Re: Firewall recommendations?

From: Bryan S. Sampsel (
Date: 03/10/03

    Date: Mon, 10 Mar 2003 15:10:18 -0700
    From: "Bryan S. Sampsel" <>

    I've worked with Netscreen, PIX, Borderware, Linux IPCHAINS, Linux
    IPTABLES, Firewall Toolkit, Socks, and Raptor...not to mention the SOHO
    products like Netgear.

    Of these products, Netscreen blew the most smoke up the customer's butt.
    The device was supposed to load balance for our web servers. Turned
    out, after cornering Netscreen, that feature wasn't working like
    advertised. This was a $10K product. The interface was
    counter-intuitive if you've worked with other firewall products.

    PIX is a good first layer firewall. I'd use it as the layer just past
    the router.

    Linux IPTABLES (kernel 2.4.x) is good like the PIX. Same use as far as
    I'm concerned.

    Firewall toolkit was great in its day. Unfortunately, many of its
    proxies are not maintained by TIS since NAI bought TIS. It was also not

    Socks was good, and at one point, free.

    Raptor was OK. Decent application proxy firewall...don't remember if it
    did stateful packet or not though.

    Borderware is based on a hardened BSDi, so it runs on Intel hardware.
    This is an amazing product. Efficient, secure, and robust. It also
    holds security ratings that none of the others do. This is my first
    choice for application proxy protection.

    Ideally, you'd layer packet filtering (some non-stateful at the router
    and stateful at the PIX or Linux box), and place your application
    firewall behind that, protecting your systems on the application layer
    from various attacks. Another side benefit of application proxy servers
    like Raptor and Borderware is that you can put a bandwidth throttle on
    things like streaming audio/video.

    Hope this helps,

    bryan wrote:
    > I am in charge of researching a firewall to replace what we currently
    > have. At my previous job I had used Microsoft ISA in a low-security
    > environment, and was happy with its features, and its integration with
    > the Windows environment there. However, at my current job, security is a
    > much greater concern, and I have to admit,
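
The two packet-filtering layers recommended in the message above (non-stateful at the router, stateful at the PIX or Linux box), modelled in Python as an added example that is not part of the original post. The addresses, the ACK/RST "established" rule and the flow table are simplified assumptions, not any vendor's implementation.

```python
from dataclasses import dataclass

INSIDE = "10.0.0."  # constructed internal prefix (assumption)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on this packet

def router_acl(pkt):
    """Non-stateful layer: judges each packet on its own headers."""
    if pkt.src.startswith(INSIDE):
        return True                          # outbound traffic is allowed
    # Inbound: a header-only "established" rule can only look at the flags.
    return bool(pkt.flags & {"ACK", "RST"})

class StatefulFirewall:
    """Stateful layer: inbound passes only as a reply to a tracked flow.
    Simplified: no timeouts, no teardown on FIN/RST."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if pkt.src.startswith(INSIDE):
            if pkt.flags == {"SYN"}:         # remember the new outbound flow
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

# Constructed sample traffic (192.0.2.0/24 is a documentation range).
SAMPLES = [
    ("outbound_syn",   Packet("10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"SYN"}))),
    ("reply_synack",   Packet("192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))),
    ("unmatched_ack",  Packet("192.0.2.99", 80, "10.0.0.5", 40001, frozenset({"ACK"}))),
    ("inbound_syn",    Packet("192.0.2.99", 5555, "10.0.0.5", 22, frozenset({"SYN"}))),
]

def demo():
    """Return {name: (router verdict, verdict of router + stateful layer)}."""
    fw = StatefulFirewall()
    return {name: (router_acl(p), router_acl(p) and fw.allow(p)) for name, p in SAMPLES}

if __name__ == "__main__":
    for name, (router, layered) in demo().items():
        print(f"{name:14} router={router!s:5} router+stateful={layered}")
```

The `unmatched_ack` row is the one that separates the layers: the header-only rule passes it, while the connection-tracking layer drops it because no outbound flow matches.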
