Hi Paul,
On 21 Jan 00, at 10:33, Paul D. Robertson wrote:
> On Fri, 21 Jan 2000, Frank Heinzius wrote:
>
> > We prefer dedicated appliances in contrary to firewalls based on general
> > purpose OS for the following reasons:
> >
> > - more stability
>
> I've had general purpose OS-based firewalls with 7-800 days of uptime
> before dropping them to put in a new NIC which was followed by another
> couple years of uptime- I've also heard horror stories of early appliance
> implementations dropping every few weeks, care to quantify "more
> stability?"
Yes, you're right concerning the deployment of this unit. But what if you
have customers like "Oh-I-got-this-nice-Solaris-machine-why-not-install-a-
Webserver-Ecommerce-insert-your-favorite-compromising-software-here".
They exist :-(
>
> > - more security
>
> I've yet to see a packet filter that allows blocking of, for instance
> hostile ActiveX controls, could you also please quantify "more security?"
>
If you have a kind of interface to external proxy agents, this can be
done with 3rd-party stuff.
> > - higher performance
>
> In my experience, you get performance, or security - not both.
>
It should be balanced...
> > - ease of use
>
> The trend toward "easy" firewalls without the appropriate policies
> is what makes most firewalls useful only against simple attacks. The
> problem with "even an idiot could install it" is that the uninformed
> *will* install them. Then they'll put Web servers on the internal
> network, open half a gazillion ports for streaming
> media/Netmeeting/whatever comes next and *think* they're "protected by the
> firewall."
This is a general statement. If you are a firewall expert, you sell
training as well. If you have resellers, you train them. No firewall
protects from misuse of the admin...
> geologically unstable areas. Flash is still very expensive compared to
> disk, and I haven't seen any of the appliance manufactures address local
> logging without using a hard drive.
Logging shouldn't be done on the appliance... log info should be sent to
the management server.
>
> It's also worth noting that as routers and switches gain more security
> features, and protocols become easier to tunnel over and increasingly
> necessary, "hardware" and "appliance" firewalls have no utility after
> they're obsolete. You can always redeploy a Sparc to become a Web
> server, file server or Quake server.
...or install it on the firewall itself...it has been done :-(
Have a nice Weekend!
Kind Regards / Mit freundlichen Gruessen,
--
Frank M. Heinzius MMS Communication AG .~.
mailto:[EMAIL PROTECTED] Eiffestrasse 598 /V\
http://www.mms.de 20537 Hamburg, Germany // \\
Phone: +49 40 211105-40 Fax: +49 40 210 32 210 /( )\
-- spam forbidden -- -- PGP key available -- ^^-^^