Re: [fw-wiz] Multiple firewalls from different manufactureres

From: Keith A. Glass (salgak_at_speakeasy.net)
Date: 01/28/05

  • Next message: Paul D. Robertson: "Re: [fw-wiz] Multiple firewalls from different manufactureres"
    To: "Eugene Kuznetsov" <eugene@datapower.com>, "'Keith A. Glass'" <salgak@speakeasy.net>, "'Joseph S D Yao'" <jsdy@center.osis.gov>, "'Marcus J. Ranum'" <mjr@ranum.com>
    Date: Fri, 28 Jan 2005 21:45:25 +0000
    > -----Original Message-----
    > From: Eugene Kuznetsov [mailto:eugene@datapower.com]
    > Sent: Friday, January 28, 2005 07:35 PM
    > To: ''Keith A. Glass'', ''Joseph S D Yao'', ''Marcus J. Ranum''
    > Cc: firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] Multiple firewalls from different manufactureres
    >
    > > Of Keith A. Glass
    >
    > > Yes and no. You CAN put up a decent firewalling solution
    > > using commodity computers, especially the 1-U units (Dell
    > > 1700-series, HP Proliant DL360s, etc. . ) and either Linux,
    > > Solaris (now that it's free) or some flavor of BSD, and the
    > > firewall of your choice. I just wish some of the vendors
    > > would allow their FW solution to be available outside the
    > > "appliance" vehicle (Yes, I'm talking about Symantec and
    > > Secure Computing. . .)
    >
    > Hmm, this is pretty interesting, because it's contrary to what I hear
    > elsewhere. Could you talk about why you would rather get software instead of
    > a sealed appliance -- ignoring, for the time being, the cases where the
    > appliance includes hardware acceleration for some aspects of security
    > processing. Is it perceived cost? Desire to reuse old hardware? Even for
    > Checkpoint, over 50% of the business is appliance-based, maybe more now.

    Yes. I would. I do not trust that which I have PERSONALLY not secured for a firewall. Things like, for instance, removing entirely suspect or known dangerous applications. . . like removing Sendmail from Solaris entirely, as opposed to just disabling S87Sendmail, etc. Not having to be beholden to a single source for parts or OS patches. Yes, a "SecureOS" is nice, but I'm trusting a vendor that it IS secure. . . until someone finds an exploit, and suddenly, because my purchasing department is a bit slow, my support contract has expired and now I can't get patches. The other nice thing about commodity gear for firewalls, is I can configure it MY way, and keep commodity spares handy. . .
     
    > Now, granted, if what you're getting from the vendor is the dreaded "server
    > appliance" -- the same Dell 1U server with RedHat & some custom software
    > preinstalled -- it probably doesn't matter.

    Perhaps. But I'm paranoid about hardware support and supposedly secure OSes.

    Mind you, my IDEAL setup is a firmware-based firewall out in front that blackholes response on unopened ports, or from unauthorized addresses, and then the REAL firewall behind that, possibly with a honeypot hanging off the intermediate network, but that's often cost-prohibitive. Or, in some cases, not authorized. . .

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
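The two-tier layout the post describes (a front filter that silently blackholes unsolicited traffic, with the real stateful firewall behind it on an intermediate network) rendered as an added nftables ruleset for the front tier; this is not code from the post or the list, and the interface names, the 203.0.113.0/24 and 198.51.100.0/24 address sets and the opened port 443 are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: front-tier "blackhole" filter. Assumptions (not from the
# post): eth0 faces the Internet, eth1 faces the intermediate network that
# holds the real firewall; 203.0.113.0/24 is the authorized management
# source; 198.51.100.0/24 stands in for addresses already known to be hostile.
flush ruleset

table inet front {
    set authorized {                 # may reach the filter's own ssh from inside
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }
    set blocked {                    # "unauthorized addresses": dropped silently
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }
    set opened {                     # the only ports passed to the inner tier
        type inet_service
        elements = { 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        # policy drop, never reject: probes get silence, not RST/ICMP replies
        iifname "lo" accept
        ct state invalid drop
        ct state established,related accept
        iifname "eth1" ip saddr @authorized tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "eth0" ip saddr @blocked drop
        # new flows from outside: only opened ports, only toward the inner net
        iifname "eth0" oifname "eth1" tcp dport @opened ct state new accept
        # flows started behind the inner firewall may go out
        iifname "eth1" oifname "eth0" ct state new accept
        # everything else hits the drop policy; a rate-limited log lets the
        # honeypot or IDS on eth1 see what the outside is probing for
        iifname "eth0" limit rate 10/minute log prefix "front-drop: " counter
    }
}
```

Load with `nft -f` on the front box; the inner firewall keeps its own full policy, so a bug in one tier does not expose the other.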