Re: Is Firwall necessay?
- From: Greg Hennessy <me@xxxxxxxxxxx>
- Date: Mon, 29 Jan 2007 20:34:50 +0000
On Mon, 29 Jan 2007 18:44:51 +0100, Sebastian Gottschalk <seppi@xxxxxxxxx>
Greg Hennessy wrote:
And if you had real experience, you could build any type of firewall on any
OS. And then, if no such stupid "no Unix" constraints are given,
Only someone who has no clue regarding operational risk could make such a
What are you referring to? Calling the constraint stupid? Well, it
Oh puhleeze, peddle the old time religion somewhere else.
And has nothing to do with operational risk, for obvious
With respect, you don't know what the term means. From an operational risk
perspective it is far preferable for an organisation to manage something it
knows how to do properly than to attempt to manage something it knows
little or nothing about. The potential risk of loss is a lot smaller.
BSD+ipfw/pf or Linux+netfilter would be the best choice, for obvious
Don't teach your grandmother how to suck eggs.
Show me a 'free' solution which can dynamically filter soap/xml/rpc *and*
doesn't require command line hackery to manage.
This "command line hackery" as you call it is exactly why you can utilize a
wide variety of management tools, including graphical ones.
You haven't answered the question.
Show me the free out of the box pf/ipfw/netfilter solution which can filter
soap, xml & rpc. Pointing to an unsupportable netfilter hack someone has
posted on sourceforge doesn't cut the mustard in an enterprise environment.
Just show me
one "non-free" solution that could compare to the management of large
networks with ShoreWall.
BWAHAHAHA! Oh Jesus wept... Shorewall .... Look, do yourself a favour, I'll
give you some hints: Cisco Security Manager, Checkpoint Provider-1,
Netscreen Security Manager just to name 3. Your lack of knowledge on the
topic is just too embarrassing for words.
Show me the netfilter/pf solution that can dynamically fixup and sanitise a
huge range of application protocols other than basic FTP.
Well, netfilter. I just looked at the list... weeh, more than 900 helper
modules for netfilter.
You don't comprehend the change management constraints which enterprises
The notion that risk management in any large organisation would even
contemplate permitting the roll out of netfilter 'helper' modules across a
global network to selectively filter SOAP & RPC is hilarious.
Never mind rolling out hacks which run application layer filtering in
Including one for such nasty stuff like H.323 which
you can find nowhere else.
Oh gawd. Open your eyes puhleeze. Crisco, Checkpoint and Netscreen can and
do fixup 323 and other voip protocols.
Again you have demonstrated a lack of real world experience, client
requirements extend far beyond mere L3 packet filtering.
I never claimed anything in this way.
Of course you did, you insisted
"BSD+ipfw/pf or Linux+netfilter would be the best choice, for obvious
without having any idea of what the client requirements were.
But well, as you may understand, most
L7 protocol filtering is done using proxy firewalls.
Again you make authoritative claims without having a clue of the real
world capabilities of the products in the market place. In the real world,
there are 3 main players, Crisco, Juniper and Checkpoint. They all
provide L7 filtering in various forms.
The notion that
"*most* L7 protocol filtering is done using proxy firewalls"
is arrant nonsense.
And, depending on your company's policy, you should really consider not
working for clients which demand firewalls on Windows, since it's not worth
Considering that you have singularly failed to quantify that 'risk' in
anything resembling terms other than emoting hearsay, I'll treat your
advice with the due consideration it deserves.
sizeof(Windows_installation_stripped_down) = 300 MB+
sizeof(Linux_from_a_scratch+netfilter) = 1 MB
I rest my case.
ridiculously irrelevant. Show me a 1 meg LFS floppy disk with support for
say OSPF, BGP, sparse PIM which can dynamically route several hundred
market data feeds delivered through trunks running into a Cat 6509.
You really don't understand how much overkill and
complexity a Windows installation provides, and how hard it is to properly
secure it just on its own.
By that reasoning the same fallacious 'point' would apply to Splat Pro or
Windows Server is *not* hard to secure. Whether you choose to believe that
is not my problem.
Those of us who work in the real world have evaluated ISA 2k4/2k6 and found
a lot in there to like.
It usually takes MS about 3 attempts to get something approaching right &
in the case of ISA 2k4/2k6 it's a very capable enterprise grade firewall
ISA is pretty much based on the integration to proprietary Windows
protocols that can't be easily handled by other firewall products or would
require separate hosts (even if virtual).
Oh puhleeze. Enough with the bullshit already, you clearly do *not* know
about the commercial products under discussion.
You don't, it's painfully obvious that your exposure to anything other than
soho solutions to security infrastructure delivery is extremely limited.
"He's raising an unholy army of singing dinosaurs!"