Firewall Wizards mailing list archives
Re: Opinion: Worst interface ever.
From: StefanDorn () bankcib com
Date: Tue, 5 Jul 2005 09:46:05 -0500
"Paul D. Robertson" <paul () compuwar net> wrote on 07-05-2005 09:16:07 AM:
> But what counts as specific? Is a port more or less specific than an address? Is a protocol less specific than a user? If they do an ASIC rev, is my happy little ruleset going to do something different if I have to replace a box?
A rule allowing connections from a specified IP over a specified port to a specified IP and port will be considered overall more specific than something allowing any IP to connect to a certain IP and port. As far as protocol, I assume they aren't being included in the equation; for users, two rules that are the same, but one specifying certain users should take priority over the more general one, for those users. Basically, it seems like anything that could be considered 'more specific' will add weight to a rule's being processed ahead of another rule. They really just need something added into the management UI that considers your rules, weighs them in, and ranks them with the same logic as the firebox is using on them.
> I think their marketing department needs smacked. I didn't even start to go on about having three interfaces in the box I can't use unless I pay more money.
I was saddened when I found out that three of the ports are just for show until I shell out more cash. When I purchase a piece of hardware, I expect to be able to use the features that are available on it. If I need an upgrade, I expect to buy an expansion card, or a new unit. Since the Fireware Pro package allows for multiple WAN connections and fail-over options, the interface upgrade cost is just another item that will hold me back on upgrading to Fireware.
> I'm glad I'm not the only one left with that impression. I'm going to go back over my personal evaluation criteria and tweak the support parts to match what I see as good. I also think that I'm going to go back to building more open source based firewalls - the idea behind a commercial product is support and consistency. I'm not seeing good things in either department.
In all fairness, I think WatchGuard is trying pretty hard to create a good product. The WFS series of management software seems oriented towards people just starting to get involved with enterprise grade firewall administration, and in the grand scheme of things is pretty easy to get up and running, albeit only modestly secure if the admin doesn't know what they are doing. (But that's user error, not really WatchGuard's fault.) With the Fireware Pro line, they definitely are attempting to create a package geared towards more expert users. I can appreciate that, but I think I'm going to let it mature a while longer before I consider using it in a production environment.

Stefan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
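The question in this exchange (is a port more or less specific than an address?) can be checked mechanically. The following is an added example, not part of the original message and not WatchGuard's logic: it assumes "more specific" means narrower in at least one field and wider in none, and reports overlapping rule pairs that this definition cannot order. The `Rule` fields, rule names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class Rule:                       # hypothetical rule model; None means "any"
    name: str
    src: Optional[str] = None     # CIDR string
    dst: Optional[str] = None
    port: Optional[int] = None
    users: Optional[frozenset] = None

FIELDS = ("src", "dst", "port", "users")

def narrower(a, b, field):
    """True if a's value for field matches a strict subset of b's."""
    x, y = getattr(a, field), getattr(b, field)
    if x == y or x is None:
        return False
    if y is None:
        return True
    if field in ("src", "dst"):
        return ip_network(x).subnet_of(ip_network(y))
    if field == "users":
        return x < y
    return False                  # two different ports never nest

def overlaps(a, b, field):
    x, y = getattr(a, field), getattr(b, field)
    if field == "users" and x is not None and y is not None:
        return bool(x & y)
    return x == y or narrower(a, b, field) or narrower(b, a, field)

def more_specific(a, b):
    """a outranks b only if it is never wider and is narrower somewhere."""
    return (not any(narrower(b, a, f) for f in FIELDS)
            and any(narrower(a, b, f) for f in FIELDS))

def ambiguous_pairs(rules):
    """Overlapping pairs whose order specificity alone cannot decide."""
    return [(a.name, b.name) for a, b in combinations(rules, 2)
            if all(overlaps(a, b, f) for f in FIELDS)
            and not more_specific(a, b) and not more_specific(b, a)]

RULES = [  # constructed sample ruleset
    Rule("host-to-host-443", "10.1.1.5/32", "192.0.2.10/32", 443),
    Rule("any-to-host-443", None, "192.0.2.10/32", 443),
    Rule("host-to-host-anyport", "10.1.1.5/32", "192.0.2.10/32", None),
    Rule("alice-to-host-443", None, "192.0.2.10/32", 443, frozenset({"alice"})),
]
```

Each pair returned by `ambiguous_pairs(RULES)` is a case where one rule is narrower by address and the other by port or user, so the effective order depends on whatever tie-break the device applies.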