nanog mailing list archives

Re: Firewall opinions wanted please


From: Rachael Treu <rara () navigo com>
Date: Wed, 17 Mar 2004 11:24:12 -0600


On Tue, Mar 16, 2004 at 05:01:22PM -0600, Gregory Taylor said something to the effect of:
..snip snip.. 
As discussed in a previous thread, I spoke about transparent bridging used for packet filtering and mangling.  On a 
small application, that might be a good idea, because you get all of the true internet access (i.e. legit IPs, no 
proxying etc.) with the same ability to filter TCP, ICMP, UDP, IGMP etc. traffic.

Disadvantages to dealing with transparent bridging are that you run into the whole MAC address collision and excess 
overhead announcements being made from the bridge itself every time it sends a packet through.

The best option I guess is to figure out how important it is for you to have a firewall, 

_Everyone_ (network connected) should have a firewall.  My grandma should 
have a firewall.  Nicole, holding dominion over this business network and 
its critical infrastructure, should _definitely_ have a firewall.  ;)

Curses.  Budget constraints.  Bah.

what is the reason you need one and how important the data is on your servers.  That will help you decide the best 
choice for a firewall or proxy application.

See above.  ;)

The importance of the data is often more an issue of calculating things 
like redundancy and storage.  A firewall in this case should likely be 
regarded as non-negotiable.

Be careful with transparent bridging in lieu of stricter edge filtering...
Also consider the efficacy and reward of firewall logs, application layer
filtering, and IDS integration (in a budget-friendly, open source flavor
of free...) down the road.

ymmv,
--ra

-- 
k. rachael treu, CISSP       rara () navigo com
..quis custodiet ipsos custodes?..


Greg

---------- Original Message ----------------------------------
From: Nicole <nmh () daemontech com>
Date:  Tue, 16 Mar 2004 14:27:16 -0800 (PST)
Hi
I am looking for a good but reasonably priced firewall for a 40 or so server
site. Some people swear by Pix, others swear at it a lot. Also I have heard
good things about Netscreen. Or any others you would recommend for protecting
servers on a busy network. Don't really need anything with VPN just the
standard http, ftp, ssh, https, type traffic up to 100mb throughput.
From what I have heard a proxy firewall would be best? 
Thanks in advance!!


 Nicole
--
                    |\ __ /|   (`\            
                    | o_o  |__  ) )           
                   //      \\                 
 -  nmh () daemontech com  -  Powered by FreeBSD  -
------------------------------------------------------
" Daemons" will now be known as "spiritual guides"
        -Politically Correct UNIX Page