Firewall Wizards mailing list archives

Firewall licensing purpose, methods, and techniques


From: Bruce Platt <Bruce () ei3corp com>
Date: Wed, 26 Sep 2001 10:01:41 -0400

I am curious about how firewall vendors license their products and enforce
them.

Most vendors sell licenses with descriptive phrases like 25 users, 25-100
users, unlimited users, and so forth to describe their license tiers.  They
have a right to collect money for the use of their intellectual property.

When queried, most are vague at best as to what a "user" means, and answer
with nodes protected by the firewall.  But does a "user" mean someone who
uses a desktop PC to web browse using the http proxy, or does a "user" mean
a mail server protected by the firewall and using the smtp proxy, or does a
"user" mean a networked printer on the protected network which will never
touch the firewall?  I have had one vendor tell me that a user is any device
with an IP stack.  

How do vendors count users?  In pre-Windows days one could use a ping to the
network broadcast address to count replying Unix boxes.  Today one could use
the nmap code that does a "nmap -sP -PT0 network-address" to count
responding machines.  But what network address to use, the network address
on which the fw protected network exists?  What about other networks that
might also be behind the firewall?

That same vendor referred to above also allowed that they do not count.
They trust the purchaser.

Who counts today and how?  I am interested because we provide services using
PVCs over frame connections, and it's time to get a new firewall.

Regards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards