RE: Firewall Comparisons

From: Keith A. Glass (salgak_at_speakeasy.net)
Date: 07/05/03

    To: "'Bryan S. Sampsel'" <bsampsel@sampsel.us>, <security-basics@securityfocus.com>
    Date: Fri, 4 Jul 2003 18:49:53 -0400
    
    

    -----Original Message-----
    From: Bryan S. Sampsel [mailto:bsampsel@sampsel.us]
    Sent: Thursday, July 03, 2003 9:12 PM
    To: security-basics@securityfocus.com
    Subject: Re: Firewall Comparisons

    >Now, let's dispense with the silly myth that firmware based appliances
    >are inherently superior. Misconfigurations happen. Bad policies are
    >created. And they only protect at the packet layer. They do not
    >protect your applications and are not as feature-rich as the application
    >firewalls that run on top of a hardened OS.

    >Nor are they inferior in and of themselves. Appliances have a place,
    >just as the OS based firewalls do. Instead of saying one is better or
    >worse, try implementing each in the appropriate place in your security
    >stack.

    I admit to a prejudice towards firmware-based firewalls, only because the
    underlying OSes of an OS-based firewall may or may not be properly hardened.

    I speak from VERY recent experience here: I took over the firewalls for a
    fairly major section of $Midsize Federal Agency. I have a total of 18 firewalls
    to manage, and am upgrading two of my Checkpoints to Checkpoint ClusterXL
    systems.

    When examining one of the two Checkpoints closely, I noticed the S78sendmail
    script was still in /etc/rc2.d. Since Sendmail is verboten on all but two
    specially designated servers in our net, I examined the box more closely, and
    found it to be a generic Solaris 8 Core package with no hardening whatsoever,
    not even services commented out in /etc/inetd.conf. . .

    That CAN'T happen on a firmware-based box, hence my prejudice for them over
    OS-based boxes. And since that time, I've closely inspected all the rest of my
    firewalls, and luckily, this was the only one that hadn't been hardened prior
    to (or after) FW-1 install. . .
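
    An added example, not part of Keith's message or the original thread: a small
    POSIX sh audit of the two things the message above describes finding on the
    un-hardened FW-1 host, enabled S## start scripts in /etc/rc2.d and
    un-commented entries in /etc/inetd.conf, followed by the usual Solaris-era
    remediation (rename S##name to s##name so /sbin/rc2's S* glob skips it, and
    comment out the inetd line). Every function takes a ROOT argument so it can
    be pointed at / on a live box or at a mounted image. The fixture tree built by
    make_fixture is constructed for the example and is not data from any real
    system; the service names and column layout are only assumed to match a stock
    Solaris 8 install.

```shell
#!/bin/sh
# Added example: audit and remediate a Solaris-style SysV init host for
# leftover rc2.d start scripts and un-commented inetd.conf services.

# List the service names of enabled start scripts under ROOT/etc/rc<LEVEL>.d
# (S78sendmail -> sendmail). K## kill scripts and disabled lowercase s##
# scripts do not match the glob and are skipped.
list_rc_starts() {
    lr_root=$1; lr_level=$2
    for f in "$lr_root"/etc/rc"$lr_level".d/S[0-9][0-9]*; do
        [ -e "$f" ] || continue
        basename "$f" | sed 's/^S[0-9][0-9]//'
    done
}

# List the service field of every un-commented, non-blank inetd.conf line.
# Column layout: service socket proto wait/nowait user server args
list_inetd_active() {
    li_conf=$1/etc/inetd.conf
    [ -f "$li_conf" ] || return 0
    grep -v '^[[:space:]]*#' "$li_conf" | awk 'NF > 0 { print $1 }'
}

# Report every forbidden service still enabled; return 1 if any was found.
check_forbidden() {
    cf_root=$1; shift
    cf_status=0
    for svc in "$@"; do
        if list_rc_starts "$cf_root" 2 | grep -qx "$svc"; then
            echo "FAIL: rc2.d start script for $svc is enabled"; cf_status=1
        fi
        if list_inetd_active "$cf_root" | grep -qx "$svc"; then
            echo "FAIL: inetd.conf still serves $svc"; cf_status=1
        fi
    done
    return $cf_status
}

# Disable a start script the usual Solaris way: rename S##name to s##name so
# the rc2 glob (S*) no longer matches, keeping the file around for rollback.
disable_rc_start() {
    dr_root=$1; dr_level=$2; dr_svc=$3
    for f in "$dr_root"/etc/rc"$dr_level".d/S[0-9][0-9]"$dr_svc"; do
        [ -e "$f" ] || continue
        mv "$f" "$(dirname "$f")/s$(basename "$f" | cut -c2-)"
    done
}

# Comment out every inetd.conf entry whose service field is the named service.
disable_inetd_service() {
    di_conf=$1/etc/inetd.conf; di_svc=$2
    [ -f "$di_conf" ] || return 0
    sed "s/^[[:space:]]*\($di_svc[[:space:]]\)/#\1/" "$di_conf" > "$di_conf.tmp" \
        && mv "$di_conf.tmp" "$di_conf"
}

# Constructed fixture resembling the stock Solaris 8 Core layout described in
# the message: sendmail still started from rc2.d, inetd.conf never touched.
make_fixture() {
    mf_root=$(mktemp -d)
    mkdir -p "$mf_root/etc/rc2.d"
    : > "$mf_root/etc/rc2.d/S78sendmail"
    : > "$mf_root/etc/rc2.d/S72inetsvc"
    : > "$mf_root/etc/rc2.d/K07dmi"          # kill script, must be ignored
    cat > "$mf_root/etc/inetd.conf" <<'EOF'
# constructed sample in the Solaris 8 column layout
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd      in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd   in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
EOF
    echo "$mf_root"
}

# Demo run against the constructed fixture (use / for a live host).
demo_root=$(make_fixture)
echo "== enabled rc2.d start scripts =="; list_rc_starts "$demo_root" 2
echo "== active inetd services ==";       list_inetd_active "$demo_root"
check_forbidden "$demo_root" sendmail telnet finger || echo "NOT hardened"
disable_rc_start "$demo_root" 2 sendmail
disable_inetd_service "$demo_root" telnet
check_forbidden "$demo_root" sendmail telnet finger && echo "hardened"
rm -rf "$demo_root"
```

    The forbidden-service list is the policy knob: on the network described
    above it would be sendmail on every host except the two designated mail
    servers. Running check_forbidden against each firewall's root before and
    after the FW-1 install is the cheap way to catch the case Keith found.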

