Re: Firewall licensing purpose, methods, and techniques

[Don Ng <sayhockng () yahoo com>]

 Bruce, in the case of CyberGuard firewalls, by
default all of them come with unlimited licences.
However for the entry level FS Firestar,9 interfaces
10/100, 200MB throughput, there is the option to have
limited licences 25, 50 et al.

 Their method of counting users is different from that
of CheckPoint. The firewall will not do a ping and
count all the replies coming from all hosts that
respond, under Checkpoint they would count printers as
users from what I gather. 

 The firewall will keep track of internal nodes that
are going out to the external interface <Internet>.
A email server ==PC user browsing the web==01 user.

Unless your printer access the Internet, else it would
not count.

 Now what about DMZs, the CyberGuard firewall do not
keep track of users from internal to DMZs, so there is
no restrictions on the number of users accessing other
internal networks.

 With a 50 user licence, the firewall will keep track
of the first 50 ips that access the Internet from
Internal networks, the 51st IP that tries to access
will be blocked. All of them are still protected,
regardless.

 The IP list will reset on reboot of the firewall.

Don Ng

PS: I work for www.quantiqint.com which distributes
CyberGuard Firewalls in the Asia Pac region. Just to
let you all know.




--- Bruce Platt <Bruce () ei3corp com> wrote:
> I am curious about how firewall vendors license
> their products and enforce
> them.
>
> Most vendors sell licenses with descriptive phrases
> like 25 users, 25-100
> users, unlimited users, and so forth to describe
> their license tiers.  They
> have a right to collect money for the use of their
> intellectual property.
>
> When queried, most are vague at best as to what a
> "user" mean, and answer
> with nodes protected by the firewall.  But does a
> "user" mean someone who
> uses a desktop PC to web browse using the http
> proxy, or does a "user" mean
> a mail server protected by the firewall and using
> the smtp proxy, or does a
> "user" mean a networked printer on the protected
> network which will never
> touch the firewall?  I have had one vendor tell me
> that a user is any device
> with an IP stack.  
>
> How do vendors count users?  In pre windows days one
> could use a ping to the
> network broadcast address to count replying unix
> boxes.  Today one could use
> the nmap code that does a "nmap -sP -PT0
> network-address" to count
> responding machines.  But what network address to
> use, the network address
> on which the fw protected network exists?  What
> about other networks that
> might also be behind the firewall?
>
> That same vendor referred to above also allowed that
> they do not count.
> They trust the purchaser.
>
> Who counts today and how?  I am interested because
> we provide services using
> PVCs over frame connections, and it's time to get a
> new firewall.
>
> Regards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


__________________________________________________
Do You Yahoo!?
Listen to your Yahoo! Mail messages from any phone.
http://phone.yahoo.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards