Firewall Wizards mailing list archives
Re: SCC buys Gauntlet
From: firewalls () msg net <firewalls () msg net>
Date: Thu, 21 Feb 2002 18:14:14 -0600 (CST)
> > I just built a new Gauntlet 6.0 firewall on a 280R from two thousand miles away. I did the complete build, from OS installation to firewall software to rule creation, completely remotely, without anybody ever having to physically touch the box from the moment the power, network, and serial cables were connected to a fresh chassis. Took me less than a day. IMHO, there is no way I could ever do this with Sidewinder on PC hardware.
> I've been running Sidewinders both locally and remotely since 1996. You'll probably be pleasantly surprised.
I ran Sidewinder firewalls locally at a 200-person enterprise in 2000, and was not very happy with them. Among other issues, there was some administrative work that could only be done on the local console. Also, a DoS I found against the product using ISIC (a packet-filter testing tool we developed with Mike Frantzen) appeared to be exercising a very old BSD IP stack bug that Secure Computing had not fixed in their code tree. Sure, I've also found DoS against Gauntlet, but both Gauntlet and Sun are usually good about responding to these issues.
> I nearly uniformly use Dell rackmount servers, although I've built my own PC hardware in a few cases for customers that had special requirements (token ring, anyone?). In the last two years on the networks I use, we've had three or four Sun disk failures, CPU deaths, and at least one memory problem -- during the same time period the PC hardware hosting my corporate Sidewinders has been solid as a rock.
I've experienced memory, CPU, and power-supply failures on Dell rackmounts (in an environmentally controlled, air- and power-filtered data center) at a _much_ higher rate than equivalent failures on Sun hardware. Of course, the disk failures could happen on any platform, PC or Sparc, but on every Sun you have built-in support for booting from a mirror drive, and full serial console control from POST on up. Our small team in the corp IT organization runs 10 Dell rackmount servers in the primary Corporate-HQ datacenter, along with a half-dozen Gauntlet systems, another half-dozen (non-firewall) Sparc systems, and remotely maintains many other Gauntlet firewalls around the country on various Sun Sparc hardware. We have a _substantial_ investment in Sun hardware for firewalls, including many E250 and 280R servers. These servers are a particularly good choice for remote firewalls due to the 'Remote System Control' hardware which provides full remote management (including both remote power-down _and_ power-up!). To even come near these features on PCs, you pay as much as for Sparc. There's no way I could trust Dell (or any PC) hardware to the degree I have confidence in the reliability and maintainability of Sun Sparc. There is little chance that Secure Computing can convince me to pull out these mid-range 'multi-CPU multi-gig-memory multi-disk' Sun systems running Gauntlet and replace them with PC hardware running Sidewinder.
> I'm continually amazed when people report that Sidewinder isn't sufficiently customizable. I find it vastly easier to work on than Gauntlet
Sidewinder swiftly hits its limits in how much customization is possible, and it is very difficult to extend the functions of the firewall host. What do you do when you need quad ethernet, etherchannel or gig connectivity?
> or FW-1, primarily because it's much closer to UNIX -- i.e. based on text config files which are nearly natural language, rather than proprietary coding languages.
Gauntlet's configuration data in 'netperm-table' isn't close to Unix? Isn't human-readable?
> What do you need the systems to do?
I don't trust BIND; I install djb's daemontools and dnscache. I don't trust SMAP (for good reason!) or sendmail; I install QMail. I need to do nightly off-site system backups, so I use cron, ufsdump and ssh to push filesystem images to a remote host over a private backchannel network.
> I got IPsec running >through< a Sidewinder long before anyone seemed to be able to do that on a Gauntlet.
No comment.
> Plus, you get the great advantage of not having to build and maintain the underlying operating system, since it's all bundled
Plus you lose the ability to use the features of the underlying operating system, since it is all bundled and mostly out of your reach. No support for compiling custom binaries or loading new proxy applications beyond what Secure Computing sees fit to give you. If I didn't want to maintain the OS, I'd buy the Gauntlet appliance firewall.
> -- and the joy of a mandatory access control operating system, which amongst other things means that you've got built in damage control against exploits and bugs, not to mention a new set of alarms and audits that will go off when evildoers start misbehaving.
And the pain of a MAC operating system which makes it almost impossible to actually use SecureOS to do anything at the command-line level.
> I know my old Gauntlet customers are going to be pretty happy, once they get over the shot.
>
> tbird
> Sidewinder evangelist
> no, they don't pay me
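The nightly off-site backup sketched in the reply above (cron, ufsdump and ssh pushing filesystem images to a remote host over a private backchannel) written out as a complete script. This is an added example, not the poster's own script: the backup host name, key path, remote directory and the Sunday-full/weekday-incremental level scheme are all assumptions.

```sh
#!/bin/sh
# Nightly off-site filesystem backup: cron runs this script, ufsdump writes a
# filesystem image to stdout, and ssh pushes it to a host that is reachable
# only over a private backchannel network. Added example; every host, path
# and key name below is an assumption, not from the original post.

set -u

BACKUP_HOST="${BACKUP_HOST:-backup.backchannel.example}"   # assumed: reachable only via the backchannel
BACKUP_KEY="${BACKUP_KEY:-/etc/backup/id_backup}"          # assumed: dedicated key, restricted in remote authorized_keys
BACKUP_DIR="${BACKUP_DIR:-/var/backups/$(hostname 2>/dev/null || echo localhost)}"  # assumed remote directory
DUMP="${DUMP:-ufsdump}"                                    # dump program (override when testing off Solaris)

# Map a mount point to a safe file name: "/" -> root, "/usr/local" -> usr_local
fs_name() {
    printf '%s\n' "$1" | sed 's#^/$#root#; s#^/##; s#/#_#g'
}

# Dump level by day of week (0 = Sunday): a full (level 0) dump on Sunday,
# a level-1 dump (everything changed since the last full) on other days.
dump_level_for_day() {
    case "$1" in
        0) echo 0 ;;
        *) echo 1 ;;
    esac
}

# Remote file name for one dump: <dir>/<fs>.<stamp>.L<level>.dump
remote_path() {
    printf '%s/%s.%s.L%s.dump\n' "$BACKUP_DIR" "$(fs_name "$1")" "$2" "$3"
}

# Dump one filesystem and push it over ssh. Returns non-zero if either
# ufsdump or ssh failed: a plain pipeline only reports ssh's status, so
# ufsdump's exit code is captured through a temporary file.
run_backup() {
    fs="$1"; level="$2"; stamp="$3"
    status_file=$(mktemp) || return 1
    { "$DUMP" "${level}uf" - "$fs"; echo $? > "$status_file"; } |
        ssh -i "$BACKUP_KEY" -o BatchMode=yes "$BACKUP_HOST" \
            "cat > '$(remote_path "$fs" "$stamp" "$level")'"
    ssh_rc=$?
    dump_rc=$(cat "$status_file" 2>/dev/null || echo 1)
    rm -f "$status_file"
    [ "$dump_rc" -eq 0 ] && [ "$ssh_rc" -eq 0 ]
}

# Entry point for cron, e.g.:  15 2 * * * /usr/local/sbin/offsite-backup.sh / /var /usr
main() {
    stamp=$(date +%Y%m%d)
    level=$(dump_level_for_day "$(date +%w)")
    rc=0
    for fs in "$@"; do
        if run_backup "$fs" "$level" "$stamp"; then
            logger -p daemon.notice -t offsite-backup "level $level dump of $fs sent to $BACKUP_HOST"
        else
            logger -p daemon.err -t offsite-backup "level $level dump of $fs FAILED"
            rc=1
        fi
    done
    return $rc
}

# Run only when given filesystems on the command line.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two points worth checking on a deployment like this: the `u` flag makes ufsdump record each successful dump in `/etc/dumpdates`, which is what makes the level-1 runs incremental relative to the last full, and the ssh key should be a dedicated one whose `authorized_keys` entry on the backup host is restricted (a `command=` wrapper that only accepts writes into the backup directory, plus `from=` limited to the backchannel address), so that a compromise of the firewall yields nothing more than the ability to write dump files.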
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- SCC buys Gauntlet Frederick M Avolio (Feb 13)
- Re: SCC buys Gauntlet firewalls (Feb 21)
- Re: SCC buys Gauntlet Tina Bird (Feb 21)
- Re: SCC buys Gauntlet firewalls (Feb 22)
- Re: SCC buys Gauntlet ark (Feb 21)
- Re: SCC buys Gauntlet firewalls (Feb 22)
- Re: SCC buys Gauntlet Tina Bird (Feb 21)
- <Possible follow-ups>
- Re: SCC buys Gauntlet Carson Gaspar (Feb 22)
- Re: SCC buys Gauntlet ark (Feb 23)
- Re: SCC buys Gauntlet ark (Feb 22)
- RE: SCC buys Gauntlet Charles Roten (Feb 23)
- RE: SCC buys Gauntlet Woeltje, Donald (Feb 23)
- Re: SCC buys Gauntlet kadokev (Feb 23)
- Re: SCC buys Gauntlet Tracy R Reed (Feb 24)
- Re: SCC buys Gauntlet kadokev (Feb 23)
- RE: SCC buys Gauntlet Roger Marquis (Feb 24)
(Thread continues...)