RE: [fw-wiz] Multiple firewalls from different manufacturers
From: Paul D. Robertson (paul_at_compuwar.net)
To: Eugene Kuznetsov <email@example.com>
Date: Fri, 28 Jan 2005 15:56:13 -0500 (EST)
On Fri, 28 Jan 2005, Eugene Kuznetsov wrote:
> Hmm, this is pretty interesting, because it's contrary to what I hear
> elsewhere. Could you talk about why you would rather get software instead of
That's because most people make purchasing decisions based on market
"trends" - the IT field is the example of "if everyone else jumped off a
cliff" turning an industry into Lemmings.
> a sealed appliance -- ignoring, for the time being, the cases where the
> appliance includes hardware acceleration for some aspects of security
> processing. Is it perceived cost? Desire to reuse old hardware? Even for
> Checkpoint, over 50% of the business is appliance-based, maybe more now.
1. Lack of vendor lock-in for hardware.
Wait until a NIC fails on your appliance at 8PM Friday before a 3-day
2. Ease of rescaling to meet demand.
Wait until your company buys a whole new division unannounced and plants
them all behind your firewall.
3. Lack of vendor lock-in for software.
Wait until your vendor decides that some newfangled marketing thing is
better for your enterprise than the old solid proxy you evaluated and made
your purchasing decision on.
> Now, granted, if what you're getting from the vendor is the dreaded "server
> appliance" -- the same Dell 1U server with RedHat & some custom software
> preinstalled -- it probably doesn't matter.
It doesn't matter. "Appliances" aren't special. They're still computers,
they still have hardware, software and firmware. Since there's nothing
magic about them, the current trend to get the snazzy looking, but
impossible to upgrade box seems rather silly to me.
As for "performance" - for most companies, the additional "speed" doesn't
matter, as the latency in the middle is going to get you anyway;
decreasing Web access by two tenths of a millisecond through the
firewall's buffer just to have the packet sit in the upstream router's
buffer really isn't all that good. I did a series of tests at one place
of employment to dispel the "proxies suck" myth, and the difference of
hardware acceleration to end-users is often so negligible that you can't
quantify it at normal traffic patterns and loads.
Paul D. Robertson
firstname.lastname@example.org
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list