Re: [fw-wiz] Opinion: Worst interface ever.
StefanDorn_at_bankcib.com
Date: 07/05/05
- Previous message: Paul D. Robertson: "Re: [fw-wiz] Opinion: Worst interface ever."
- In reply to: Paul D. Robertson: "Re: [fw-wiz] Opinion: Worst interface ever."
- Next in thread: Jan Tietze: "Re: [fw-wiz] Opinion: Worst interface ever."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Paul D. Robertson" <paul@compuwar.net> Date: Tue, 5 Jul 2005 09:46:05 -0500
"Paul D. Robertson" <paul@compuwar.net> wrote on 07-05-2005 09:16:07 AM:
> But what counts as specific? Is a port more or less specific than an
> address? Is a protocol less specific than a user? If they do an ASIC
> rev, is my happy little ruleset going to do something different if I have
> to replace a box?
A rule allowing connections from a specified IP over a specified port to a
specified IP and port will be considered overall more specific than
something allowing any IP to connect to a certain IP and port. As far as
protocol, I assume they aren't being included in the equation; for users,
two rules that are the same, but one specifying certain users should take
priority over the more general one, for those users. Basically, it seems
like anything that could be considered 'more specific' will add weight to
a rule's being processed ahead of another rule. They really just need
something added into the management UI that considers your rules, weighs
them in, and ranks them with the same logic as the firebox is using on
them.
> I think their marketing department needs smacked. I didn't even start to
> go on about having three interfaces in the box I can't use unless I pay
> more money.
I was saddened when I found out that three of the ports are just for show
until I shell out more cash. When I purchase a piece of hardware, I expect
to be able to use the features that are available on it. If I need an
upgrade, I expect to buy an expansion card, or a new unit. Since the
Fireware Pro package allows for multiple WAN connections and fail-over
options, the interface upgrade cost is just another item that will hold me
back on upgrading to Fireware.
> I'm glad I'm not the only one left with that impression. I'm going to go
> back over my personal evaluation criteria and tweak the support parts to
> match what I see as good. I also think that I'm going to go back to
> building more open source based firewalls- the idea behind a commercial
> product is support and consistency. I'm not seeing good things in either
> department.
In all fairness, I think WatchGuard is trying pretty hard to create a good
product. The WFS series of management software seems oriented towards
people just starting to get involved with enterprise grade firewall
administration, and in the grand scheme of things is pretty easy to get up
and running, albeit only modestly secure if the admin doesn't know what
they are doing. (But that's user error, not really WatchGuard's fault.)
With the Fireware Pro line, they definitely are attempting to create a
package geared towards more expert users. I can appreciate that, but I
think I'm going to let it mature a while longer before I consider using it
in a production environment.
Stefan
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
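The specificity-weighted ranking Stefan describes, as an added example that is not part of the original message or of WatchGuard's code: it lets an admin preview the effective order of a ruleset offline and see which rules the firebox would move. The field weights, rule names and addresses are assumptions constructed for the example.

```python
# Added example (not from the message or WatchGuard): preview how a
# specificity-ranked firebox would order a ruleset, so written order
# and effective order can be compared before a box is deployed or replaced.
# The field weights below are an assumption, not WatchGuard's actual logic.
from dataclasses import dataclass
from typing import Optional

ANY = None  # an unspecified field matches anything


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: Optional[str] = ANY     # single source IP or ANY
    dst: Optional[str] = ANY     # single destination IP or ANY
    port: Optional[int] = ANY
    user: Optional[str] = ANY    # user-scoped rules outrank otherwise-identical ones


def specificity(rule: Rule) -> int:
    """More constrained fields give a higher weight (assumed weights)."""
    return ((rule.src is not ANY) * 2 + (rule.dst is not ANY) * 2
            + (rule.port is not ANY) * 1 + (rule.user is not ANY) * 4)


def rank(rules):
    """Effective order: most specific first; ties keep written order."""
    return sorted(rules, key=specificity, reverse=True)


def matches(rule, src, dst, port, user):
    fields = ((rule.src, src), (rule.dst, dst), (rule.port, port), (rule.user, user))
    return all(f is ANY or f == v for f, v in fields)


def decide(rules, src, dst, port, user=None, by_specificity=True):
    """Action and winning rule name; implicit deny if nothing matches."""
    ordered = rank(rules) if by_specificity else list(rules)
    for r in ordered:
        if matches(r, src, dst, port, user):
            return r.action, r.name
    return "deny", "implicit-deny"


def reordered(rules):
    """Names of rules whose effective position differs from written order."""
    return [r.name for r, e in zip(rules, rank(rules)) if r.name != e.name]


# Constructed sample ruleset: the deny is written first, but the allow is more specific.
RULES = [
    Rule("block-web", "deny", dst="192.0.2.10", port=80),
    Rule("admin-web", "allow", src="10.0.0.5", dst="192.0.2.10", port=80),
]
```

On a first-match firewall the written order would deny 10.0.0.5; under specificity ranking the same ruleset allows it, which is exactly the difference an admin wants flagged before relying on the ruleset.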