Security Basics mailing list archives

RE: suggestions on a good firewall


From: "Jordan Jesse - Toronto-MROC" <jjordan () mroc com>
Date: Thu, 22 May 2003 13:03:15 -0400

I don't group toys like the Linksys, DLINK and others into the category
of true firewalls.  While they do supply some measure of firewall
security, in this day and age, a good firewall is going to do a lot more
than simple packet filtering.  A really good firewall should operate at
the upper layers of the OSI model and provide for true stateful
inspection of packets.  Both hardware and software firewalls are capable
of this.

FYI - Linksys Firewall/Router combos do perform stateful packet inspection and most have NAT and VPN capabilities.
While you are correct that they could not compete with firewalls on the level of Cisco PIX, Raptor or Checkpoint, I do
believe they are a very affordable and reliable means of protecting a small LAN.

Jesse

-----Original Message-----
From: Jim Barrett [mailto:jimb () ins com]
Sent: Wednesday, May 21, 2003 12:43 PM
To: Dan.Hemphill () warehouse com; jeffr76 () yahoo com;
security-basics () securityfocus com; bloodk () prodigy net mx
Subject: RE: suggestions on a good firewall


Not to wade into this on one side or the other, but the basic argument
for a hardware based firewall such as the Cisco PIX, the Sonicwall, the
old Lucent Brick, etc., is that in such a firewall, the OS is designed
specifically to support firewall functions and nothing else.  In
addition, hardware firewalls generally have Application Specific
Integrated Circuits (ASICS) that perform the firewall functions much
faster than a general purpose X86 or AMD processor.

Software firewalls such as those that run on Linux, Microsoft's ISA
server, Checkpoint's Firewall-1, Raptor, etc. run on top of general
purpose OSes that are designed to do more than just firewall functions.
While it is possible to really lock down a general purpose OS to support
the firewall, it requires considerably more knowledge to do it properly.
Add to this the fact that most software firewalls don't have the ASIC
support, thus they are not as fast for higher volume usage.

I don't group toys like the Linksys, DLINK and others into the category
of true firewalls.  While they do supply some measure of firewall
security, in this day and age, a good firewall is going to do a lot more
than simple packet filtering.  A really good firewall should operate at
the upper layers of the OSI model and provide for true stateful
inspection of packets.  Both hardware and software firewalls are capable
of this.

A good firewall should also provide a means for secure VPNing.  The
commercial products such as Cisco, Sonicwall, Raptor, and Checkpoint all
do this.  I'm sure that you can get similar functionality from some of
the Linux based products, though you probably need to be choosy.  On the
other hand, Open SSH might be all you really need.

Bottom line - if you really know what you are doing from a security
perspective and do not need the absolute utmost in throughput, a
software only firewall may be a good choice - especially Linux ones that
don't come with a large OS price tag attached.  On the other hand, if
you are not a true expert or need very intensive throughput, you are
probably better off going with a hardware based firewall if you have the
cash.


Jim Barrett, MCSE, CISSA, CISSP, CCNP
Principal Consultant
International Network Services
Boston, MA
(617) 319-3090

-----Original Message-----
From: Dan.Hemphill () warehouse com [mailto:Dan.Hemphill () warehouse com] 
Sent: Wednesday, May 21, 2003 11:45 AM
To: jeffr76 () yahoo com; security-basics () securityfocus com;
bloodk () prodigy net mx
Subject: RE: suggestions on a good firewall

What the people ragging on Linux firewalls don't realize is that it is
indeed a hardware firewall, as it runs on its own dedicated hardware.  If
you were to buy a Linksys, Netgear, or even something more expensive like
Cisco, those are hardware firewalls too, but they STILL run an embedded
operating system.  A software firewall is a piece of software that runs on
the host it's trying to protect, such as Zone Alarm, for example.

I look forward to hearing the reasons (read: factual evidence) that state
why a Linux firewall such as Smoothwall or Astaro is a bad idea(tm).

-Dan

-----Original Message-----
From: Jeff [mailto:jeffr76 () yahoo com]
Sent: Tuesday, May 20, 2003 12:36 PM
To: security-basics () securityfocus com; Ing Bernardo Lopez
Subject: Re: suggestions on a good firewall


ok I'll bite
Why is Linux or the others in this thread a bad idea as a firewall? I see
you would recommend a hardware firewall. Does this mean like a Linksys or
Netgear or Raptor or one of those type of LINUX based firewall systems?
I have deployed Linux, Cisco, and Raptor based firewalls and the difference I
have seen is support and cost.
Linux being the less cost and Cisco being the most.
If it was my network and I was making the security policy I would choose
Linux or Raptor. Cisco is just too much money for a personal or small company
network.
just my .02
Jeff
----- Original Message ----- 
From: "Ing Bernardo Lopez" <bloodk () prodigy net mx>
To: <security-basics () securityfocus com>
Sent: Monday, May 19, 2003 4:49 PM
Subject: Re: suggestions on a good firewall


Yea, Linux as a firewall is poorer than Microsoft, better use OpenBSD or buy a
hardware firewall... don't be a poor freak guy...

On Saturday 17 May 2003 12:07, kerberus wrote:
Please get a real Firewall use OpenBSD and PF

On Fri, 2003-05-16 at 14:50, Tom Sevy wrote:
I 2nd ipcop as a suggestion...

-----Original Message-----
From: Mike Moore [mailto:mike () moorecomputing net]
Sent: Thursday, May 15, 2003 7:14 PM
To: security-basics () securityfocus com
Subject: RE: suggestions on a good firewall


Or even better www.ipcop.org . A lot better support and no abuse.

-----Original Message-----
From: Dan Tesch [mailto:dantel () rb-group com]
Sent: Wednesday, May 14, 2003 1:37 PM
To: Beaney, Derek; security-basics () securityfocus com
Subject: Re: suggestions on a good firewall


Try www.smoothwall.org

Beaney, Derek wrote:
I'm planning on making a firewall for my home system.. I am running
windowsXP / SuSE 8.1 dual boot  what I want to do is set up another
computer to act as a firewall for my main system. what I want this to
do is to be able to control what enters and leaves my system with a
way to set up permissions. preferably I would like to have a firewall
running on either a Linux or Unix os ... no m$ =) tia

--------------------------------------------------------------
-------------
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +,
Check Point,
Hacking & Assessment, Cisco Security, Wireless Security &
more! Register Now! --UP TO 30% off classes in select cities--
http://www.securityfocus.com/Vigilar-security-basics
--------------------------------------------------------------
--------------


