Re: Firewall Comparisons
From: Bryan S. Sampsel (bsampsel_at_libertyactivist.org)
Date: 07/07/03
- Previous message: David: "Re: Ten least secure programs"
- In reply to: Keith A. Glass: "RE: Firewall Comparisons"
- Next in thread: chort: "Re: Firewall Comparisons"
- Reply: chort: "Re: Firewall Comparisons"
Date: Mon, 07 Jul 2003 10:30:52 -0600
To: security-basics@securityfocus.com
(snipped for brevity)
Keith A. Glass wrote:
> -----Original Message-----
<snip>
>
>
> I admit to a prejudice towards firmware-based firewalls, only because the
> underlying OSes of an OS-based firewall may or may not be properly hardened.
<snip>
Likewise, some idiot can (and I've seen this happen) create a wide-open
ACL on a PIX firewall. Doesn't make the box the problem. Means it was
misconfigured and not hardened enough.
>
> When examining closely one of the two Checkpoints, I noticed the S78sendmail
> script was still in /etc/rc2.d. Since Sendmail is verboten on all but two
> specially designated servers in our net, I examined the box more closely, and
> found it to be a generic Solaris 8 Core package with no hardening whatsoever,
> not even services commented out in /etc/inetd.conf. . .
>
> That CAN'T happen on a firmware-based box, hence my prejudice for them over
> OS-based boxes
<snip>
Granted. This cannot happen when a feature does not exist on a device.
It also means that the product being critiqued is a more flexible
product with a wider range of potential services to offer. And yes,
that can be a two-edged sword.
Like the PIX I mentioned above, if misconfigured, it is less than secure.
With both, misconfigurations are the kiss of death. Kinda reminds me of
the old GIGO (garbage in - garbage out) acronym. If the guy building
the rules or specifying which services are available screws up, your
whole box can be compromised...firmware or not.
IMHO,
bryan
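A baseline check for the two gaps Keith describes on the Checkpoint's Solaris 8 base (live entries in /etc/inetd.conf and S* start scripts in /etc/rc2.d), written as an added example for this thread, not code from either poster. The fixture is constructed, and the paths, allow-list and forbidden pattern are assumptions to be replaced with your own baseline.

```shell
#!/bin/sh
# Added example for this thread; not code from either poster.
# Checks the two things Keith found untouched on the Checkpoint's Solaris 8
# base: "S" start scripts in an rcN.d directory and live entries in an
# inetd.conf-style file. Paths and the allow-list are assumptions.

# Service names of every active (uncommented, non-blank) inetd.conf entry.
enabled_inetd_services() {            # $1 = inetd.conf path
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# Names of the S* start scripts in a run-level directory.
enabled_rc_starts() {                 # $1 = rcN.d directory
    for f in "$1"/S*; do
        [ -e "$f" ] || continue
        basename "$f"
    done
}

# Report enabled inetd services missing from a space-separated allow-list.
# Returns 0 when the file matches the baseline, 1 when it does not.
audit_inetd() {                       # $1 = inetd.conf path, $2 = allow-list
    rc=0
    for svc in $(enabled_inetd_services "$1"); do
        case " $2 " in
            *" $svc "*) ;;
            *) echo "inetd: unexpected service enabled: $svc"; rc=1 ;;
        esac
    done
    return $rc
}

# Report rc start scripts matching a forbidden pattern (grep ERE), e.g.
# anything that starts sendmail on a host that must not run it.
audit_rc_starts() {                   # $1 = rcN.d directory, $2 = pattern
    hits=$(enabled_rc_starts "$1" | grep -E -- "$2" || true)
    [ -z "$hits" ] && return 0
    printf 'rc: forbidden start script: %s\n' $hits
    return 1
}

# Constructed fixture mirroring the finding in the thread: nothing commented
# out in inetd.conf and an S78sendmail in rc2.d. Not a real host's files.
make_fixture() {
    d=$(mktemp -d) && mkdir -p "$d/rc2.d"
    : > "$d/rc2.d/S78sendmail"; : > "$d/rc2.d/S69inet"
    printf '%s\n' '# constructed sample' \
        'ftp    stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd' \
        'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd' \
        '#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd' \
        'ssh    stream tcp nowait root /usr/sbin/sshd -i' > "$d/inetd.conf"
    echo "$d"
}
```

On a real host, `audit_inetd /etc/inetd.conf "ssh"` and `audit_rc_starts /etc/rc2.d sendmail` give a non-zero exit whenever the box drifts from the baseline, which makes the check easy to run from a build or change-control script.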