Security Basics mailing list archives
RE: suggestions on a good firewall
From: "wjnorth" <wjnorth () earthlink net>
Date: Thu, 22 May 2003 10:37:44 -0700
IMHO, by far, appliance based firewalls are far more effective than O/S based firewalls. With O/S based firewalls the threat of not only vulnerabilities within the firewall application itself, but also multiple vulnerabilities associated with the O/S the firewall app is running on, is very real. Conversely, if the O/S is hardened (I've hardened both UNIX and Windows O/S, by far Windows is the hardest) and the firewall app is locked down (i.e. no http config, proper deny all statements are utilized, hardened passwords, telnet eliminated, ssh implemented for remote session configuration etc.) the threat is minimized.

The issue, in my mind, with choosing firewalls for most companies, tends to come down to cost. Is it more or less expensive to purchase appliance based firewalls rather than O/S based? And that really depends on a few factors:

1. How much experience do the SA, or Network Admins have on the firewall and/or the O/S as well
2. If O/S is chosen how long will it take to lock it down
3. How long will it take to lock down an appliance based firewall

I personally will opt for an appliance firewall hands down, some that are pretty good (Cisco PIX...though this is a SW package running on Cisco hardware, CyberGuard...though this does use a SCO kernel...but implemented with multiple security levels, CheckPoint...though the best one I've seen uses a Linux kernel). I've heard of a truly hardware based firewall, but can't remember the name of it.

At any rate, this is just my experience/opinion

-Wesley North
Senior Information Systems Security Engineer
BAE SYSTEMS, MISSION SOLUTIONS
wesley.north () baesystems com

-----Original Message-----
From: Mike Heitz [mailto:mikeheitz () upshotmail com]
Sent: Wednesday, May 21, 2003 9:03 AM
To: salgak () speakeasy net; Mark Ng; security-basics () securityfocus com
Subject: RE: suggestions on a good firewall

Excellent point on what can the sysadmin handle...

Being a Windows admin, any Linux or Solaris firewall I were to put in place could probably be hacked in a matter of minutes. However, I can make a very solid Win2K box. The opposite would be true for the serious Linux and Unix folks on the list.

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: salgak () speakeasy net [mailto:salgak () speakeasy net]
Sent: Tuesday, May 20, 2003 11:40 AM
To: Mark Ng; security-basics () securityfocus com
Subject: Re: suggestions on a good firewall

-----Original Message-----
From: Mark Ng [mailto:laptopalias1-mark () informationintelligence net]
Sent: Tuesday, May 20, 2003 04:11 PM
To: security-basics () securityfocus com
Subject: RE: suggestions on a good firewall

Moderator: Please feel free to completely disregard this mail if you think I am being too harsh. Thanks.

It's useful when expressing opinions to justify them. Each solution generally has its own merits and disadvantages. Childish behaviour such as "get a real" "x is better than x" (without any justification) is just a waste of everyone's time. There are people on this list who are genuinely trying to learn about security - these people need justifications, not religious fervour or fanboyism.

Agreed. A Windows box, properly locked down, can be a reliable firewall. Locking it down can be a chore, a much easier chore with Win2003 server, but still takes some expertise and finesse.

I prefer hardware firewalls with a firmware basis, as they're harder to exploit, but many brands have reliability issues. I'm currently running Checkpoint and Gauntlet on Solaris, but this is a production environment I've inherited.

For a good, relatively inexpensive firewall, I'd recommend the Linux-Mandrake firewall solution, running on commodity Intel hardware. Simple to set up, fairly easy to run, easy to maintain.

The REAL question to ask when picking a firewall is really two questions:

1. What sort of threats am I defending against?
2. What can my sysadmin handle?

A Junior MCSE handed a Slackware IPChains box is not going to be terribly effective, as an example.