Re: Firewall recommendations?
From: Bryan S. Sampsel (firstname.lastname@example.org)
Date: Mon, 10 Mar 2003 15:10:18 -0700
From: "Bryan S. Sampsel" <email@example.com>
To: firstname.lastname@example.org
I've worked with Netscreen, PIX, Borderware, Linux IPCHAINS, Linux
IPTABLES, Firewall Toolkit, Socks, and Raptor...not to mention the SOHO
products like Netgear.
Of these products, Netscreen blew the most smoke up the customer's butt.
The device was supposed to load balance for our web servers. Turned
out, after cornering Netscreen, that feature wasn't working like
advertised. This was a $10K product. The interface was
counter-intuitive if you've worked with other firewall products.
PIX is a good first layer firewall. I'd use it as the layer just past
Linux IPTABLES (kernel 2.4.x) is good like the PIX. Same use as far as
Firewall toolkit was great in its day. Unfortunately, many of its
proxies are not maintained by TIS since NAI bought TIS. It was also not
Socks was good, and at one point, free.
Raptor was OK. Decent application proxy firewall...don't remember if it
did stateful packet or not though.
Borderware is based on a hardened BSDi, so it runs on Intel hardware.
This is an amazing product. Efficient, secure, and robust. It also
holds security ratings that none of the others do. This is my first
choice for application proxy protection.
Ideally, you'd layer packet filtering (some non-stateful at the router
and stateful at the PIX or Linux box), and place your application
firewall behind that, protecting your systems on the application layer
from various attacks. Another side benefit of application proxy servers
like Raptor and Borderware is that you can put a bandwidth throttle on
things like streaming audio/video.
Hope this helps,
> I am in charge of researching a firewall to replace what we currently
> have. At my previous job I had used Microsoft ISA in a low-security
> environment, and was happy with its features, and its integration with
> the Windows environment there. However, at my current job, security is a
> much greater concern, and I have to admit,
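A toy model of the layered design described in the reply above (stateless filtering at the router, stateful filtering at the PIX or Linux box behind it), added here as an example and not code from the original message; the address ranges, the published DMZ service and the sample packets are all constructed assumptions.

```python
from ipaddress import ip_network, ip_address

INSIDE = ip_network("10.0.0.0/8")              # assumed internal range
DMZ_WEB = ("10.1.1.80", 80)                    # assumed published web server
BOGONS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                   "192.168.0.0/16", "127.0.0.0/8")]

def router_acl(pkt):
    # Stateless check at the border router: a packet arriving on the outside
    # interface must not claim a private or loopback source (anti-spoofing).
    if pkt["iface"] == "outside" and any(ip_address(pkt["src"]) in n for n in BOGONS):
        return "DROP"
    return "ACCEPT"

class StatefulFilter:
    # Tracks flows initiated from the inside (or to a published DMZ service)
    # so that only replies to those flows are accepted from the outside.
    def __init__(self):
        self.table = set()

    def filter(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.table:
            return "ESTABLISHED"                # reply to a tracked flow
        if ip_address(pkt["src"]) in INSIDE:    # trusts the router's spoof check
            self.table.add(key)                 # inside-initiated, remember it
            return "NEW-OUT"
        if (pkt["dst"], pkt["dport"]) == DMZ_WEB:
            self.table.add(key)                 # published service, track it
            return "NEW-DMZ"
        return "DROP"                           # unsolicited inbound traffic

def pkt(iface, src, sport, dst, dport):
    return dict(iface=iface, src=src, sport=sport, dst=dst, dport=dport)

# Constructed sample traffic: an outbound HTTPS flow, its reply, an
# unsolicited inbound SMB probe, a hit on the DMZ web server, and a spoof.
SAMPLE = [
    pkt("inside", "10.0.0.5", 40000, "203.0.113.9", 443),
    pkt("outside", "203.0.113.9", 443, "10.0.0.5", 40000),
    pkt("outside", "198.51.100.7", 50000, "10.0.0.5", 445),
    pkt("outside", "198.51.100.7", 50001, "10.1.1.80", 80),
    pkt("outside", "10.0.0.9", 1234, "10.0.0.5", 22),
]

def run(packets):
    # Router ACL first, then the stateful box, in the order the layers sit.
    fw = StatefulFilter()
    return [v if (v := router_acl(p)) == "DROP" else fw.filter(p) for p in packets]
```

The last sample packet shows why the stateless layer still matters: without the router's anti-spoofing check, the stateful filter would treat a forged internal source as an inside-initiated flow.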