Firewall Wizards mailing list archives
RE: Firewall comparison
From: John McDonald <Johnm () Networkguys com>
Date: Mon, 1 Mar 1999 08:13:44 -0800
The only problem with the firewalls you've mentioned: they cannot detect fragmented packet UDP storms, which is the very first penetration test we attempt against the firewalls of very recognizable companies. These firewalls need to be configured from scratch, and those who are very intent on keeping their secret information secret will rely on more robust firewalls that are incredibly more secure.

We have run penetration tests on every firewall imaginable over the course of the last five years. Our analysis has led us to Firewall-1 being the most secure firewall, when properly configured, on a Unix platform. We have been able to easily penetrate almost every firewall in under 24 hours, most in under 20 minutes, generally due to misconfiguration.

Please do not rely on home grown firewalls in a commercial organization unless you possess *extensive* knowledge of security and routing. Otherwise, you may need to look for another job, because being hacked is NOT fun and is NOT an option for reputable companies.

John D. McDonald
Phone: 510.713.8880 ext. 306
Fax: 510.713.3456
E-mail: JohnM () NetworkGuys com
Web: www.NetworkGuys.com
Secure Enterprise Connectivity
Managed Security, Managed Firewall, Anti-Virus-Vandal Firewalls, Security Audits, VPN, Digital Certificates, Security Systems, 24x7 Network Monitoring/Hacker intrusion

-----Original Message-----
From: Bennett Todd [mailto:bet () newritz mordor net]
Sent: Friday, February 26, 1999 9:44 AM
To: Radovan Semancik
Cc: ark () eltex ru; firewall-wizards () nfr net
Subject: Re: Firewall comparison

1999-02-25-13:29:00 Radovan Semancik:
> > What info exactly are you interested in? Security? Performance? Design and
> > technology issues? Implementation features and bugs?
>
> Design and technology. That's the thing that changes very slowly and has
> a major influence on overall security and performance.

I've gotta agree on that. These days, the design and technology that seem to me to make the best firewalls for many, perhaps most settings, are a good, well-supported Open Source Unix-like OS like Linux or one of the free BSDs, together with a suitable mix of proxies for your needs (e.g. TIS fwtk, smtpd, plugdaemon, rinetd, qmail, squid), all nicely reinforced with some nice packet filtering like ipfw or ipfilter. The technology here isn't a big step from the oldest firewalls, mostly just adding the packet filtering reinforcement, but it's still the best.

Packet filtering firewalls like the FW1 and the Pix are nice as somewhat sturdier replacements for screening routers, but for serious protection I'd rather have data streams getting proxied at the top of a nice solid IP stack and regenerated as nice shiny new packets, rather than having dirty packets from the outside passed right through by a filter.

-Bennett
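The "packet filtering reinforcement" around a proxy host that Bennett describes, written out as an ipfilter rule set. This is an added example and is not code from either poster or from the ipfilter project. The external interface name ed0, the proxy host address 203.0.113.10, the resolver address 203.0.113.53, and the choice of SMTP and HTTP as the proxied services are assumptions made for the example; substitute your own.

```conf
# ipf.conf (added example, not from the original thread)
# Assumptions: external interface ed0; proxy host 203.0.113.10 runs an
# SMTP proxy on 25 and an HTTP proxy on 80; DNS resolver is 203.0.113.53.

# Packets too short to carry a full header, and IP fragments, are dropped
# and logged before any other rule is consulted. The proxies never see
# them, and a fragmented UDP storm shows up in the ipmon log instead of
# reaching the application layer.
block in log quick on ed0 all with short
block in log quick on ed0 all with frag

# Anti-spoofing: loopback and private source addresses never arrive on
# the outside interface legitimately, and neither does our own address.
block in log quick on ed0 from 127.0.0.0/8 to any
block in log quick on ed0 from 10.0.0.0/8 to any
block in log quick on ed0 from 172.16.0.0/12 to any
block in log quick on ed0 from 192.168.0.0/16 to any
block in log quick on ed0 from 203.0.113.10/32 to any

# Inbound: only new TCP connections (SYN only) to the proxy listeners.
# The return half of each connection is matched from the state table,
# so no rule passes unsolicited inbound packets.
pass in quick on ed0 proto tcp from any to 203.0.113.10/32 port = 25 flags S keep state
pass in quick on ed0 proto tcp from any to 203.0.113.10/32 port = 80 flags S keep state

# Outbound: the connections the proxies themselves open toward the
# outside (regenerated packets from our own stack), plus DNS lookups.
# keep state on UDP admits only the reply matching an outstanding query.
pass out quick on ed0 proto tcp from 203.0.113.10/32 to any flags S keep state
pass out quick on ed0 proto udp from 203.0.113.10/32 to 203.0.113.53/32 port = 53 keep state

# Default deny in both directions, logged, so anything the rules above
# did not explicitly expect is visible rather than silently passed.
block in log on ed0 all
block out log on ed0 all
```

Two points worth keeping in mind when adapting this. First, the filter is only the reinforcement: every service still terminates at a proxy on the host, so outside packets are never forwarded through it. Second, dropping every fragment with `with frag` is deliberately blunt; it discards legitimate fragmented traffic as well (large UDP replies, for instance), so check whether anything you proxy depends on fragments before taking that rule onto a production host.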
Current thread:
- RE: Firewall comparison John McDonald (Mar 01)
- Re: Firewall comparison Bennett Todd (Mar 01)
- Re: Firewall comparison Steve George (Mar 03)
- <Possible follow-ups>
- RE: Firewall comparison ark (Mar 02)
- Re: Firewall comparison Matt Curtin (Mar 03)
- Re: Firewall comparison Christopher Nicholls (Mar 04)
- Re: Firewall comparison wolt (Mar 05)
- Re: Firewall comparison dreamwvr (Mar 05)
- Re: Firewall comparison Christopher Nicholls (Mar 04)