[fw-wiz] Re: Proxy and Stateful together ??

From: Jean Caron (caronj@norac.net)
Date: 11/18/02

From: "Jean Caron" <caronj@norac.net>
To: Bennett Todd <bet@rahul.net>
Date: Mon Nov 18 13:33:01 2002

Bennett Todd writes:
> While I didn't say so explicitly, I kinda figured that the initial
> question that launched this thread --- hybrid firewall with
> stateful packet filtering and application proxies on one box --- was
> motivated by a small shop, for which a big industrial scale firewall
> plant wasn't justified. It's easy to fling enough hardware at small
> problems to prevent performance from being a problem.
> -Bennett

You're right, my original post had no mention of org size. It is, however,
for what I qualify to be a large size organization (25,000+ users). As for
the discussion that took place in regards to doing IDS on the firewalls: in
this case, the firewalls do firewalling only (proxy and packet filtering
(stateful or not)), the IDS systems do IDS, the virus/content scanning
systems do their part, and the VPN boxes do VPNs only... all on different
boxes, even different segments.

It's understood that many of the open source solutions are quite good for
small to mid-size shops, labs and personal use, but with such larger
organizations usually they want *support*. Good old, paid for, hotline
support. In my opinion, that usually means you may, at any time of day or
night, talk on the phone to some junior/new guy which *tries* to follow a
list of pre-defined questions only to end up hanging up the line by mistake
trying to transfer your call to the next hop *not-so-new-anymore* guy who's
got a different set of "more advanced" questions. Or better yet, using a
service contract to justify the lack of obligation to monitor the security
scene for everything and anything, but rather rely on the fact that
*someone* will call and suggest that a patch be downloaded and applied for
the bug that was published three weeks before on every good list, but that
no one ever heard of before the phone call. But eh, to each his own, and
that's just my opinion. Not every shop is populated with experienced IT

In this specific shop, they want the support option.

So the post was for commercially available firewalls.

Thanks for all the replies received on and off list.