Firewall Wizards mailing list archives

RE: Firewall comparison


From: John McDonald <Johnm () Networkguys com>
Date: Mon, 1 Mar 1999 08:13:44 -0800

The only problem with the firewalls you've mentioned: they cannot
detect fragmented-packet UDP storms, which is the very first penetration
test we attempt against the firewalls of very recognizable
companies.

These firewalls need to be configured from scratch, and those who are
very intent on keeping their secret information secret will rely on more
robust firewalls that are incredibly more secure. We have run
penetration tests on every firewall imaginable over the course of the
last five years. Our analysis has led us to Firewall-1 being the most
secure firewall, when properly configured, on a Unix platform. We have
been able to easily penetrate almost every firewall in under 24 hours,
most in under 20 minutes, generally due to misconfiguration.

Please do not rely on home-grown firewalls in a commercial organization
unless you possess *extensive* knowledge of security and routing.
Otherwise, you may need to look for another job, because being hacked is
NOT fun and is NOT an option for reputable companies.



John D. McDonald 

Phone: 510.713.8880 ext. 306 
Fax:      510.713.3456 
E-mail: JohnM () NetworkGuys com
Web:    www.NetworkGuys.com

Secure Enterprise Connectivity
Managed Security        Managed Firewall
Anti-Virus-Vandal       Firewalls
Security Audits VPN
Digital Certificates    Security Systems
24x7 Network Monitoring/Hacker intrusion


                -----Original Message-----
                From:   Bennett Todd [mailto:bet () newritz mordor net]
                Sent:   Friday, February 26, 1999 9:44 AM
                To:     Radovan Semancik
                Cc:     ark () eltex ru; firewall-wizards () nfr net
                Subject:        Re: Firewall comparison

                1999-02-25-13:29:00 Radovan Semancik:
                > > What info exactly are you interested in? Security?
                > > Performance? Design and technology issues?
                > > Implementation features and bugs?
                > 
                > Design and technology. That's the thing that changes
                > very slowly and has a major influence on overall
                > security and performance.

                I've gotta agree on that.

                These days, the design and technology that seems to me
                to make the best firewalls for many, perhaps most
                settings, are a good well-supported Open Source
                Unix-like OS like Linux or one of the free BSDs,
                together with a suitable mix of proxies for your needs
                (e.g. TIS fwtk, smtpd, plugdaemon, rinetd, qmail,
                squid), all nicely reinforced with some nice packet
                filtering like ipfw or ipfilter. The technology here
                isn't a big step from the oldest firewalls, mostly just
                adding the packet filtering reinforcement, but it's
                still the best. Packet filtering firewalls like the FW1
                and the Pix are nice as somewhat sturdier replacements
                for screening routers, but for serious protection I'd
                rather have data streams getting proxied at the top of
                a nice solid IP stack and regenerated as nice shiny new
                packets, rather than having dirty packets from the
                outside passed right through by a filter.

                -Bennett
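John's claim is that the firewalls under discussion do not notice a fragmented-packet UDP storm, and Bennett's design puts a packet filter in front of the proxies; the following is an added example (not code from either poster or from any product named in the thread) of the kind of detection a defender can run over packet-filter logs to catch such a storm. It assumes a constructed, simplified log format of `<epoch> <proto> <src> <dst> [frag]` per line; real ipfw or ipfilter logs would need their own parser.

```python
"""Flag sources that send a burst of fragmented UDP packets (a 'frag UDP storm')."""
from collections import defaultdict, deque


def parse_line(line):
    """Parse one constructed log line: '<epoch> <proto> <src> <dst> [frag]'.
    Returns None for lines that do not have at least the four required fields."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, proto, src, dst = parts[:4]
    return {"ts": float(ts), "proto": proto.lower(), "src": src, "dst": dst,
            "frag": "frag" in parts[4:]}


def detect_frag_udp_storms(lines, window=1.0, threshold=100):
    """Sliding-window rate check: return {src: peak_count} for every source whose
    fragmented UDP packets within any `window` seconds exceed `threshold`.
    Lines are expected in timestamp order (as a log would be)."""
    recent = defaultdict(deque)   # src -> timestamps of recent fragmented UDP packets
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or not rec["frag"]:
            continue                # only fragmented UDP counts toward the storm
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()             # drop packets that fell out of the window
        if len(q) > threshold:
            offenders[rec["src"]] = max(offenders.get(rec["src"], 0), len(q))
    return offenders


def build_sample():
    """Constructed sample log (not captured traffic): one source sends 150
    fragmented UDP packets in 0.75 s, a second source sends five legitimate
    fragments spread over 0.5 s, plus one unrelated TCP line."""
    lines = [f"{1000 + i * 0.005:.3f} udp 203.0.113.5 192.0.2.10 frag" for i in range(150)]
    lines += [f"{1000 + i * 0.1:.3f} udp 198.51.100.7 192.0.2.10 frag" for i in range(5)]
    lines.append("1000.500 tcp 198.51.100.8 192.0.2.10")
    lines.sort(key=lambda ln: float(ln.split()[0]))
    return lines


if __name__ == "__main__":
    print(detect_frag_udp_storms(build_sample()))   # {'203.0.113.5': 150}
```

The threshold and window are tuning knobs; the slow-fragment sender stays below the threshold and is not reported, which is the distinction a filter that merely counts fragments cannot make.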
