I looked into firewalls, both network appliances and software-based. I
liked the network appliances in that I felt they were easier to maintain -
everything from one vendor (of course if your vendor is uncooperative...).
There are no OS issues, no need to integrate patches to allow the
firewall software to be loaded, etc.
And I agree, that to whatever extent, the OS on the network appliance
has been stripped, hardened, tuned to support a firewall (and related
security s/w - intrusion detection, VPN, etc.).
-----Original Message-----
From: Randall, Mark [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 23, 1999 2:27 PM
To: '[EMAIL PROTECTED]'
Subject: FW: Why not watchguard 2 ? (read on)
I meant to send this to the list as well...
-----Original Message-----
From: Randall, Mark
Sent: Wednesday, June 23, 1999 11:27 AM
To: 'Jen'
Subject: RE: Why not watchguard 2 ? (read on)
I meant my message to be positive to the IDEA of network appliances, rather
than supportive of WatchGuard in particular. That's why I posted the second
message to clarify the situation. I'm of the opinion that running the SAME
firewall software on a server or network appliance, then I would generally
lean toward a network appliance. The assumption being that the network
appliance type of solution is running a "stripped" or "hardened" kernel on
hardware that is designed to do a specific job. There is more potential
there for a locked-down, controlled environment than running the same
firewall software on a server.

I've not evaluated enough network appliances to recommend any in particular
and believe any such device is just a tool. Whether that particular tool is
appropriate for a particular job is another issue, which is why the
consulting is so important. Current and planned future needs must all be
considered, as well as maintenance.
-----Original Message-----
From: Jen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 22, 1999 4:02 PM
To: Randall, Mark
Cc: 'Wong Chun Meng'; '[EMAIL PROTECTED]'
Subject: Re: Why not watchguard 2 ? (read on)
I like the idea of appliances, too, but this particular appliance
(WatchGuard) lacks a lot of important features.
There are good appliances. We're looking at Nortel's (Bay's) Contivity
Extranet Switches. These devices really blow away Checkpoint for VPN
(which is what we were using previously). They're easy to manage and
the clients work great (SecuRemote has lots of user issues). They allow
secure split tunneling, unlike SecuRemote (which leaves the clients open
to connections on the Internet). They also have lots of filtering
capabilities. Nortel will be adding FW-1 to the switch as an upgrade (I
have no details on this, though).
Network Appliance has some cool products, too, but they're not firewall
related.
Jen
"Randall, Mark" wrote:
>
> Personally, I'm recommending the firewall appliance type of solution. The
> very thread on stripping an OS for firewall use is one of the big reasons.
> These appliances are built stripped and that isn't likely to change.
>
> My biggest reason is simply that I don't want to see a client tempted to
> run another service on the firewall box. I can just imagine a company that
> runs into budget constraints and wants to add network services...they see a
> perfectly good server sitting there and it's not doing anything but running
> the firewall, right?
>
> Forget the NT vs. UNIX debate. I'm tired of arguing with people that
> blindly follow Microsoft and refuse to deal with the technical facts. We
> push the idea of a network appliance. Power cable and network connections
> with perhaps a power switch on it. ;-)
>
> -----Original Message-----
> From: Wong Chun Meng [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 21, 1999 3:37 AM
> To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
> Subject: Why not watchguard 2 ? (read on)
>
> Seeing as the ongoing debate on "why not NT" is getting repetitive (on some
> points IMHO), why not use a blackbox to solve the problems of a
> weak/misconfiguring an OS. With a blackbox, you don't have to worry
> anymore on the OS (if you trust the strip down Linux OS in watchguard that
> is) but just the configuration of the firewall. So now we have the question,
> is watchguard 2 any good? Is it on par with Firewall-1 (on a solaris for
> nix sake) in terms of the firewall security (regardless of securing solaris
> ok)? I was hoping you guys can give me some input on this.
>
> As I see it, some of you guys might argue to have the ability to have some
> control over the OS. Why so? Is it really important to have full control of
> the firewall OS? I can think of one reason actually, but it's not really a
> big issue... so my question again, is it really essential?
>
> TIA for any input. I'm actually presenting this argument to some
> vendor/clients. So any comments are deeply appreciated.
>
> Wong.
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]