Firewall Wizards mailing list archives
Other Firewall-Appliances than SonicWall / Watchguard?
From: "Volker Tanger" <volker.tanger () discon de>
Date: Wed, 17 Oct 2001 16:34:30 +0200
Greetings!

Usually working with CKP or Raptor we are now looking for a cheap (price for unlimited IP less than 30% of unlimited CKP) no-nonsense FW appliance. We tested some with varying degrees of failure (see below).

We need:
- minimum 3 (three) interfaces/networks, routed
- rules and NAT (static and hide) into all directions (WWW, LAN, DMZ)
- full logging
- content filter (MIME types, URL keywords)
- User authentication (simple login/pw is sufficient) for services (esp. HTTP)
- named network objects and grouping are a bonus
- VPN as client and server (builtin or option)

After having a look at SonicWall / Watchguard / Linux2.4 and others I am slowly becoming desperate looking for other options. Any suggestions are welcome.

Here are my results on the tests so far...

SonicWall
+ admin via Web browser - any OS, no additional software installation
- DMZ cannot be set up as separated network (always part of external network).
- Logging too sparse, accounting won't work (okay, maybe via statistics)
- no named network objects, no grouping
- automatic rule priority setting

WatchGuard
+ Content Filter (prevents many viruses)
+ SMTP header masquerading/filtering
+ HostView - graphical representation of current connections
+ good MIME type/extension/categories content filter
- NAT crippled: only static ARP from WWW->LAN, hide LAN->WWW
- basic rulebase not transparent (hidden behind icons, nested menus and implicit priority rules)
-/+ auto-blocking feature - but no protection against killing oneself (with forged Src IP)
- log viewer forgets search/filter at each update so debugging connections is a real pain
- no named network objects, no grouping
- automatic rule priority setting

Linux Netfilter 2.4
+ simple, fast
+ full routing and NAT
- hard to teach, no "professional" (idiot-proof & colourful) GUI
- no content-checking
- no named network objects, no grouping (well, scripts can do a lot here)

Pyramid Ben Hur
- NOT A FIREWALL

CheckPoint appliances (Nokia, Pyramid Charlie)
- TOO EXPENSIVE (as they still need the CKP unlimited license)

NetScreen
* I'll test that in a few weeks

Thanks

Volker

--
Volker Tanger <volker.tanger () discon de>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards