Security Basics mailing list archives
RE: suggestions on a good firewall
From: "Christopher Harrington" <charrington () syseng com>
Date: Fri, 23 May 2003 13:13:53 -0400
Ahhh...maybe you should actually look at bugtraq before you open yourself up like that. # of vulns on PIX ---> 16 # of vulns on Checkpoint ---> 30 "A new vulnerability is found every other week"...unfounded comments like that do not help. --Chris -----Original Message----- From: David Ellis [mailto:David.Ellis () unicam com] Sent: Thursday, May 22, 2003 12:34 PM To: Potter, Tim; security-basics () securityfocus com Subject: RE: suggestions on a good firewall Actually the checkpoint implied rules are not actually hidden. You just enable and disable through global properties, and I prefer checkpoint over pix cause just look at the bugtraq record on pix. A new vulnerability is found every other week -----Original Message----- From: Potter, Tim [mailto:Tim.Potter () clarkconsulting com] Sent: Wednesday, May 21, 2003 12:07 PM To: security-basics () securityfocus com Subject: RE: suggestions on a good firewall Actually the PIX does have a "pretty" graphical interface. I'm not fond of it for many tasks, but the "PDM" can be good for someone newer to managing a PIX. Also, for a cheaper hardware-based application firewall I would go with the Watchguard. My application firewall of choice would be Sidewinder or Checkpoint, but you can't beat the cost of the Watchguard. Older versions of the firmware required a reboot for every change, but they have gotten much better with the newest firmware. -Tim -----Original Message----- From: Mark Ng [mailto:laptopalias1-mark () informationintelligence net] Sent: Tuesday, May 20, 2003 11:56 AM To: salgak () speakeasy net; security-basics () securityfocus com Subject: RE: suggestions on a good firewall
Agreed. A Windows box, properly locked down, can be a reliable firewall.
There's an element of truth to that - but I'm not sure I'd want to be the person locking it down or keeping up to date with patches ;). I also wouldn't recommend Windows unless in an HA pair. There's also a very strong argument for openbsd and PF too (stability, proven track record of security) - however, it's not as manageable as some other solutions.
Locking it down can be a chore, a much easier chore with Win2003 server, but still takes some expertise and finesse. I prefer
I've not yet had any experience with 2k3, so I can't possibly comment.
hardware firewalls with a firmware basis, as they're harder to exploit, but many brands have reliability issues. I'm currently running Checkpoint and Gauntlet on Solaris, but this is a production environment I've inherited.
If you're in the hardware firewall market, I quite like Netscreen and PIX. Netscreen had some issues with some software upgrades being a bit buggy some time recently though iirc, but on the whole, they're fairly solid firewalls that are easy to administer. PIX's of course don't have the pretty graphical interface, but are solid firewalls. I don't like Checkpoint, any firewall that comes by default with "Hidden Implied Rules" doesn't wash with me (is this still the case with newer versions of Checkpoint ?)
For a good, relatively inexpensive firewall, I'd recommend the Linux-Mandrake firewall solution, running on commodity Intel hardware.
Simple to set up, fairly easy to run, easy to maintain.
Smoothwall definitely has its merits in this arena - and by extension I'd imagine IPcop does too.
2. What can my sysadmin handle ? A Junior MCSE handed a
To be honest, I don't really think an MCSE with small amounts of job experience should ever be handed main security responsibility. There's merit to outsourcing security functions in this event if you're too small to justify full time security staff or experienced systems administrators with security experience. Any firewall configured badly is a bad firewall, be it IPcop, Smoothwall, OpenBSD/PF , Checkpoint or whatever. Regards, Mark ------------------------------------------------------------------------ --- Thinking About Security Training? You Can't Afford Not To! Vigilar's industry leading curriculum includes: Security +, Check Point, Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now! --UP TO 30% off classes in select cities-- http://www.securityfocus.com/Vigilar-security-basics ------------------------------------------------------------------------ ---- ------------------------------------------------------------------------ --- Thinking About Security Training? You Can't Afford Not To! Vigilar's industry leading curriculum includes: Security +, Check Point, Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now! --UP TO 30% off classes in select cities-- http://www.securityfocus.com/Vigilar-security-basics ------------------------------------------------------------------------ ---- ************************************************************************ ************************** ** eSafe-portsmouth scanned this email for viruses, vandals and malicious content ** ************************************************************************ ************************** ------------------------------------------------------------------------ --- Thinking About Security Training? You Can't Afford Not To! Vigilar's industry leading curriculum includes: Security +, Check Point, Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now! --UP TO 30% off classes in select cities-- http://www.securityfocus.com/Vigilar-security-basics ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Thinking About Security Training? You Can't Afford Not To! Vigilar's industry leading curriculum includes: Security +, Check Point, Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now! --UP TO 30% off classes in select cities-- http://www.securityfocus.com/Vigilar-security-basics ----------------------------------------------------------------------------
Current thread:
- Re: suggestions on a good firewall, (continued)
- Re: suggestions on a good firewall salgak (May 23)
- RE: suggestions on a good firewall Dana Rawson (May 23)
- Re: suggestions on a good firewall Danny (May 26)
- Re: suggestions on a good firewall Jason Dixon (May 28)
- Re[2]: suggestions on a good firewall Malte von dem Hagen (May 28)
- Re: Re[2]: suggestions on a good firewall Jason Dixon (May 29)
- Re: suggestions on a good firewall Danny (May 26)
- RE: suggestions on a good firewall dave (May 26)
- RE: suggestions on a good firewall Daniel Cid (May 26)
- RE: suggestions on a good firewall Trevor (May 26)
- RE: suggestions on a good firewall dave (May 23)
- RE: suggestions on a good firewall Christopher Harrington (May 23)
- RE: suggestions on a good firewall Des Ward (May 26)
- RE: Re[4]: suggestions on a good firewall Christopher Harrington (May 26)
- RE: suggestions on a good firewall David Ellis (May 26)
- RE: suggestions on a good firewall David Moisan (May 27)
- RE: suggestions on a good firewall David Ellis (May 26)
- RE: suggestions on a good firewall Christopher Harrington (May 26)
- Re: RE: suggestions on a good firewall Spencer Hall (May 27)
- RE: suggestions on a good firewall Chris Berry (May 27)
- RE: RE: suggestions on a good firewall DeGennaro, Gregory (May 28)
- RE: suggestions on a good firewall Christopher Harrington (May 28)