Re: [fw-wiz] Free Firewalls? Thoughts...

From: Mark Gumennik (mgumennik_at_mitre.org)
Date: 05/09/03

    To: Javier Sanchez <jsanchez@myalert.com>
    Date: Fri, 09 May 2003 10:40:21 -0400
    

    Javier,
    It seems to me that the halted mode operation is not much different from
    running some Linux kernel-based firewalls that you can run from a
    floppy, but the idea is very cool.
    As far as Gauntlet to Checkpoint:
    I don't have a recipe, just a suggestion. The last time I saw Gauntlet was 2
    years ago, before Secure bought it. The idea was brilliant: a
    combination of app proxy and a packet filter (I don't know how much of
    that is in the new G2). So when you "migrate" the rulesets you have to
    migrate "apples to apples". I have seen a case where a ruleset from a
    proxy FW was translated to a packet filter FW: about 20 rulesets from a
    proxy translated to about 600 ACLs on a packet filter. So, what I am
    trying to say is that it may be easier to write new policies, unless
    somebody gives you a bullet-proof tool for migration.
    Mark

    Javier Sanchez wrote:
    >
    > I found some explanation about the halted mode operation, cool ....
    >
    > http://www.samag.com/documents/s=1824/sam0201d/0201d.htm
    >
    > Does anyone know any tool/application to migrate a gauntlet ruleset to
    > checkpoint fw1 ?
    >
    > Javier Sanchez Llera
    > Buongiorno - MyAlert
    > jsanchez@myalert.com
    >
    > On Thu, 2003-05-08 at 19:20, Ted Behling wrote:
    > > At 02:23 AM 5/8/2003, Sean Barraclough wrote:
    > > >What are the thoughts on some of the "free" firewalls available. Such
    > > >firewalls as Darren Reed's IPF, or the OpenBSD PF? and the Linux offerings?
    > > >
    > > >Performance?
    > > >Security?
    > > >Fancy tricks?
    > > >
    > > >Just interested as to the thoughts out in the community.
    > >
    > > I've used Linux firewalls since kernel 2.0, with IPChains and now
    > > IPTables. Their security is most heavily affected by the applications run
    > > on the firewall. Best practice is to run nothing on the firewall itself,
    > > use an external logging server, and run the OS off read-only media such as
    > > CD-R (perhaps with a floppy for config files). Some people run a Linux
    > > firewall in "halted mode," where the kernel is stopped but the network
    > > interfaces are still up. Theoretically, this allows the kernel to filter
    > > packets, but it would be unable to execute any new code if it were somehow
    > > exploited. As to performance, I've gotten several megabits per second
    > > through a Pentium Pro machine with desktop-grade NICs. I've never really
    > > benchmarked them, though, since the Internet pipes I deal with are
    > > relatively small (<= T1).
    > >
    > > Ted Behling, Chief Penguin Surgeon
    > > Monarch Information Systems, Inc.
    > > tbehling@monarchis.net
    > >
    > > _______________________________________________
    > > firewall-wizards mailing list
    > > firewall-wizards@honor.icsalabs.com
    > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > >
