Firewall Wizards mailing list archives
Re: Firewall comparison
From: wolt () igd fhg de
Date: Thu, 4 Mar 1999 17:23:30 +0100
Hi, you wrote:

> ...in irrelevant ways and with nonsense data meant to play off of the
> inexperience of the audience.
>
> I mean, really, how else could everyone's firewall be "the best"?
>
> How much can you really learn useful things about a commercial
> firewall like implementing relays in kernels vs. applications,
> pre-forking relays vs. firing them up on demand, the pros and cons of
> stateful packet filtering, resistance to various classes of attacks,
> the ability to cycle through a socket's states, open source code
> vs. proprietary design, etc.?

I'd say most of the folks on the list will agree with this. The trouble with most testing scenarios is that they are quick and shallow (running off-the-shelf scanners against default configurations) or focus on completely irrelevant aspects. If somebody fails to properly install a program with a reasonably decent manual, just what sort of security do you expect that person to provide as a FW admin?

<snip>

> The only mechanisms for comparison when you have selected one of the
> major firewalls (other than broadly through ITSEC or Common Criteria
> Certificates), are price, whether the company that supports you is good
> enough, and who configures, installs and maintains the gateway. When it
> comes down to it, good support is vital.

Now that I can't quite agree with. There *are* differences between the firewalls on the market from a security perspective, but the biggest differences are in handling non-standard data types and how the firewalls react under load. Back when T-1 was king and RTTs were in the triple digit milliseconds on a good day, throughput really didn't matter. These days it's not that uncommon to have multi-megabit feeds, and things like QoS are a hot issue (VoIP etc.).

We're working on something that will look like a decent test scenario at this institute (I know, banging my own drum, but it's non-profit anyway), and so far the response from most vendors contacted was positive. Note that this is without prior submission of the test battery :) I see this as a hopeful sign that at least the big FW vendors are reasonably confident of their products and that we may yet see the end of the snake oil peddlers (usually new or smaller companies that make some outrageous claims that are reproduced without comment in trade rags...). Hope to have something to report by the end of the year.

-- 
later,
Stephen

Fraunhofer-IGD | mailto:
Stephen Wolthusen | stephen () wolthusen com
Rundeturmstr. 6 | swolthusen () acm org
64283 Darmstadt, GERMANY | wolt () igd fhg de | wolt () capcom de
Tel +49 (0) 6151 155 539 (Bs.) | Fax: +49 (0) 6151 155 499 (Bs.)
+49 (0) 172 916 9883 | +49 (0) 6245 905 366 (Pri.)
+49 (0) 6245 6952 (Pri.) |
Current thread:
- RE: Firewall comparison John McDonald (Mar 01)
- Re: Firewall comparison Bennett Todd (Mar 01)
- Re: Firewall comparison Steve George (Mar 03)
- <Possible follow-ups>
- RE: Firewall comparison ark (Mar 02)
- Re: Firewall comparison Matt Curtin (Mar 03)
- Re: Firewall comparison Christopher Nicholls (Mar 04)
- Re: Firewall comparison wolt (Mar 05)
- Re: Firewall comparison dreamwvr (Mar 05)
- Re: Firewall comparison Christopher Nicholls (Mar 04)