Firewall Wizards mailing list archives

Re: Firewalls Compared


From: "Ryan M. Ferris" <rferris () rmfdevelopment com>
Date: Tue, 22 Jun 2004 09:18:24 -0700 (Pacific Daylight Time)


Good comments on reviewing firewalls... However, at this point I am convinced that personal and home network firewalls and desktop anti-viral software for Windows are the most critical components of national if not corporate security. All of the most devastating attacks (worms, viruses, DOS, e-mail attachments, terrorist attacks) of the last 2 - 4 years leverage the mass of unguarded PCs. Traditional concepts of firewalling networks ultimately seemed useless and incomplete to guard against these types of attacks.

I don't know where I would find statistics on how many home or corporate broadband networks have hardware firewalls or personal firewalls. If I had to guess for home users... I would say less than 10% have hardware firewalls and less than 20% employ personal firewalls. Fewer would employ both together. Most users I know just ride bareback against a cable modem or DSL, which is relatively amazing considering that GIAC-trained professionals now are recommending that home users consider both hardware and software firewalls simultaneously. (See something like http://www.giac.org/practical/GSEC/Barbara_Kupiec_GSEC.pdf). Considering the number of intrusions that I see break through my hardware firewall and get stopped by my personal firewall... I would say this is excellent if not underwhelming advice.

Amazingly, even as a professional I find all the application protection options of Zone Alarm Plus worth some serious study. I can't imagine most home users working their way through the when and how of granting (or not granting) generic host process access to an "open process". Other personal firewalls I have worked with approach the problem with greatly varying interfaces and functionality. Some are really quite disastrous to install or work with or just plain uninformative for the desktop.

There are a few sites around that offer personal firewall reviews and comparisons... but they are cursory in nature. In truth, the personal firewall industry is unstandardized and rapidly evolving - a fascinating state given the probability that home firewalls will soon eclipse corporate firewalls as the most significant component of national computer security.

Ryan M. Ferris
rferris () rmfdevelopment com
rferris () rmfnetworksecurity com



On Mon, 21 Jun 2004, Dave Piscitello wrote:

Paul, good list (I'd love to have your permission to publish it at LOOP.interop.com, with your attribution, of course). I would add:

11. What methods does the firewall provide to assist me in
asserting my security policy is enforced: specifically, are
the log entries generated sufficiently detailed?
12. Perhaps included in your thinking regarding upgrade path,
but authentication rather than performance-focused: does the
firewall support all present and projected auth methods; if
PKI, whose certs?

I'd also add related checks if you intend to use
an IPsec VPN for remote access
- origin of client SW (who wrote it),
- availability of non-Windows clients (if appropriate),
- reliability/track record of client SW vis-a-vis install across
 different Win OS and hardware
- suitability of client for use with other firewalls (if multi-
 organizational collaborative/B2B/B2C is something you must satisfy)
- client policy administration/enforcement method
I know this goes beyond "just a firewall" so if O/T ignore.


At 11:47 AM 6/21/2004 -0400, Paul D. Robertson wrote:
1.  How well do the boxes implement my proposed security policy.
2.  Do they pass testing for implementing my security policy.
3.  How do the boxes perform implementing my security policy[1.]
4.  What is my upgrade path should my performance requirements change?
5.  How well can the devices be administered by multiple levels of
    people if my security policy defines and requires such.
6.  Historically, how well has the vendor done.
7.  What does it take to make them fall over.  If you can't make them fall
    over, you're not testing hard enough.
8.  How intuitive is my security policy when added to the systems.
9.  Failover/backup issues (test both.).
10.  License issues (how do they handle license failure, and how long
does it take to recover.)


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

