Firewall Wizards mailing list archives
Re: Free Firewalls? Thoughts...
From: David Lang <david.lang () digitalinsight com>
Date: Fri, 9 May 2003 16:59:14 -0700 (PDT)
On Fri, 9 May 2003, Mark Gumennik wrote:
> Javier, It seems to me that the halted mode operation is not much different from running some Linux kernel-based firewalls that you can run from a floppy, but the idea is very cool.

The advantage is that even if you are running from a floppy you have a full userspace environment to run programs in; once the machine has halted you don't even have init, the only thing that is running is the kernel passing traffic.

This does mean that you don't have any logs from this, but in some cases the security of having _nothing_ running on the firewall will outweigh the loss of security from not having the firewall keep records of things (and most of the floppy-based firewalls have very little space for logs anyway, so it's not much of a loss).

It does also mean that to change a rule you have to reboot the firewall, but if the ruleset is static this won't happen frequently.

David Lang
> As far as Gauntlet to Checkpoint: I don't have a recipe, just a suggestion. The last time I saw Gauntlet was 2 years ago, before Secure bought it. The idea was brilliant: a combination of app proxy and a packet filter (I don't know how much of that is in the new G2). So when you "migrate" the rulesets you have to migrate "apples to apples". I have seen a case where a ruleset from a proxy FW was translated to a packet filter FW: about 20 rulesets from a proxy translated to about 600 ACLs on a packet filter. So, what I am trying to say is that it may be easier to write new policies, unless somebody gives you a bullet-proof tool for migration.
>
> Mark
>
> Javier Sanchez wrote:
>> I found some explanation about the halted mode operation, cool ....
>> http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
>>
>> Does anyone know any tool/application to migrate a gauntlet ruleset to checkpoint fw1 ?
>>
>> Javier Sanchez Llera
>> Buongiorno - MyAlert
>> jsanchez () myalert com
>>
>> On Thu, 2003-05-08 at 19:20, Ted Behling wrote:
>>> At 02:23 AM 5/8/2003, Sean Barraclough wrote:
>>>> What are the thoughts on some of the "free" firewalls available. Such firewalls as Darren Reed's IPF, or the OpenBSD PF? and the Linux offerings? Performance? Security? Fancy tricks? Just interested as to the thoughts out in the community.
>>>
>>> I've used Linux firewalls since kernel 2.0, with IPChains and now IPTables. Their security is most heavily affected by the applications run on the firewall. Best practice is to run nothing on the firewall itself, use an external logging server, and run the OS off read-only media such as CD-R (perhaps with a floppy for config files). Some people run a Linux firewall in "halted mode," where the kernel is stopped but the network interfaces are still up. Theoretically, this allows the kernel to filter packets, but it would be unable to execute any new code if it were somehow exploited.
>>>
>>> As to performance, I've gotten several megabits per second through a Pentium Pro machine with desktop-grade NICs. I've never really benchmarked them, though, since the Internet pipes I deal with are relatively small (<= T1).
>>>
>>> Ted Behling, Chief Penguin Surgeon
>>> Monarch Information Systems, Inc.
>>> tbehling () monarchis net
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards