Firewall Wizards mailing list archives
Re: Free Firewalls? Thoughts...
From: Javier Sanchez <jsanchez () myalert com>
Date: 12 May 2003 09:15:56 +0200
On Sat, 2003-05-10 at 01:59, David Lang wrote:
> On Fri, 9 May 2003, Mark Gumennik wrote:
>
> > Javier, it seems to me that the halted mode operation is not much
> > different from running some Linux kernel-based firewalls that you can
> > run from a floppy, but the idea is very cool.
>
> the advantage is that even if you are running from a floppy you have a
> full userspace environment to run programs in; once the machine has
> halted you don't even have init, the only thing that is running is the
> kernel passing traffic.
>
> this does mean that you don't have any logs from this, but in some cases
> the security of having _nothing_ running on the firewall will outweigh
> the loss of security from not having the firewall keep records of things
> (and most of the floppy based firewalls have very little space for logs
> anyway so it's not much of a loss)

I think that the best solution is to run a CD based fw, and then put the
fw in halted mode. I've been thinking of building it on PCs without hard
disk and sending all the system logs to a server in the internal net. I
was thinking of using ulogd; has anyone already tried it ???

> it does also mean that to change a rule you have to reboot the firewall,
> but if the ruleset is static this won't happen frequently.

Yes, I have already thought about it, but changes are not really frequent
and I think that finally I will try a load balance solution using 2 LVS in
the front end. On the other hand we have the Gauntlet fw with tons of
proxies created, most of them without any doc about the date of creation,
purposes or source/destination IPs, so that's why I'm asking for a tool :-(
I have used the Gauntlet migration tool that lets you migrate your v5
config to v6, but I was not able to successfully run the fw after using
it. On the boot I can see all the proxies started, but the fw GUI does not
show any rule nor proxy created .. so that's not an option at this point
;-) And I'm nearly sure that it's almost impossible to get a tool to
migrate a Gauntlet ruleset to a filter based fw, but I won't lose any
hope :-)

Javier Sanchez Llera
Buongiorno - Myalert
jsanchez () myalert com

> David Lang
>
> > As far as Gauntlet to Checkpoint: I don't have a recipe, just a
> > suggestion. The last time I saw Gauntlet was 2 years ago, before Secure
> > bought it. The idea was brilliant: a combination of app proxy and a
> > packet filter (I don't know how much of that is in the new G2). So when
> > you "migrate" the rulesets you have to migrate "apples to apples". I
> > have seen a case where a ruleset from a proxy FW was translated to a
> > packet filter FW: about 20 rulesets from a proxy translated to about
> > 600 ACLs on a packet filter. So, what I am trying to say is that it may
> > be easier to write new policies, unless somebody gives you a
> > bullet-proof tool for migration.
> >
> > Mark
> >
> > Javier Sanchez wrote:
> >
> > > I found some explanation about the halted mode operation, cool ....
> > > http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
> > >
> > > Does anyone know any tool/application to migrate a gauntlet ruleset
> > > to checkpoint fw1 ?
> > >
> > > Javier Sanchez Llera
> > > Buongiorno - MyAlert
> > > jsanchez () myalert com
> > >
> > > On Thu, 2003-05-08 at 19:20, Ted Behling wrote:
> > >
> > > > At 02:23 AM 5/8/2003, Sean Barraclough wrote:
> > > >
> > > > > What are the thoughts on some of the "free" firewalls available,
> > > > > such as Darren Reed's IPF, the OpenBSD PF, and the Linux
> > > > > offerings? Performance? Security? Fancy tricks? Just interested
> > > > > as to the thoughts out in the community.
> > > >
> > > > I've used Linux firewalls since kernel 2.0, with IPChains and now
> > > > IPTables. Their security is most heavily affected by the
> > > > applications run on the firewall. Best practice is to run nothing
> > > > on the firewall itself, use an external logging server, and run the
> > > > OS off read-only media such as CD-R (perhaps with a floppy for
> > > > config files). Some people run a Linux firewall in "halted mode,"
> > > > where the kernel is stopped but the network interfaces are still
> > > > up. Theoretically, this allows the kernel to filter packets, but it
> > > > would be unable to execute any new code if it were somehow
> > > > exploited. As to performance, I've gotten several megabits per
> > > > second through a Pentium Pro machine with desktop-grade NICs. I've
> > > > never really benchmarked them, though, since the Internet pipes I
> > > > deal with are relatively small (<= T1).
> > > >
> > > > Ted Behling, Chief Penguin Surgeon
> > > > Monarch Information Systems, Inc.
> > > > tbehling () monarchis net
> > > >
> > > > _______________________________________________
> > > > firewall-wizards mailing list
> > > > firewall-wizards () honor icsalabs com
> > > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
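Ted's "run nothing on the firewall, log to an external server" and Javier's plan to ship everything to a host on the internal net both leave the same question open: what reads the records once they arrive. The following is an added example, not code from any poster on this thread or from the ulogd project. It parses the kernel LOG-target record format (the `IN=... OUT=... SRC=... DST=... PROTO=... DPT=...` lines iptables emits) as it lands on a central syslog host, tallies dropped packets per source, and flags sources that were dropped on several distinct ports. The log prefix `FW-DROP`, the host name `fw1` and all addresses are constructed assumptions for the sample.

```python
"""Tally iptables LOG-target records that a firewall has shipped to a central syslog host."""
import re
from collections import defaultdict

# Assumed value of --log-prefix on the firewall's logging rule (hypothetical).
LOG_PREFIX = "FW-DROP"

# Constructed sample records in the kernel LOG-target format, as they appear once
# forwarded to the log server. Host "fw1" and all addresses are documentation
# values, not real systems; the last line is ordinary sshd noise to be ignored.
SAMPLE_LOG = """\
May 12 09:01:02 fw1 kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 12 09:01:02 fw1 kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=40113 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May 12 09:01:03 fw1 kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4323 DF PROTO=TCP SPT=40114 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May 12 09:01:03 fw1 kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4324 DF PROTO=TCP SPT=40115 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 12 09:01:05 fw1 kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=77 PROTO=UDP SPT=1234 DPT=137 LEN=28
May 12 09:01:06 fw1 kernel: FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=118 ID=78 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
May 12 09:01:07 fw1 sshd[812]: Accepted publickey for admin from 192.0.2.50 port 51022 ssh2
"""

# Record shape: "kernel: <prefix> KEY=value KEY=value ..."; flags such as DF
# and SYN appear as bare tokens without an '='.
RECORD_RE = re.compile(r"kernel:\s+(?P<prefix>\S+)\s+(?P<fields>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the fields of one LOG record as a dict, or None for any other line."""
    m = RECORD_RE.search(line)
    if m is None or m.group("prefix") != LOG_PREFIX:
        return None
    body = m.group("fields")
    fields = dict(KV_RE.findall(body))
    # Bare tokens (DF, SYN, ACK, ...) are IP/TCP flags; keep them as a set.
    fields["FLAGS"] = {tok for tok in body.split() if "=" not in tok}
    if "SRC" not in fields or "PROTO" not in fields:
        return None  # malformed or truncated record
    return fields


def target_of(rec):
    """What the packet was aimed at: (proto, dport), or (ICMP, type) for ICMP."""
    if rec["PROTO"] == "ICMP":
        return ("ICMP", rec.get("TYPE", "?"))
    return (rec["PROTO"], rec.get("DPT", "?"))


def summarize(lines):
    """Per source address: number of dropped packets and the set of distinct targets."""
    per_src = defaultdict(lambda: {"packets": 0, "targets": set()})
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        entry = per_src[rec["SRC"]]
        entry["packets"] += 1
        entry["targets"].add(target_of(rec))
    return dict(per_src)


def flag_port_sweeps(summary, min_targets=3):
    """Sources dropped on at least min_targets distinct targets, sorted by address."""
    return sorted(src for src, e in summary.items() if len(e["targets"]) >= min_targets)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for src, e in sorted(report.items()):
        print(f"{src:15} dropped={e['packets']:3} targets={sorted(e['targets'])}")
    print("port sweep candidates:", flag_port_sweeps(report))
```

Filtering on the log prefix is what keeps unrelated kernel messages out of the tally, so give every logging rule on the firewall a distinct `--log-prefix`; the same parser then lets you split accepted-but-logged traffic from drops by prefix rather than by guessing at the rule that produced each line.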
Current thread:
- Re: Firewall performance testing (Was: Re: Evaluating Firewall), (continued)
- Re: Firewall performance testing (Was: Re: Evaluating Firewall) Mikael Olsson (May 07)
- Re: Firewall performance testing (Was: Re: Evaluating Firewall) Carson Gaspar (May 07)
- Re: Firewall performance testing (Was: Re: Evaluating Firewall) Kyle R. Hofmann (May 07)
- Free Firewalls? Thoughts... Sean Barraclough (May 08)
- Re: Free Firewalls? Thoughts... Henning Brauer (May 08)
- Re: Free Firewalls? Thoughts... Ted Behling (May 08)
- Re: Free Firewalls? Thoughts... Javier Sanchez (May 09)
- Re: Free Firewalls? Thoughts... Mark Gumennik (May 09)
- Re: Free Firewalls? Thoughts... David Lang (May 09)
- Re: Free Firewalls? Thoughts... Mikael Olsson (May 10)
- Re: Free Firewalls? Thoughts... Javier Sanchez (May 12)
- RE: Evaluating Firewall Ben Nagy (May 27)