Re: Firewalls purchase research
From: Thomas W Shinder [MVP] (tshinder@hotmail.com)
Date: 03/27/03
From: "Thomas W Shinder [MVP]" <tshinder@hotmail.com>
Date: Wed, 26 Mar 2003 22:39:05 -0600
Hi Fred,
I couldn't have said it better myself :-)
BTW -- whenever you hear someone say "stateful", you can bet there's a
99.99% chance they have no idea what stateful means, or what state is, or
the varieties of "state".
Thanks!
--
Tom
www.isaserver.org/shinder
Get the books!
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
MVP -- ISA Server 2000

"Fred Baumhardt [MSFT]" <fredbaum@microsoft.com> wrote in message
news:eI2k0km8CHA.2284@TK2MSFTNGP12.phx.gbl...
> The following is not personal at all or directed at you in any way - but
> here goes.....
>
> I thoroughly disagree with the point that the best firewalls are hardware
> based. Hardware firewalls are nothing but a motherboard, on a device running
> software. There is not usually a difference (other than the price - high -
> and functionality - low). Usually I find in clients they intrinsically trust
> a hardware solution because it turns out to be a turnkey solution. Almost
> all major vendors of dual platform devices (appliance, and software for
> running on a platform) report the same number of vulnerabilities and
> security characteristics on both types.
>
> I will take my ISA server running layer 7 inspection on a Proliant dual proc
> any day over a "hardware firewall" that is effectively doing little but
> packet filtering routing. The ISA solution will give me smart URLScanning,
> SMTP, RPC, DNS, HTTP syntax checking, and FTP filters that are intelligent,
> as well as integrate into AD without additional cost. A hardware box on a
> competitor would cost easily 10 times as much similarly featured (though
> some stuff like RPC filtering by UUID are not available yet for them).
>
> Just look at how hardware platforms distinguish themselves, most solutions
> compete on throughput which is not great - not hard to pass 900 mbps if you
> are not inspecting anything other than source and destination. Think about
> it - if our travel security was as weak as our traditional hardware devices
> we would be in serious trouble. Hmmm - Mr Passenger - you are coming from
> Paris on the train(source) - going to London (dest) - so you must be OK- no
> passport check for you - no baggage check, weapons, drugs, interpol etc.
> The traditional device will not even look inside the train - because it
> can't.
>
> It's not until these hardware firewalls learn the difference between TCP 80
> and HTTP that we will be at least a little bit safer from hackers. Software
> layer 7 firewalls built on upgradeable - and performant PC platforms will
> always have the advantage of agility in responding to application level
> attacks in the uncertain internet world. The stuff most basic "stateful"
> inspection firewalls allow to pass through has created an entire class of
> tunneling, URL, and overflow application attacks which now really take the
> web down, while "security professionals" lull the world into another false
> sense of confidence because their stateful inspection will protect them,
> from attacks that haven't been really tried in 5 years :)
>
> I guess this will start a thread - but that's my 2 pence worth...
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
> news:3e885e06.449107692@msnews.microsoft.com...
> > On Mon, 24 Mar 2003 08:50:19 -0800, "Gennadiy" <news@lnyconline.com>
> > wrote:
> >
> > >I am researching what firewall is the best buy to run on
> > >Win 2000 server which is configured as a dynamic web
> > >server. Any products that someone is using and happy with?
> >
> > Well, the best firewalls are hardware based, stateful inspection with
> > good reporting functions. But the rest of your post eliminates them
> > for consideration...
> >
> > Jeff
> >
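
Added example, not part of the original thread or any product's code: the distinction drawn in the quoted message between "TCP 80" and "HTTP" can be shown by passing the same constructed payloads through a port-only filter and through a filter that also checks HTTP request syntax. The `Segment` type, the method allow-list and the 2048-byte URL limit are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Segment:
    """Constructed stand-in for one reassembled TCP payload (hypothetical type)."""
    src: str
    dst: str
    dport: int
    payload: bytes

ALLOWED_PORTS = {80}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed policy
MAX_URL_LEN = 2048                          # assumed policy limit
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

def packet_filter(seg):
    """Layer 3/4 decision: only the destination port is examined."""
    return seg.dport in ALLOWED_PORTS

def http_filter(seg):
    """Layer 7 decision: the payload must also be an acceptable HTTP request."""
    if not packet_filter(seg):
        return False, "port not allowed"
    m = REQUEST_LINE.match(seg.payload)
    if m is None:
        return False, "not an HTTP request"
    method, url = m.group(1).decode("ascii"), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    if len(url) > MAX_URL_LEN:
        return False, "URL too long"
    return True, "ok"

# Constructed sample traffic (documentation addresses, not captured data).
SAMPLES = [
    Segment("192.0.2.10", "198.51.100.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Segment("192.0.2.11", "198.51.100.5", 80, b"SSH-2.0-client\r\n"),
    Segment("192.0.2.12", "198.51.100.5", 80, b"GET /" + b"A" * 5000 + b" HTTP/1.0\r\n\r\n"),
    Segment("192.0.2.13", "198.51.100.5", 23, b"login: "),
]

def compare(samples=SAMPLES):
    """Return (port-filter verdict, HTTP-filter verdict, reason) per sample."""
    return [(packet_filter(s),) + http_filter(s) for s in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The second and third samples pass the port-only filter because they are addressed to port 80, and are rejected only once the payload is parsed.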