Re: [fw-wiz] Free Firewalls? Thoughts...

From: Mark Gumennik (mgumennik_at_mitre.org)
Date: 05/09/03

    To: Javier Sanchez <jsanchez@myalert.com>
    Date: Fri, 09 May 2003 10:40:21 -0400
    

    Javier,
    It seems to me that the halted mode operation is not much different from
    running some Linux kernel-based firewalls that you can run from a
    floppy, but the idea is very cool.
    As far as Gauntlet to Checkpoint:
    I don't have a recipe, just a suggestion. The last time I saw Gauntlet was 2
    years ago, before Secure bought it. The idea was brilliant: a
    combination of app proxy and a packet filter (I don't know how much of
    that is in the new G2). So when you "migrate" the rulesets you have to
    migrate "apples to apples". I have seen a case where a ruleset from a
    proxy FW was translated to a packet filter FW: about 20 rulesets from a
    proxy translated to about 600 ACLs on a packet filter. So, what I am
    trying to say is that it may be easier to write new policies, unless
    somebody gives you a bullet-proof tool for migration.
    Mark

    Javier Sanchez wrote:
    >
    > I found some explanation about the halted mode operation, cool ....
    >
    > http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
    >
    > Does anyone know any tool/application to migrate a gauntlet ruleset to
    > checkpoint fw1 ?
    >
    > Javier Sanchez Llera
    > Buongiorno - MyAlert
    > jsanchez@myalert.com
    >
    > On Thu, 2003-05-08 at 19:20, Ted Behling wrote:
    > > At 02:23 AM 5/8/2003, Sean Barraclough wrote:
    > > >What are the thoughts on some of the "free" firewalls available? Such
    > > >firewalls as Darren Reed's IPF, or the OpenBSD PF? And the Linux offerings?
    > > >
    > > >Performance?
    > > >Security?
    > > >Fancy tricks?
    > > >
    > > >Just interested as to the thoughts out in the community.
    > >
    > > I've used Linux firewalls since kernel 2.0, with IPChains and now
    > > IPTables. Their security is most heavily affected by the applications run
    > > on the firewall. Best practice is to run nothing on the firewall itself,
    > > use an external logging server, and run the OS off read-only media such as
    > > CD-R (perhaps with a floppy for config files). Some people run a Linux
    > > firewall in "halted mode," where the kernel is stopped but the network
    > > interfaces are still up. Theoretically, this allows the kernel to filter
    > > packets, but it would be unable to execute any new code if it were somehow
    > > exploited. As to performance, I've gotten several megabits per second
    > > through a Pentium Pro machine with desktop-grade NICs. I've never really
    > > benchmarked them, though, since the Internet pipes I deal with are
    > > relatively small (<= T1).
    > >
    > > Ted Behling, Chief Penguin Surgeon
    > > Monarch Information Systems, Inc.
    > > tbehling@monarchis.net
    > >
    > > _______________________________________________
    > > firewall-wizards mailing list
    > > firewall-wizards@honor.icsalabs.com
    > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > >
    >

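Mark's point that a handful of application-proxy rulesets can become hundreds of packet-filter ACLs is easy to see once you expand a service-level rule over every client network, server and port, and then double it for reply traffic on a stateless filter. The following Python is an added illustration, not code from the thread or from Gauntlet or FireWall-1; the networks, hosts and ports are constructed sample values, and the pf rendering is only a sketch of OpenBSD pf syntax.

```python
"""Expand proxy-style service rules into packet-filter ACL entries."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class ProxyRule:
    """One proxy ruleset: which client nets may use a service on which servers."""
    service: str
    src_nets: tuple   # client networks (CIDR strings)
    dst_hosts: tuple  # server addresses
    ports: tuple      # TCP ports the service's control channel uses


@dataclass(frozen=True)
class Acl:
    src: str
    sport: str
    dst: str
    dport: str


def expand_to_acls(rule: ProxyRule, stateful: bool) -> list:
    """Return the ACL entries a packet filter needs to permit `rule`.

    A stateless filter must also pass the reply half of each flow explicitly,
    so every forward entry gets a mirrored return entry. A stateful filter
    tracks replies in its state table and needs only the forward entries.
    """
    acls = []
    for src, dst, port in product(rule.src_nets, rule.dst_hosts, rule.ports):
        acls.append(Acl(src, "any", dst, str(port)))          # client -> server
        if not stateful:
            acls.append(Acl(dst, str(port), src, "any"))      # server -> client replies
    return acls


def to_pf(acl: Acl, stateful: bool) -> str:
    """Render one entry in OpenBSD pf syntax (sketch; not a full pf.conf)."""
    src = acl.src if acl.sport == "any" else f"{acl.src} port {acl.sport}"
    dst = acl.dst if acl.dport == "any" else f"{acl.dst} port {acl.dport}"
    return f"pass in proto tcp from {src} to {dst}" + (" keep state" if stateful else " no state")


def acl_count(rules, stateful: bool) -> int:
    """Total packet-filter entries needed for a list of proxy rules."""
    return sum(len(expand_to_acls(r, stateful)) for r in rules)


# Constructed sample policy: three proxy rulesets (hypothetical addresses).
SAMPLE_RULES = [
    ProxyRule("http", ("10.1.0.0/24", "10.2.0.0/24"), ("192.0.2.10", "192.0.2.11"), (80, 443)),
    ProxyRule("smtp", ("10.1.0.0/24",), ("192.0.2.20", "192.0.2.21", "192.0.2.22"), (25,)),
    ProxyRule("ftp", ("10.3.0.0/24", "10.4.0.0/24", "10.5.0.0/24"), ("192.0.2.30",), (21, 20)),
]
```

Three proxy rulesets become 17 entries on a stateful filter and 34 on a stateless one; real policies with more networks per group and per-service data channels grow much faster, which is why rewriting the policy natively is often less work than translating it.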

