RE: suggestions on a good firewall

From: Christopher Harrington (charrington_at_syseng.com)
Date: 05/25/03

  • Next message: ziggy_at_one2net.co.ug: "RE: What Port Is Being Used"
    Date: Sat, 24 May 2003 22:51:13 -0400
    To: "David Ellis" <David.Ellis@unicam.com>, <security-basics@securityfocus.com>
    
    

    Ok...I agree that the 2 are different firewalls. Cisco does not do
    application level inspection, Checkpoint does for example.

    NG fp3 came out in fall of 2002 (about ??), about the same time as PIX 6.2.
    We are tied :), the PIX has had 2 vulns since version 6.2 came out.

    BTW I never said I disliked Checkpoint, to the contrary actually. I just
    take exception to incorrect statements.

    --Chris

    -----Original Message-----
    From: David Ellis [mailto:David.Ellis@unicam.com]
    Sent: Saturday, May 24, 2003 8:53 PM
    To: Christopher Harrington; security-basics@securityfocus.com
    Subject: RE: suggestions on a good firewall

    I am talking about the new version of Checkpoint, not 4.1 or 4.0. I am
    talking about NGFP3. Checkpoint doesn't even support the earlier
    versions anymore. And Cisco's idea of stateful packet inspection is
    actually reverse engineered Checkpoint. Checkpoint developed it and even
    has a patent on stateful packet inspection technology. They even tried
    to bring Cisco to court for saying they were stateful packet inspection
    firewalls but Cisco won due to the way they worded it. Also OPSEC
    standards (Open Platform for Security) is brought to you by Checkpoint
    Systems. I love Checkpoint firewalls as you can see. :-)
    They also have a secure platform which can load on a system which runs
    on a stripped-down Linux and you can even go with a Nokia appliance which
    comes with Checkpoint NG. I personally think Cisco should stay with
    routers and switches (which they are great at).

    Then look at the stats after you look up Checkpoint NG fp3.

    # of vulns on PIX ---> 16
    # of vulns on Checkpoint ---> 2

    Thanks for listening :-)

    -----Original Message-----
    From: Christopher Harrington [mailto:charrington@syseng.com]
    Sent: Friday, May 23, 2003 1:14 PM
    To: security-basics@securityfocus.com
    Subject: RE: suggestions on a good firewall

    Ahhh...maybe you should actually look at bugtraq before you open
    yourself up like that.

    # of vulns on PIX ---> 16
    # of vulns on Checkpoint ---> 30

    "A new vulnerability is found every other week"...unfounded comments
    like that do not help.

    --Chris

    -----Original Message-----
    From: David Ellis [mailto:David.Ellis@unicam.com]
    Sent: Thursday, May 22, 2003 12:34 PM
    To: Potter, Tim; security-basics@securityfocus.com
    Subject: RE: suggestions on a good firewall

    Actually the Checkpoint implied rules are not actually hidden. You just
    enable and disable them through Global Properties, and I prefer Checkpoint
    over PIX because just look at the Bugtraq record on PIX. A new
    vulnerability is found every other week.

    -----Original Message-----
    From: Potter, Tim [mailto:Tim.Potter@clarkconsulting.com]
    Sent: Wednesday, May 21, 2003 12:07 PM
    To: security-basics@securityfocus.com
    Subject: RE: suggestions on a good firewall

    Actually the PIX does have a "pretty" graphical interface. I'm not fond
    of it for many tasks, but the "PDM" can be good for someone newer to
    managing a PIX.

    Also, for a cheaper hardware-based application firewall I would go with
    the Watchguard. My application firewall of choice would be Sidewinder
    or Checkpoint, but you can't beat the cost of the Watchguard. Older
    versions of the firmware required a reboot for every change, but they
    have gotten much better with the newest firmware.

    -Tim

    -----Original Message-----
    From: Mark Ng [mailto:laptopalias1-mark@informationintelligence.net]
    Sent: Tuesday, May 20, 2003 11:56 AM
    To: salgak@speakeasy.net; security-basics@securityfocus.com
    Subject: RE: suggestions on a good firewall

    >
    > Agreed.
    >
    > A Windows box, properly locked down, can be a reliable firewall.

    There's an element of truth to that - but I'm not sure I'd want to be
    the person locking it down or keeping up to date with patches ;). I
    also wouldn't recommend Windows unless in an HA pair.

    There's also a very strong argument for OpenBSD and PF too (stability,
    proven track record of security) - however, it's not as manageable as
    some other solutions.

    > Locking it down can be a chore, a much easier chore with Win2003
    > server, but still takes some expertise and finesse. I prefer

    I've not yet had any experience with 2k3, so I can't possibly comment.

    > hardware firewalls with a firmware basis, as they're harder to
    > exploit, but many brands have reliability issues. I'm currently
    > running Checkpoint and Gauntlet on Solaris, but this is a production
    > environment I've inherited.

    If you're in the hardware firewall market, I quite like Netscreen and
    PIX. Netscreen had some issues with some software upgrades being a bit
    buggy some time recently though iirc, but on the whole, they're fairly
    solid firewalls that are easy to administer. PIXs of course don't have
    the pretty graphical interface, but are solid firewalls. I don't like
    Checkpoint, any firewall that comes by default with "Hidden Implied
    Rules" doesn't wash with me (is this still the case with newer versions
    of Checkpoint?)

    >
    > For a good, relatively inexpensive firewall, I'd recommend the
    > Linux-Mandrake firewall solution, running on commodity Intel hardware.

    > Simple to set up, fairly easy to run, easy to maintain.

    Smoothwall definitely has its merits in this arena - and by extension
    I'd imagine IPcop does too.

    > 2. What can my sysadmin handle ? A Junior MCSE handed a

    To be honest, I don't really think an MCSE with small amounts of job
    experience should ever be handed main security responsibility. There's
    merit to outsourcing security functions in this event if you're too
    small to justify full time security staff or experienced systems
    administrators with security experience. Any firewall configured badly
    is a bad firewall, be it IPcop, Smoothwall, OpenBSD/PF, Checkpoint or
    whatever.

    Regards,

    Mark

    ------------------------------------------------------------------------

    ---
    Thinking About Security Training? You Can't Afford Not To!
    Vigilar's industry leading curriculum includes:  Security +, Check
    Point, 
    Hacking & Assessment, Cisco Security, Wireless Security & more! Register
    Now! --UP TO 30% off classes in select cities-- 
    http://www.securityfocus.com/Vigilar-security-basics
    ------------------------------------------------------------------------
    ----
    
