Re: Hardware Firewall vs Software Firewall

From: Phil Kramer (pkramer@2st.net)
Date: 10/01/01


Message-ID: <019001c14ab2$90103560$0100a8c0@nash1.tn.home.com>
From: "Phil Kramer" <pkramer@2st.net>
To: "Mickey S. Olsberg" <molsberg@hotmail.com>, <security-basics@securityfocus.com>
Subject: Re: Hardware Firewall vs Software Firewall
Date: Mon, 1 Oct 2001 14:52:09 -0500

Mickey,

You're exactly right about that as well.

If you understand the risk, implement and secure to minimize your
vulnerability, then all is good.

What I mean by that is if you've got 1000's of web servers and are using
"faster" non-proxying firewalls, then you need to understand that those web
servers may get exploited in the future, even the proxied ones might. If
these web servers do not contain anything but your public information and
you implement and secure with this in mind then you are limiting your
exposure to the risk. A product like Tripwire could tell you if anything
changed. If you get hacked, what's the worst thing that could happen? A
defacement. No credit card numbers, social security names, account numbers,
salaries, customer information, nothing needs to be out there.

In addition, I could still use a more secure firewall between my enterprise
and this service network. Especially if the web servers are coming inside
to gather information to send back outside.

Phil

----- Original Message -----
From: "Mickey S. Olsberg" <molsberg@hotmail.com>
To: "'Phil Kramer'" <pkramer@2st.net>; <security-basics@securityfocus.com>
Sent: Monday, October 01, 2001 2:01 PM
Subject: RE: Hardware Firewall vs Software Firewall

> I agree wholeheartedly with Phil's opinion, but would add one note. The
> only case in my opinion which justifies the speed over security is
> very-high bandwidth applications, such as a certain place I know that
> contains 36,000 nodes behind its firewalls. Still, you must weigh the
> need for security against the need for speed, and security should
> *always* win.
>
> Mickey
>
> -----Original Message-----
> From: Phil Kramer [mailto:pkramer@2st.net]
> Sent: Friday, September 28, 2001 8:23 PM
> To: security-basics@securityfocus.com
> Subject: Re: Hardware Firewall vs Software Firewall
>
>
> My personal opinion is not hardware vs software, but what firewall is
> most secure. You can talk about PIX, CheckPoint, Linux with IPtables,
> IPchains and IPfilters but from a security point of view a pure
> application proxy is more secure. How many people can notice a 20 ms
> pause? If you want speed get a router with ACLs, that's what PIX is.
> All these stateful inspection/packet filter technologies work at too low
> a level (layers 2-4) to provide enterprise security. For web servers,
> mail servers etc. you need layer 7 checking.
>
> Phil Kramer, SANS GSEC
> Systems Solutions Technologies, LLC
> Phone: 615-646-5766
> email: pkramer@2st.net
>
>
>


