RE: [fw-wiz] OT: vendors please respond

From: Robert L. Wanamaker (rlw_at_avantsystems.com)
Date: 09/26/03

  • Next message: Devdas Bhagat: "Re: [fw-wiz] OT: vendors please respond"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 26 Sep 2003 13:28:32 -0400
    
    

    But what about Microsoft ISA Server?

    [Sorry, couldn't resist in the context of the @Stake event]

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Paul Robertson
    Sent: Friday, September 26, 2003 11:10 AM
    To: admin security Mehta
    Cc: firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] OT: vendors please respond

    On 26 Sep 2003, admin security Mehta wrote:

    > Greetings all,

    [Vendors can respond directly to the queryant, as can the legions of
    faithful for $freeware products. I'll entertain interesting threads for
    the community on-list only.]
    >
    > My company is looking for security devices for its network of
    > branches.
    > I posted this mail here because I need experts choice.
    > I was in doubt whether my earlier mail is posted or not so I
    > subscribed for this mailing list to post my query.

    I've seen somewhere north of 65 different commercial firewall products
    up at ICSA Labs soaking up power. If there was a single firewall that
    was the firewall of choice, the market wouldn't support more than about
    4 products.

    > We are looking into the following features:
    > -stateful inspection firewall

    Stateful inspection is a trademark, and limits you to two choices. You
    need to start with a security policy and decide which technologies
    support the protocols the business needs. Then choose the products that
    best encapsulate those features.

    > - support most used applications( ALGs)

    Most ALGs don't spend their dev time well on state, and most stateful
    firewalls don't spend their dev time well on ALGs. You're basically
    saying, "I'd like a vehicle capable of running in the GT race series,
    and I'd like to have it seat 60 children on their way to school!"

    Trying to pick a single product that does everything is doomed to
    mediocrity at best. You want multiple products. More importantly, you
    want to figure out what protocols you want to use which technologies for
    and *why*.

    You've got a shopping list of firewall buzzwords, and not much else.
    That's a poor way to choose a firewall.

    > - Powerful attack detection engine

    This sounds like buzzworditis from a marketing brochure...

    > - VPN
    > a) IPSec/IKE
    > b) L2TP over IPSec to use WIN XP VPN client
    > c) LDAP,SCEP
    > d) Hub and spoke support

    You really want a VPN solution for VPN stuff if you have requirements to
    support lots of different VPNs. Anything as complex as a VPN that's
    supporting that many protocols is bound to be full of implementation
    issues though, so don't think of it as part of the security
    infrastructure!

    > NOTE: My company prefers Indian based products.

    Throwing geographic criteria on top of a laundry list of product
    criteria is likely to doom you to failure.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson          "My statements in this message are personal opinions
    proberts@patriot.net       which may have no basis whatsoever in fact."
    probertson@trusecure.com   Director of Risk Assessment, TruSecure Corporation

    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
