Firewall Wizards mailing list archives

Other Firewall-Appliances than SonicWall / Watchguard?


From: "Volker Tanger" <volker.tanger () discon de>
Date: Wed, 17 Oct 2001 16:34:30 +0200

Greetings!

Usually working with CKP or Raptor we are now looking for a cheap (price
for unlimited IP less than 30% of unlimited CKP) no-nonsense FW
appliance. We tested some with varying degrees of failure (see below).
We need:
    - minimum 3 (three) interfaces/networks, routed
    - rules and NAT (static and hide) in all directions (WWW, LAN,
DMZ)
    - full logging
    - content filter (MIME types, URL keywords)
    - User authentication (simple login/pw is sufficient) for services
(esp. HTTP)
    - named network objects and grouping are a bonus
    - VPN as client and server (builtin or option)

After having a look at SonicWall / Watchguard / Linux2.4 and others I am
slowly becoming desperate looking for other options. Any suggestions are
welcome.

Here my results on the tests so far...

SonicWall
    + admin via Web browser - any OS, no additional software
installation
    - DMZ cannot be set up as a separate network (always part of the
external network).
    - Logging too sparse, accounting won't work (okay, maybe via
statistics)
    - no named network objects, no grouping
    - automatic rule priority setting

WatchGuard
    + Content Filter (prevents many viruses)
    + SMTP header masquerading/filtering
    + HostView - graphical representation of current connections
    + good MIME type/extension/categories content filter
    - NAT crippled: only static ARP from WWW->LAN, hide LAN->WWW
    - basic rulebase not transparent (hidden behind icons, nested menus
and implicit priority rules)
    -/+ auto-blocking feature - but no protection against killing
oneself (with forged Src IP)
    - log viewer forgets search/filter at each update so debugging
connections is a real pain
    - no named network objects, no grouping
    - automatic rule priority setting

Linux Netfilter 2.4
    + simple, fast
    + full routing and NAT
    - hard to teach, no "professional" (idiot-proof & colourful) GUI
    - no content-checking
    - no named network objects, no grouping (well, scripts can do a lot
here)

Pyramid Ben Hur
    - NOT A FIREWALL

CheckPoint appliances (Nokia, Pyramid Charlie)
    - TOO EXPENSIVE (as they still need the CKP unlimited license)

NetScreen
    * I'll test that in a few weeks

Thanks
    Volker

--

Volker Tanger  <volker.tanger () discon de>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
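Added example, not from Volker's post and not from any of the vendors
named above: one way of getting "named network objects" and "grouping"
out of Netfilter 2.4 with plain shell, as the Linux entry in the list
hints at. It covers the requirements list from the top of the post
(three routed interfaces, static and hide NAT, full logging of what is
dropped) as a generator that only prints the iptables commands, so the
rule order can be read and reviewed before it is piped into sh as root.
Every interface name, network and address is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post or any vendor: a shell
# generator for a three-interface Netfilter 2.4 rule set. Named network
# objects are plain variables; a "group" is a space-separated list that
# loops expand into one rule per member. All interfaces, networks and
# addresses below are hypothetical placeholders.
# The script only prints iptables commands; review, then pipe into sh as root.

# ---- named network objects (hypothetical) ----
WWW_IF=eth0;  WWW_ADDR=192.0.2.10        # external interface and address
LAN_IF=eth1;  LAN_NET=10.0.0.0/24
DMZ_IF=eth2;  DMZ_NET=10.0.1.0/24
DMZ_WEB=10.0.1.80;  DMZ_WEB_PUB=192.0.2.80   # static (1:1) NAT pair
DMZ_MAIL=10.0.1.25; DMZ_MAIL_PUB=192.0.2.25  # static (1:1) NAT pair

# ---- groups: space-separated lists of objects ----
GROUP_STATIC_NAT="$DMZ_WEB:$DMZ_WEB_PUB $DMZ_MAIL:$DMZ_MAIL_PUB"
GROUP_WEB_PORTS="80 443"
GROUP_MAIL_PORTS="25"

# allow_tcp IN_IF SRC OUT_IF DST "PORTS": one NEW-state ACCEPT rule per port
allow_tcp() {
    for port in $5; do
        echo "iptables -A FORWARD -i $1 -s $2 -o $3 -d $4 -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
}

# static_nat "INSIDE:PUBLIC" ...: DNAT inbound and SNAT outbound per pair
static_nat() {
    for pair in "$@"; do
        inside=${pair%%:*}; public=${pair##*:}
        echo "iptables -t nat -A PREROUTING -i $WWW_IF -d $public -j DNAT --to-destination $inside"
        echo "iptables -t nat -A POSTROUTING -o $WWW_IF -s $inside -j SNAT --to-source $public"
    done
}

gen_rules() {
    echo "iptables -F; iptables -t nat -F"
    echo "iptables -P FORWARD DROP"
    # replies to accepted connections, whatever the direction
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # static NAT first: POSTROUTING is first-match, so the 1:1 SNAT rules
    # must precede the hide-NAT rule that would otherwise swallow them
    static_nat $GROUP_STATIC_NAT
    # hide NAT: everything else from LAN and DMZ leaves as the external address
    echo "iptables -t nat -A POSTROUTING -o $WWW_IF -s $LAN_NET -j SNAT --to-source $WWW_ADDR"
    echo "iptables -t nat -A POSTROUTING -o $WWW_IF -s $DMZ_NET -j SNAT --to-source $WWW_ADDR"
    # WWW -> DMZ: only the published services; FORWARD sees the post-DNAT address
    allow_tcp "$WWW_IF" 0.0.0.0/0 "$DMZ_IF" "$DMZ_WEB"  "$GROUP_WEB_PORTS"
    allow_tcp "$WWW_IF" 0.0.0.0/0 "$DMZ_IF" "$DMZ_MAIL" "$GROUP_MAIL_PORTS"
    # LAN -> DMZ and LAN -> WWW; DMZ -> LAN has no rule and falls to the DROP policy
    allow_tcp "$LAN_IF" "$LAN_NET" "$DMZ_IF" "$DMZ_NET" "$GROUP_WEB_PORTS $GROUP_MAIL_PORTS"
    allow_tcp "$LAN_IF" "$LAN_NET" "$WWW_IF" 0.0.0.0/0 "$GROUP_WEB_PORTS"
    # log whatever is about to be dropped, rate-limited so a flood cannot fill the disk
    echo "iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix \"FW DROP: \""
}

# rule_count prints the number of generated commands (a self-check for edits)
rule_count() { gen_rules | wc -l | tr -d ' '; }

gen_rules
```

Run it as `sh fwgen.sh > rules.sh`, read rules.sh, then `sh rules.sh` as
root. The explicit ordering in POSTROUTING is the point the script makes
against the "automatic rule priority" the appliances above impose: a
generator shows the priority in the order it prints. What it does not
give you is the content filter or the HTTP user authentication from the
requirements list; Netfilter itself has none, and those would need a
proxy in front of or behind this rule set.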
