Re: Firewall recommendations?

From: Bryan S. Sampsel (bsampsel@libertyactivist.org)
Date: 03/10/03

    Date: Mon, 10 Mar 2003 15:10:18 -0700
    From: "Bryan S. Sampsel" <bsampsel@libertyactivist.org>
    To: rdusek@myway.com
    
    

    I've worked with Netscreen, PIX, Borderware, Linux IPCHAINS, Linux
    IPTABLES, Firewall Toolkit, Socks, and Raptor...not to mention the SOHO
    products like Netgear.

    Of these products, Netscreen blew the most smoke up the customer's butt.
      The device was supposed to load balance for our web servers. Turned
    out, after cornering Netscreen, that feature wasn't working like
    advertised. This was a $10K product. The interface was
    counter-intuitive if you've worked with other firewall products.

    PIX is a good first layer firewall. I'd use it as the layer just past
    the router.

    Linux IPTABLES (kernel 2.4.x) is good like the PIX. Same use as far as
    I'm concerned.

    Firewall Toolkit was great in its day. Unfortunately, many of its
    proxies are not maintained by TIS since NAI bought TIS. It was also not
    transparent.

    Socks was good, and at one point, free.

    Raptor was OK. Decent application proxy firewall...don't remember if it
    did stateful packet or not though.

    Borderware is based on a hardened BSDi, so it runs on Intel hardware.
    This is an amazing product. Efficient, secure, and robust. It also
    holds security ratings that none of the others do. This is my first
    choice for application proxy protection.

    Ideally, you'd layer packet filtering (some non-stateful at the router
    and stateful at the PIX or Linux box), and place your application
    firewall behind that, protecting your systems on the application layer
    from various attacks. Another side benefit of application proxy servers
    like Raptor and Borderware is that you can put a bandwidth throttle on
    things like streaming audio/video.

    Hope this helps,

    bryan

    rdusek@myway.com wrote:
    >
    > I am in charge of researching a firewall to replace what we currently
    > have. At my previous job I had used Microsoft ISA in a low-security
    > environment, and was happy with its features, and its integration with
    > the Windows environment there. However, at my current job, security is a
    > much greater concern, and I have to admit,
    *snipped*
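
Added example (not part of the original message or of any product named in it): a small Python model of the layering described in the reply, showing which kind of traffic each layer stops. The addresses, ports, packet fields and the proxy's method and URI-length policy are constructed assumptions, and the connection tracking is simplified to SYN-then-anything.

```python
from collections import namedtuple

PROXY = "192.0.2.10"  # constructed address of the application proxy (assumption)
# flags: "S" = SYN, "A" = ACK; payload: application data, if any
Packet = namedtuple("Packet", "src sport dst dport flags payload", defaults=("A", ""))

def router_acl(p):
    """Layer 1, non-stateful: judges each packet header on its own."""
    if p.src.startswith(("10.", "192.168.", "127.")):
        return False                      # private/loopback source arriving from outside
    return p.dst == PROXY and p.dport == 80

def stateful(p, conns):
    """Layer 2, stateful: a non-SYN packet must belong to a tracked connection."""
    key = (p.src, p.sport, p.dst, p.dport)
    if p.flags == "S":
        conns.add(key)
        return True
    return key in conns

def app_proxy(p):
    """Layer 3, application proxy: parses the HTTP request line itself."""
    if not p.payload:
        return True                       # handshake segments carry no data
    parts = p.payload.split(" ")
    return len(parts) == 3 and parts[0] in ("GET", "HEAD") and len(parts[1]) <= 255

def verdict(p, conns):
    """Name the layer that drops the packet, or 'pass' if all three accept it."""
    if not router_acl(p):
        return "router"
    if not stateful(p, conns):
        return "stateful"
    return "pass" if app_proxy(p) else "proxy"

def verdicts(packets):
    conns = set()                         # connection table shared across the run
    return [verdict(p, conns) for p in packets]

# Constructed sample traffic (documentation address ranges)
SAMPLE = [
    Packet("198.51.100.7", 40000, PROXY, 80, "S"),
    Packet("198.51.100.7", 40000, PROXY, 80, "A", "GET /index.html HTTP/1.0"),
    Packet("203.0.113.9", 5555, PROXY, 80, "A"),      # ACK with no prior SYN
    Packet("10.1.2.3", 1234, PROXY, 80, "S"),         # spoofed private source
    Packet("198.51.100.7", 40000, PROXY, 80, "A", "TRACE / HTTP/1.0"),
]
print(verdicts(SAMPLE))
```

The stray ACK and the TRACE request both satisfy the router's header-only rule; only the stateful layer and the proxy, respectively, have enough context to reject them.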

