Firewall Wizards mailing list archives
Re: Firewall licensing purpose, methods, and techniques
From: Don Ng <sayhockng () yahoo com>
Date: Wed, 26 Sep 2001 21:51:31 -0700 (PDT)
Bruce, in the case of CyberGuard firewalls, by default all of them come with unlimited licences. However, for the entry-level FS Firestar (9 interfaces 10/100, 200MB throughput), there is the option to have limited licences: 25, 50, et al.

Their method of counting users is different from that of CheckPoint. The firewall will not do a ping and count all the replies coming from all hosts that respond; under Checkpoint they would count printers as users, from what I gather. The firewall will keep track of internal nodes that are going out to the external interface (Internet). An email server == a PC user browsing the web == 1 user. Unless your printer accesses the Internet, it would not count.

Now what about DMZs? The CyberGuard firewall does not keep track of users from internal to DMZs, so there are no restrictions on the number of users accessing other internal networks. With a 50-user licence, the firewall will keep track of the first 50 IPs that access the Internet from internal networks; the 51st IP that tries to access will be blocked. All of them are still protected, regardless. The IP list will reset on reboot of the firewall.

Don Ng

PS: I work for www.quantiqint.com which distributes CyberGuard Firewalls in the Asia Pac region. Just to let you all know.

--- Bruce Platt <Bruce () ei3corp com> wrote:
I am curious about how firewall vendors license their products and enforce them. Most vendors sell licenses with descriptive phrases like 25 users, 25-100 users, unlimited users, and so forth to describe their license tiers. They have a right to collect money for the use of their intellectual property. When queried, most are vague at best as to what a "user" means, and answer with nodes protected by the firewall. But does a "user" mean someone who uses a desktop PC to web browse using the http proxy, or does a "user" mean a mail server protected by the firewall and using the smtp proxy, or does a "user" mean a networked printer on the protected network which will never touch the firewall? I have had one vendor tell me that a user is any device with an IP stack.

How do vendors count users? In pre-Windows days one could use a ping to the network broadcast address to count replying unix boxes. Today one could use the nmap code that does a "nmap -sP -PT0 network-address" to count responding machines. But what network address to use, the network address on which the fw protected network exists? What about other networks that might also be behind the firewall? That same vendor referred to above also allowed that they do not count. They trust the purchaser.

Who counts today and how? I am interested because we provide services using PVCs over frame connections, and it's time to get a new firewall.

Regards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
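The per-IP licence counter Don Ng describes above (the first N internal source addresses seen going to the external interface are recorded, the next new address is blocked, internal-to-DMZ flows are not counted, and the list clears on reboot) can be modelled in a few lines, which also makes the contrast with the "any device with an IP stack" count in Bruce's question concrete: a printer that never crosses to the external interface never enters the list. The Python below is an added illustration written for this archive page, not CyberGuard's or any other vendor's code; the zone names, the `LicenceCounter` class, the `simulate` and `run_sample` helpers and the sample flows are all constructed assumptions.

```python
"""Toy model of per-source-IP firewall user-licence counting.

Added illustration (not vendor code): enforces the scheme described in the
thread, where only distinct internal IPs crossing to the external interface
consume licence slots.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed zone names; a real firewall would key on interfaces or rule groups.
INTERNAL, DMZ, EXTERNAL = "internal", "dmz", "external"


@dataclass
class LicenceCounter:
    """Tracks the first `max_users` internal source IPs seen going to EXTERNAL."""
    max_users: int
    seen: set = field(default_factory=set)

    def check(self, src_ip: str, src_zone: str, dst_zone: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for one new flow.

        Only internal -> external flows are counted; a printer or a DMZ-bound
        session never enters `seen`, however many IP stacks would answer a
        ping sweep of the LAN.
        """
        if not (src_zone == INTERNAL and dst_zone == EXTERNAL):
            return True, "not counted"
        if src_ip in self.seen:
            # A mail server opening its 100th SMTP session is still one user.
            return True, "already licensed"
        if len(self.seen) < self.max_users:
            self.seen.add(src_ip)
            return True, "licensed (%d/%d)" % (len(self.seen), self.max_users)
        # The (max_users + 1)th distinct internal IP is refused until reboot.
        return False, "licence exhausted"

    def reboot(self) -> None:
        """The IP list is volatile: a reboot starts the count from zero."""
        self.seen.clear()


# Constructed sample traffic for a 2-user licence (not captured data).
SAMPLE_FLOWS = [
    ("10.0.0.10", INTERNAL, EXTERNAL),  # desktop browsing via http proxy
    ("10.0.0.20", INTERNAL, EXTERNAL),  # mail server, outbound SMTP
    ("10.0.0.20", INTERNAL, EXTERNAL),  # same mail server, second session
    ("10.0.0.30", INTERNAL, EXTERNAL),  # third distinct IP: over the limit
    ("10.0.0.30", INTERNAL, DMZ),       # same host to the DMZ: never counted
    "REBOOT",
    ("10.0.0.30", INTERNAL, EXTERNAL),  # after reboot the list is empty again
]


def simulate(max_users: int, flows) -> Tuple[List[Tuple[str, bool, str]], List[str]]:
    """Run flows through a counter; return per-flow decisions and the final IP list."""
    counter = LicenceCounter(max_users)
    decisions = []
    for flow in flows:
        if flow == "REBOOT":
            counter.reboot()
            decisions.append(("REBOOT", True, "ip list cleared"))
            continue
        src_ip, src_zone, dst_zone = flow
        allowed, why = counter.check(src_ip, src_zone, dst_zone)
        decisions.append((src_ip, allowed, why))
    return decisions, sorted(counter.seen)


def run_sample():
    """Play the constructed flows through a 2-user licence."""
    return simulate(2, SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, allowed, why in run_sample()[0]:
        print("%-10s %-7s %s" % (src, "ALLOW" if allowed else "BLOCK", why))
```

Running it, the third distinct internal address is refused until the "REBOOT" entry clears the list, while the DMZ-bound flow from that same address passes without touching the counter and the mail server's repeat session is not counted twice; after the reboot only the one address seen since then is in the list.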
Current thread:
- Firewall licensing purpose, methods, and techniques Bruce Platt (Sep 26)
- Re: Firewall licensing purpose, methods, and techniques hesselsp (Sep 28)
- Re: Firewall licensing purpose, methods, and techniques Don Ng (Sep 28)
- <Possible follow-ups>
- Re: Firewall licensing purpose, methods, and techniques Steve R (Sep 28)
- Re: Firewall licensing purpose, methods, and techniques TDyson (Sep 28)