Firewall Wizards mailing list archives

Re: Free Firewalls? Thoughts...


From: David Lang <david.lang () digitalinsight com>
Date: Fri, 9 May 2003 16:59:14 -0700 (PDT)

On Fri, 9 May 2003, Mark Gumennik wrote:

Javier,
It seems to me that the halted mode operation is not much different from
running some Linux kernel-based firewalls that you can run from a
floppy, but the idea is very cool.

The advantage is that even if you are running from a floppy you have a
full userspace environment to run programs in; once the machine has halted
you don't even have init, the only thing that is running is the kernel
passing traffic.

This does mean that you don't have any logs from this, but in some cases
the security of having _nothing_ running on the firewall will outweigh the
loss of security from not having the firewall keep records of things (and
most of the floppy-based firewalls have very little space for logs anyway,
so it's not much of a loss).

It does also mean that to change a rule you have to reboot the firewall,
but if the ruleset is static this won't happen frequently.

David Lang

As far as Gauntlet to Checkpoint:
I don't have a recipe, just a suggestion. The last time I saw Gauntlet was 2
years ago, before Secure bought it. The idea was brilliant: a
combination of app proxy and a packet filter (I don't know how much of
that is in the new G2). So when you "migrate" the rulesets you have to
migrate "apples to apples". I have seen a case where a ruleset from a
proxy FW was translated to a packet filter FW: about 20 rulesets from a
proxy translated to about 600 ACLs on a packet filter. So, what I am
trying to say is that it may be easier to write new policies, unless
somebody gives you a bullet-proof tool for migration.
Mark


Javier Sanchez wrote:

I found some explanation about the halted mode operation, cool ....

http://www.samag.com/documents/s=1824/sam0201d/0201d.htm

Does anyone know any tool/application to migrate a Gauntlet ruleset to
Checkpoint FW-1?

Javier Sanchez Llera
Buongiorno - MyAlert
jsanchez () myalert com

On Thu, 2003-05-08 at 19:20, Ted Behling wrote:
At 02:23 AM 5/8/2003, Sean Barraclough wrote:
What are the thoughts on some of the "free" firewalls available, such as
Darren Reed's IPF, the OpenBSD PF, and the Linux offerings?

Performance?
Security?
Fancy tricks?

Just interested as to the thoughts out in the community.

I've used Linux firewalls since kernel 2.0, with IPChains and now
IPTables.  Their security is most heavily affected by the applications run
on the firewall.  Best practice is to run nothing on the firewall itself,
use an external logging server, and run the OS off read-only media such as
CD-R (perhaps with a floppy for config files).  Some people run a Linux
firewall in "halted mode," where the kernel is stopped but the network
interfaces are still up.  Theoretically, this allows the kernel to filter
packets, but it would be unable to execute any new code if it were somehow
exploited.  As to performance, I've gotten several megabits per second
through a Pentium Pro machine with desktop-grade NICs.  I've never really
benchmarked them, though, since the Internet pipes I deal with are
relatively small (<= T1).

Ted Behling, Chief Penguin Surgeon
Monarch Information Systems, Inc.
tbehling () monarchis net

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


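Editor's added example, not code posted by anyone in the thread: the "run nothing on the firewall, log elsewhere, boot from read-only media" design that Ted describes, expressed as a static default-deny ruleset in iptables-restore format. The interface names (eth0 outside, eth1 inside), the inside prefix 192.168.1.0/24 and the loghost 192.168.1.10 are placeholders, and gen_ruleset, gen_syslog_conf and check_ruleset are helper names chosen here, not tools from the thread. Because the policy is static it can live on the floppy or CD-R and be loaded once at boot; changing it means editing the file and rebooting, the same trade-off David describes for halted mode.

```shell
#!/bin/sh
# Added example: emit a static, default-deny iptables ruleset in
# iptables-restore format for a firewall that runs no services itself.
# Load at boot with:  iptables-restore < /etc/firewall.rules
# All addresses and interface names below are placeholders.

gen_ruleset() {
    wan="$1"      # Internet-facing interface, e.g. eth0
    lan="$2"      # inside interface, e.g. eth1
    lan_net="$3"  # inside prefix, e.g. 192.168.1.0/24
    log_host="$4" # remote syslog server on the inside, e.g. 192.168.1.10

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback only; nothing listens on the firewall, so no other INPUT accepts
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# anti-spoofing: inside addresses never arrive on the outside interface
-A INPUT -i ${wan} -s ${lan_net} -j DROP
-A FORWARD -i ${wan} -s ${lan_net} -j DROP
# replies to connections the filter has already seen
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the only traffic the firewall itself originates: syslog to the loghost
-A OUTPUT -o ${lan} -d ${log_host} -p udp --dport 514 -j ACCEPT
# inside hosts may open new connections outward; nothing comes in unsolicited
-A FORWARD -i ${lan} -o ${wan} -s ${lan_net} -m state --state NEW -j ACCEPT
# rate-limited logging of whatever falls through to the DROP policies
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
COMMIT
EOF
}

# syslog.conf fragment for the firewall: forward kernel messages (where the
# LOG target's output lands) to the loghost and write nothing locally, so
# the boot media is never written to.
gen_syslog_conf() {
    log_host="$1"
    printf 'kern.*\t@%s\n' "$log_host"
}

# Sanity check a generated ruleset before it is burned to media: every
# chain must default to DROP and there must be exactly one COMMIT.
# Returns 0 on success, 1 on failure.
check_ruleset() {
    rules="$1"
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:${chain} DROP" || return 1
    done
    [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 1 ] || return 1
    return 0
}

# Usage: sh build-fw.sh eth0 eth1 192.168.1.0/24 192.168.1.10 > /etc/firewall.rules
if [ "$#" -eq 4 ]; then
    rules="$(gen_ruleset "$@")"
    check_ruleset "$rules" || { echo "ruleset failed sanity check" >&2; exit 1; }
    printf '%s\n' "$rules"
fi
```

The OUTPUT chain is the part worth attention: with a default DROP and only the syslog rule, the firewall host cannot initiate anything else, which is what makes an exploited daemon (or the absence of any daemon) matter less. In David's halted-mode variant the LOG rules are moot, since there is no syslogd left to forward them, which is exactly the loss of records he points out.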


Current thread: