Firewall Wizards mailing list archives

Re: Firewall comparison


From: wolt () igd fhg de
Date: Thu, 4 Mar 1999 17:23:30 +0100


Hi,

you wrote:

   >...in irrelevant ways and with nonsense data meant to play off of the
   >inexperience of the audience.
   >
   >I mean, really, how else could everyone's firewall be "the best"?
   >
   >How much can you really learn useful things about a commercial
   >firewall like implementing relays in kernels vs. applications,
   >pre-forking relays vs. firing them up on demand, the pros and cons of
   >stateful packet filtering, resistance to various classes of attacks,
   >the ability to cycle through a socket's states, open source code
   >vs. proprietary design, etc.?

I'd say most of the folks on the list will agree with this. The trouble with
most testing scenarios is that they are quick and shallow (running
off-the-shelf scanners against default configurations) or focus on completely
irrelevant aspects. If somebody fails to properly install a program with a
reasonably decent manual, just what sort of security do you expect that person
to provide as a FW admin?

<snip>

   The only mechanisms for comparison when you have selected one of the major
   firewalls (other than broadly through ITSEC or Common Criteria
   Certificates), are price, whether the company that supports you is good
   enough, and who configures, installs and maintains the gateway. When it
   comes down to it, good support is vital.

Now that I can't quite agree with. There *are* differences between the
firewalls on the market from a security perspective, but the biggest
differences are in handling non-standard data types and how the firewalls
react under load. Back when T-1 was king and RTTs were in the triple digit
milliseconds on a good day, throughput really didn't matter. These days it's
not that uncommon to have multi-megabit feeds, and things like QoS are a hot
issue (VoIP etc.). 

We're working on something that will look like a decent test scenario at this
institute (I know, banging my own drum, but it's non-profit anyway), and so
far the response from most vendors contacted was positive. Note that this is
without prior submission of the test battery :) I see this as a hopeful sign
that at least the big FW vendors are reasonably confident of their products
and that we may yet see the end of the snake oil peddlers (usually new or
smaller companies that make some outrageous claims that are reproduced without
comment in trade rags...). Hope to have something to report by the end of the
year. 



-- 
        later,
        Stephen

Fraunhofer-IGD                 | mailto:
Stephen Wolthusen              | stephen () wolthusen com
Rundeturmstr. 6                | swolthusen () acm org
64283 Darmstadt, GERMANY       | wolt () igd fhg de
                               | wolt () capcom de
                               | 
Tel +49 (0) 6151 155 539 (Bs.) | Fax: +49 (0) 6151 155 499 (Bs.)
    +49 (0) 172 916 9883       |      +49 (0) 6245 905 366 (Pri.)
    +49 (0) 6245 6952   (Pri.) |