RE: client firewall recommendations

From: HOULE, FRANCIS (francis.houle_at_bell.ca)
Date: 10/21/03

  • Next message: michel_at_ziobudda.net: "Kernel Bridge and Traffic Shaper"
    To: "'Paul Stewart'" <paul@lexnetinc.com>, security-basics@securityfocus.com, "'Dana Rawson'" <absolutezero273c@nzoomail.com>
    Date: Tue, 21 Oct 2003 10:03:45 -0400
    
    

    You must also consider performance issues, like the maximum number of
    sessions, throughput, number of users that can be behind it... A Linksys
    only provides 512 simultaneous sessions. It is fairly easy to kill the
    box with a peak of traffic generating a lot of new sessions. Let me
    tell you that a cable modem is enough to generate a sufficient number of
    sessions to kill a Linksys and/or D-Link SOHO box.

    I would recommend either a PIX 501 or a Netscreen. PIX has a nice Java
    GUI if you're not excited about the command line. It works fine, although some
    commands are still not supported. Netscreen is also very nice. It has
    a very nice and intuitive web UI. It has all the granularity of a PIX
    or Checkpoint and even more. A lot of nice features are available and
    no major bugs are known. A good support group and developers are working
    very hard to provide a stable and scalable image for the several boxes.
    (www.netscreen.com).

    Hope it helps you choose the right solution.

    --
    Francis Houle
    -----Original Message-----
    From: Paul Stewart [mailto:paul@lexnetinc.com] 
    Sent: Tuesday, October 07, 2003 4:34 PM
    To: security-basics@securityfocus.com
    Subject: Re: client firewall recommendations
    In-Reply-To: <20031006181739.27534.qmail@sf-www2-symnsj.securityfocus.com>

    In an outbound-only configuration, the main advantage that I can see is
    stateful packet filtering.  When using a simple NAT gateway like Linksys
    or D-Link, what you have is translations that are set up at connect time.
    These are tracked on a port-by-port basis.

    This happens as well on a PIX.  However, in addition, the PIX tracks the
    state of the packets and closes the temporary hole as soon as it is safe
    to do so.  Also, the packets are compared to what the PIX thinks the
    sequence numbers and other attributes of the packet should be.  This is
    not the case on the inexpensive solutions.

    Another thing to consider is whether you have installed a PIX before.  The
    command line is non-intuitive if you have not used it before.  Newer
    PIX versions have a web interface installed by default, but I never
    configure them using that method and will therefore not comment on it.

    >Date: 6 Oct 2003 18:17:39 -0000
    >Message-ID: <20031006181739.27534.qmail@sf-www2-symnsj.securityfocus.com>
    >From: Dana Rawson <absolutezero273c@nzoomail.com>
    >To: security-basics@securityfocus.com
    >Subject: client firewall recommendations
    >
    >
    >
    >Please forgive me for asking such a basic question, but I can't seem to
    >find the answers I'm looking for.
    >
    >I have a client installing a cable modem at his business.  He called me
    >up asking if I would bless the installation of a Linksys BEFSX41 
    >EtherFast firewall at $75 that co-workers recommended, after I 
    >recommended the Cisco PIX 501 at $500+.
    >
    >That would be acceptable to me if it were as secure as the PIX 501. 
    >Trouble is I haven't got experience with either product to have a 
    >preference, and I would rather not make a recommendation without having
    >more knowledge, and possibly be held liable in the future should a 
    >security lapse occur.
    >
    >Is one more secure than another?
    >
    >Thanks in advance.
    >
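The two behaviours contrasted in this thread, a port-only NAT translation table versus a firewall that tracks TCP state and sequence numbers and closes the hole once the session ends, together with the session-table limit Francis raises, as an added illustration that is not part of the original mails and not code from any Linksys, D-Link, PIX or Netscreen product. The packet trace is constructed, the class names, the 512-entry limit on the stateful model and the 64K-byte acceptance window are assumptions for the demo, and half-open entries never age out here (real boxes time them out):

```python
"""Toy model: a NAT-only gateway that keeps a translation forever versus a
stateful inspector with a TCP state machine, sequence checks and a fixed
session table.  Added illustration with constructed packets; not code from
any firewall product, and every name and constant here is made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str; sport: int; dst: str; dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0; ack: int = 0
    length: int = 0           # payload bytes
    outbound: bool = True     # True = inside -> outside


class NatOnlyGateway:
    """Adds a translation on the first outbound packet and never removes it;
    any inbound packet that matches the port pair is passed, whatever its
    TCP state or sequence number."""
    def __init__(self):
        self.table = set()    # (inside ip, inside port, outside ip, outside port)

    def handle(self, p: Pkt) -> str:
        if p.outbound:
            self.table.add((p.src, p.sport, p.dst, p.dport))
            return "PASS"
        return "PASS" if (p.dst, p.dport, p.src, p.sport) in self.table else "DROP"


class StatefulGateway:
    """Per-connection TCP state machine with sequence checks and a table limit."""
    def __init__(self, max_sessions=512, window=65535):
        self.max_sessions, self.window = max_sessions, window
        self.conns = {}       # key -> {"state", "out_next", "in_next", "fins"}

    def _in_window(self, seq, expected):
        return (seq - expected) % 2**32 < self.window   # handles 32-bit wrap

    def handle(self, p: Pkt) -> str:
        key = ((p.src, p.sport, p.dst, p.dport) if p.outbound
               else (p.dst, p.dport, p.src, p.sport))
        c = self.conns.get(key)
        if c is None:
            # Only an outbound SYN may create state; unsolicited inbound packets
            # and packets arriving after the close have no entry and are dropped.
            if not (p.outbound and p.flags == {"SYN"}):
                return "DROP:no-state"
            if len(self.conns) >= self.max_sessions:
                return "DROP:table-full"
            self.conns[key] = {"state": "SYN_SENT", "out_next": (p.seq + 1) % 2**32,
                               "in_next": None, "fins": set()}
            return "PASS"
        if "RST" in p.flags:
            del self.conns[key]                 # abort: entry removed at once
            return "PASS"
        if c["state"] == "SYN_SENT":
            # The reply must be an inbound SYN/ACK acknowledging our SYN.
            if p.outbound or p.flags != {"SYN", "ACK"} or p.ack != c["out_next"]:
                return "DROP:handshake"
            c["state"], c["in_next"] = "ESTABLISHED", (p.seq + 1) % 2**32
            return "PASS"
        side = "out_next" if p.outbound else "in_next"
        if not self._in_window(p.seq, c[side]):
            return "DROP:seq"                   # not where this side should be
        if c["state"] == "LAST_ACK":
            del self.conns[key]                 # final ACK of the close: hole shut
            return "PASS"
        c[side] = (p.seq + p.length + ("FIN" in p.flags)) % 2**32
        if "FIN" in p.flags:
            c["fins"].add(side)
            if len(c["fins"]) == 2:             # both sides have sent FIN
                c["state"] = "LAST_ACK"
        return "PASS"


def session_trace(inside="10.0.0.5", outside="203.0.113.7"):
    """Constructed trace: one short session, a spoofed inbound segment with a
    wildly wrong sequence number, and an inbound packet after the close."""
    def out(flags, seq, ack=0, length=0):
        return Pkt(inside, 40000, outside, 80, frozenset(flags), seq, ack, length, True)
    def inb(flags, seq, ack=0, length=0):
        return Pkt(outside, 80, inside, 40000, frozenset(flags), seq, ack, length, False)
    return [("syn", out({"SYN"}, 1000)),
            ("syn-ack", inb({"SYN", "ACK"}, 5000, ack=1001)),
            ("ack", out({"ACK"}, 1001, ack=5001)),
            ("request", out({"ACK"}, 1001, ack=5001, length=100)),
            ("spoofed-in", inb({"ACK"}, 900000, ack=1101, length=10)),
            ("response", inb({"ACK"}, 5001, ack=1101, length=50)),
            ("fin-out", out({"FIN", "ACK"}, 1101, ack=5051)),
            ("fin-in", inb({"FIN", "ACK"}, 5051, ack=1102)),
            ("last-ack", out({"ACK"}, 1102, ack=5052)),
            ("after-close", inb({"ACK"}, 5052, ack=1102, length=10))]


def run_trace(gateway):
    """Verdict per packet of session_trace() for the given gateway."""
    return [gateway.handle(p) for _, p in session_trace()]


def burst(gateway, n, inside="10.0.0.5", outside="203.0.113.7"):
    """Open n new sessions from distinct source ports; return how many were refused."""
    verdicts = [gateway.handle(Pkt(inside, 1024 + i, outside, 80, frozenset({"SYN"}), seq=1))
                for i in range(n)]
    return verdicts.count("DROP:table-full")
```

Running `run_trace(NatOnlyGateway())` passes all ten packets, including the spoofed segment and the one that arrives after the session closed, because the translation keyed on the port pair is all it ever checks. `run_trace(StatefulGateway())` drops the spoofed segment (`DROP:seq`) and the post-close packet (`DROP:no-state`) and passes the rest, and `burst(StatefulGateway(max_sessions=512), 600)` refuses the last 88 SYNs, which is the peak-of-new-sessions failure Francis describes on a box with a small table.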
    
