I agree completely about blanket recommendations, which is why I've been
trying to get our sales team to understand they are selling the consulting,
not products.  The proper product will become evident through the
consulting.

As for your statement that a network appliance is "too risky", I can't
understand how you arrive at that conclusion.  The only difference between
running firewall software on a server and on a network appliance is the
equipment.  A network appliance running FW-1 from CheckPoint is no more or
less secure than FW-1 on an ES-450.  If CheckPoint's Firewall-1 is the best
solution for the client, I would likely push for them to run it on a Nokia
box, rather than a server.  They might be tempted to run another service on
that server some other day down the road, thus compromising security.  A
network appliance approach makes the firewall more clearly a part of the
net, like a router, hub or switch.

If you want to start talking about what is secure and not secure, perhaps we can
talk about why a company should bother with a firewall at all?  For most of
today's uses, they are pretty much useless and don't offer much more than
what you'd get with a screening router anyway.

As for the historical problems with WatchGuard, I've never heard any of
them.  I know nothing of WatchGuard, other than their sales team wants to be
one of our partners and has sent over some evaluation software for me to
check out.  If we can actually get a demo for our lab, then I'll evaluate
it.  Until then, I know nothing of WatchGuard and only mentioned it because
it was mentioned in the message to which I was responding.



-----Original Message-----
From: Crumrine, Gary L [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 22, 1999 2:12 PM
To: Randall, Mark
Subject: RE: Why not watchguard 2 ? (read on)


I think it a big mistake to recommend anything.  What are you, a security
expert, or a salesman?  The two cannot be as one in today's marketplace.  I
really would not want a network appliance guarding my enterprise.  Just too
risky.  Nor would I want my company's name at risk when it didn't perform
well, or had to be replaced a year later when they introduce a new
application.  No sir, I build relationships with my clients, and I know when
I look them in the eye, I did everything I could do to secure their assets.
I wouldn't feel that way knowing watchguard was my choice.  My goodness man,
this is the same company who released a product that was so bad it wouldn't
run when you had more than 10 users on it concurrently, it needed to be
rebooted at least 10 times a day.  The inside word was that they knew it was
garbage and released it anyway because of pressure from their investors.
They put many an enterprise at risk because of their actions.  It was
criminal. 

-----Original Message-----
From: Randall, Mark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 22, 1999 9:54 AM
To: 'Wong Chun Meng'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Why not watchguard 2 ? (read on)


Personally, I'm recommending the firewall appliance type of solution.  The
very thread on stripping an OS for firewall use is one of the big reasons.
These appliances are built stripped and that isn't likely to change.

My biggest reason is simply that I don't want to see a client tempted to run
another service on the firewall box.  I can just imagine a company that runs
into budget constraints and wants to add network services...they see a
perfectly good server sitting there and it's not doing anything but running
the firewall, right?

Forget the NT vs. UNIX debate.  I'm tired of arguing with people that
blindly follow Microsoft and refuse to deal with the technical facts.  We
push the idea of a network appliance.  Power cable and network connections
with perhaps a power switch on it.  ;-)


-----Original Message-----
From: Wong Chun Meng [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 21, 1999 3:37 AM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: Why not watchguard 2 ? (read on)


Seeing as the ongoing debate on "why not NT" is getting repetitive (on some
points IMHO), why not use a blackbox to solve the problems of a
weak/misconfigured OS? With a blackbox, you don't have to worry
anymore about the OS (if you trust the stripped-down Linux OS in watchguard, that
is) but just the configuration of the firewall. So now we have the question,
is watchguard 2 any good? Is it on par with Firewall-1 (on a solaris for nix
sake) in terms of the firewall security (regardless of securing solaris ok)?
I was hoping you guys can give me some input on this.

As I see it, some of you guys might argue to have the ability to have some
control over the OS. Why so? Is it really important to have full control of
the firewall OS? I can think of one reason actually, but it's not really a
big issue... so my question again, is it really essential?

TIA for any input. I'm actually presenting this argument to some
vendor/clients. So any comments are deeply appreciated.

Wong.



-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]