wjnorth () earthlink net>
Date: Thu, 22 May 2003 10:37:44 -0700

IMHO,

By far, appliance-based firewalls are more effective than O/S-based
firewalls. With O/S-based firewalls the threat of not only
vulnerabilities within the firewall application itself, but also
multiple vulnerabilities associated with the O/S the firewall app is running
on, is very real.

Conversely, if the O/S is hardened (I've hardened both UNIX and Windows
O/S, by far Windows is the hardest) and the firewall app is locked down
(i.e. no http config, proper deny all statements are utilized, hardened
passwords, telnet eliminated, ssh implemented for remote session
configuration etc.) the threat is minimized.

The issue, in my mind, with choosing firewalls for most companies, tends
to come down to cost. Is it more or less expensive to purchase appliance-
based firewalls rather than O/S-based? And that really depends on a few
factors:

1. How much experience do the SA, or Network Admins have on the firewall
and/or the O/S as well
2. If O/S is chosen how long will it take to lock it down
3. How long will it take to lock down an appliance based firewall

I personally will opt for an appliance firewall hands down, some that
are pretty good (Cisco PIX...though this is a SW package running on
Cisco hardware, CyberGuard...though this does use a SCO kernel...but
implemented with multiple security levels, CheckPoint...though the best
one I've seen uses a Linux kernel). I've heard of a truly hardware based
firewall, but can't remember the name of it.

At any rate, this is just my experience/opinion

-Wesley North
Senior Information Systems Security Engineer
BAE SYSTEMS, MISSION SOLUTIONS
wesley.north () baesystems com
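The lock-down checklist in the message above (proper deny-all statements, no HTTP configuration interface, telnet eliminated, ssh for remote administration) can be audited mechanically against a ruleset dump. The following is an added example, not code from any poster in this thread: it reads an iptables-save style ruleset and reports which checklist items fail. The sample rulesets and the 10.0.0.0/24 management subnet are constructed for the example; the script only reads text and never touches a running firewall.

```python
"""Audit an iptables-save style ruleset against the thread's lock-down checklist.

Constructed example: the dump format is the real iptables-save layout, but the
rules themselves and the management subnet are made up for illustration.
"""
import ipaddress

# Constructed sample: a box that violates several checklist items.
WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: the same box after lock-down.
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
COMMIT
"""

# Assumed management subnet: ssh to the firewall is only legitimate from here.
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")


def parse_rule(line):
    """Extract the fields this audit cares about from one '-A ...' line.

    Unknown options (-i, -m, --state, ...) are skipped; --dport is expected to
    be a single port, which is all the constructed samples use.
    """
    toks = line.split()
    rule = {"chain": toks[1], "proto": None, "dport": None, "src": None, "target": None}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1])
            i += 2
        elif t == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def parse(dump):
    """Return (policies, rules): chain -> default policy, and a list of rule dicts."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules


def accepts(rules, port):
    """All INPUT rules that ACCEPT traffic to the firewall itself on `port`."""
    return [r for r in rules
            if r["chain"] == "INPUT" and r["target"] == "ACCEPT" and r["dport"] == port]


def audit(dump):
    """Return a list of checklist findings; an empty list means every item passed."""
    policies, rules = parse(dump)
    findings = []
    # 1. Proper deny-all: INPUT and FORWARD must default to DROP.
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, not DROP (no default deny)")
    # 2. Telnet eliminated: nothing may accept tcp/23 to the firewall.
    if accepts(rules, 23):
        findings.append("telnet (tcp/23) is accepted on the firewall")
    # 3. No HTTP configuration interface exposed on the firewall.
    for port in (80, 443):
        if accepts(rules, port):
            findings.append(f"HTTP management port tcp/{port} is accepted on the firewall")
    # 4. ssh for remote administration, but only from the management subnet.
    for r in accepts(rules, 22):
        if r["src"] is None or not r["src"].subnet_of(MGMT_NET):
            findings.append("ssh (tcp/22) is accepted from outside the management network")
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(dump) or ["all checklist items pass"])
```

Run it against `iptables-save` output from a Linux firewall host to get the same report for a real ruleset; the checks are deliberately limited to the four items the message names, so a clean report is not a substitute for a full review of the ruleset.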

-----Original Message-----
From: Mike Heitz [mailto:mikeheitz () upshotmail com] 
Sent: Wednesday, May 21, 2003 9:03 AM
To: salgak () speakeasy net; Mark Ng; security-basics () securityfocus com
Subject: RE: suggestions on a good firewall


Excellent point on what can the sysadmin handle...

Being a Windows admin, any Linux or Solaris firewall I were to put in
place could probably be hacked in a matter of minutes. However, I can
make a very solid Win2K box. The opposite would be true for the serious
Linux and Unix folks on the list.

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: salgak () speakeasy net [mailto:salgak () speakeasy net] 
Sent: Tuesday, May 20, 2003 11:40 AM
To: Mark Ng; security-basics () securityfocus com
Subject: Re: suggestions on a good firewall

-----Original Message-----
From: Mark Ng [mailto:laptopalias1-mark () informationintelligence net]
Sent: Tuesday, May 20, 2003 04:11 PM
To: security-basics () securityfocus com
Subject: RE: suggestions on a good firewall

Moderator:  Please feel free to completely disregard this mail if you
think I am being too harsh.  Thanks.

It's useful when expressing opinions to justify them.

Each solution generally has its own merits and disadvantages.  Childish
behaviour such as "get a real" or "x is better than x" (without any
justification) is just a waste of everyone's time.  There are people on
this list who are genuinely trying to learn about security - these people
need justifications, not religious fervour or fanboyism.

Agreed.

A Windows box, properly locked down, can be a reliable firewall. Locking
it down can be a chore, a much easier chore with Win2003 server, but
still takes some expertise and finesse.  I prefer hardware firewalls
with a firmware basis, as they're harder to exploit, but many brands
have reliability issues.  I'm currently running Checkpoint and Gauntlet
on Solaris, but this is a production environment I've inherited.

For a good, relatively inexpensive firewall, I'd recommend the
Linux-Mandrake firewall solution, running on commodity Intel hardware.
Simple to set up, fairly easy to run, easy to maintain.  

The REAL question to ask when picking a firewall is really two
questions:

1. What sort of threats am I defending against ?

2. What can my sysadmin handle ?  A Junior MCSE handed a Slackware
IPChains box is not going to be terribly effective, as an example...



------------------------------------------------------------------------
---
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check
Point, 
Hacking & Assessment, Cisco Security, Wireless Security & more! Register
Now! --UP TO 30% off classes in select cities-- 
http://www.securityfocus.com/Vigilar-security-basics
------------------------------------------------------------------------
----
