Re: [fw-wiz] Free Firewalls? Thoughts...
From: Mark Gumennik (mgumennik_at_mitre.org)
To: Javier Sanchez <email@example.com>
Date: Fri, 09 May 2003 10:40:21 -0400
It seems to me that the halted mode operation is not much different from
running some Linux kernel-based firewalls that you can run from a
floppy, but the idea is very cool.
As far as Gauntlet to Checkpoint:
I don't have a recipe, just a suggestion. The last time I saw Gauntlet was 2
years ago, before Secure bought it. The idea was brilliant: a
combination of app proxy and a packet filter (I don't know how much of
that is in the new G2). So when you "migrate" the rulesets you have to
migrate "apples to apples". I have seen a case where a ruleset from a
proxy FW was translated to a packet filter FW: about 20 rulesets from a
proxy translated to about 600 ACLs on a packet filter. So, what I am
trying to say is that it may be easier to write new policies, unless
somebody gives you a bullet-proof tool for migration.
Javier Sanchez wrote:
> I found some explanation about the halted mode operation, cool ....
> Does anyone know any tool/application to migrate a gauntlet ruleset to
> checkpoint fw1 ?
> Javier Sanchez Llera
> Buongiorno - MyAlert
> On Thu, 2003-05-08 at 19:20, Ted Behling wrote:
> > At 02:23 AM 5/8/2003, Sean Barraclough wrote:
> > >What are the thoughts on some of the "free" firewalls available? Such
> > >firewalls as Darren Reed's IPF, or the OpenBSD PF? And the Linux offerings?
> > >
> > >Performance?
> > >Security?
> > >Fancy tricks?
> > >
> > >Just interested as to the thoughts out in the community.
> > I've used Linux firewalls since kernel 2.0, with IPChains and now
> > IPTables. Their security is most heavily affected by the applications run
> > on the firewall. Best practice is to run nothing on the firewall itself,
> > use an external logging server, and run the OS off read-only media such as
> > CD-R (perhaps with a floppy for config files). Some people run a Linux
> > firewall in "halted mode," where the kernel is stopped but the network
> > interfaces are still up. Theoretically, this allows the kernel to filter
> > packets, but it would be unable to execute any new code if it were somehow
> > exploited. As to performance, I've gotten several megabits per second
> > through a Pentium Pro machine with desktop-grade NICs. I've never really
> > benchmarked them, though, since the Internet pipes I deal with are
> > relatively small (<= T1).
> > Ted Behling, Chief Penguin Surgeon
> > Monarch Information Systems, Inc.
> > firstname.lastname@example.org
> > _______________________________________________
> > firewall-wizards mailing list
> > email@example.com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
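Mark's point about 20 proxy rulesets turning into about 600 ACLs is a combinatorial one: a proxy rule speaks in terms of a service and host groups, while a packet filter wants one 5-tuple per (source host, destination host, protocol/port), and a stateless filter also needs a separate entry for the return traffic. The script below is an added illustration of that expansion and is not from the thread or from either product; the rules, host groups and service definitions are constructed sample data, and `expand_rule`, `expand_policy` and `expansion_ratio` are names chosen here.

```python
from itertools import product

# Constructed sample data: host groups as a proxy administrator would define
# them, and services mapped to the protocol/port pairs a packet filter needs.
GROUPS = {
    "internal": ["10.1.0.11", "10.1.0.12", "10.1.0.13"],
    "dmz": ["192.0.2.10", "192.0.2.11"],
    "web-servers": ["203.0.113.80", "203.0.113.81"],
    "mail-relay": ["203.0.113.25"],
    "dns-servers": ["203.0.113.53", "203.0.113.54"],
}
SERVICES = {
    "http": [("tcp", 80)],
    "https": [("tcp", 443)],
    "smtp": [("tcp", 25)],
    "dns": [("udp", 53), ("tcp", 53)],  # DNS needs both transports
}

# Four proxy-style rules: "group may use service to reach group".
PROXY_RULES = [
    {"service": "http", "src": "internal", "dst": "web-servers"},
    {"service": "https", "src": "internal", "dst": "web-servers"},
    {"service": "smtp", "src": "dmz", "dst": "mail-relay"},
    {"service": "dns", "src": "internal", "dst": "dns-servers"},
]


def expand_rule(rule, stateful=False, groups=GROUPS, services=SERVICES):
    """Translate one proxy rule into packet-filter ACL entries.

    Each entry is (proto, src_ip, src_port, dst_ip, dst_port). On a stateless
    filter the reply packets need their own entry (server -> client, with the
    service port as the *source* port), so every forward entry is doubled.
    A stateful filter tracks the connection and only needs the forward entry.
    """
    acls = []
    for src, dst, (proto, port) in product(
        groups[rule["src"]], groups[rule["dst"]], services[rule["service"]]
    ):
        acls.append((proto, src, "any", dst, port))  # client -> server
        if not stateful:
            acls.append((proto, dst, port, src, "any"))  # server -> client
    return acls


def expand_policy(rules, stateful=False):
    """Expand a whole proxy policy into a flat list of ACL entries."""
    return [acl for rule in rules for acl in expand_rule(rule, stateful)]


def expansion_ratio(rules, stateful=False):
    """Return (proxy rule count, resulting ACL count) for the policy."""
    return len(rules), len(expand_policy(rules, stateful))


def render(acl):
    """Format one entry in a generic, vendor-neutral ACL style."""
    proto, src, sport, dst, dport = acl
    return f"permit {proto} {src} {sport} -> {dst} {dport}"


if __name__ == "__main__":
    for stateful in (False, True):
        n_rules, n_acls = expansion_ratio(PROXY_RULES, stateful)
        kind = "stateful" if stateful else "stateless"
        print(f"{n_rules} proxy rules -> {n_acls} ACLs ({kind} filter)")
    print("\n".join(render(a) for a in expand_rule(PROXY_RULES[2])))
```

With this small policy, four proxy rules already become 52 stateless entries (26 on a stateful filter); real host groups with dozens of members make the blow-up far larger, which is why translating "apples to apples" is hard and a hand-written native policy is often cleaner than a mechanical migration.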