> Yes, you're right concerning the deployment of this unit. But what if you 
> have customers like "Oh-I-got-this-nice-Solaris-machine-why-not-install-a-
> Webserver-Ecommerce-insert-your-favorite-compromising-software-here"? 
> They exist :-(
[...]
> This is a general statement. If you are a firewall expert, you sell 
> training as well. If you have resellers, you train them. No firewall 
> protects from misuse of the admin...

There ya go.  You negated your own point.  Whether it's based on a known 
operating system or not, no firewall has yet been able to protect itself 
from dumb admins, and by dumb, I include the "let's-put-a-webserver-on-the-
firewall-because-then-it-will-be-secure" crowd.  Good idea on the surface, but 
not good from a security standpoint.  What Nokia did was modify an OS that 
has minimal software written for it and brand it as their own.  The problems
with that are that they have to keep up with the security updates of
the kernel and OS itself, and the software that they want to run on it (FW-1)
also isn't written for it [so Checkpoint has to compile (and possibly rewrite)
their software for Nokia again after they've already written, compiled, and 
tested it for consumer OSes that are more hardware-independent].


> > > - more security 
> > 
> > I've yet to see a packet filter that allows blocking of, for instance
> > hostile ActiveX controls, could you also please quantify "more security?"
> > 
> 
> If you have a kind of interface to external proxy agents, this can be 
> done with 3rd-party stuff.

So, if you have the hardware solution, you need to buy another [software-based]
solution that gives you what a completely software based solution does.

> > >- higher performance
> > 
> > In my experience, you get performance, or security - not both.
> 
> It should be balanced...

As long as you have the hardware, I don't think the performance hit is as
noticeable.  You can really load down your routers with long access lists, but
the firewalls I've seen do just fine on fat pipes as long as the hardware (net
cards, processor, etc.) is up to snuff.  [Note: I leave out any comparison of
cost here]  You can get both performance and security -- but you end up paying
money for it.  (It's like having your cake and eating it too.)

> > >- ease of use
> > 
> > The trend toward "easy" firewalls without the appropriate policies 
> > is what makes most firewalls useful only against simple attacks.  The
> > problem with "even an idiot could install it" is that the uninformed
> > *will* install them.  Then they'll put Web servers on the internal
> > network, open half a gazillion ports for streaming 
> > media/Netmeeting/whatever comes next and *think* they're "protected by the
> > firewall."
> 
> 
> > geologically unstable areas. Flash is still very expensive compared to
> > disk, and I haven't seen any of the appliance manufactures address local
> > logging without using a hard drive.
> 
> Logging shouldn't be done on the appliance...log info should be sent to 
> the management server.

Assuming that the methodology of the firewalls you're installing has a 
management server.  

> > It's also worth noting that as routers and switches gain more security
> > features, and protocols become easier to tunnel over and increasingly
> > necessary, "hardware" and "appliance" firewalls have no utility after
> > they're obsolete.  You can always redeploy a Sparc to become a Web
> > server, file server or Quake server.
> 
> ...or install it on the firewall itself...it has been done :-(

The theory of hardware/appliance firewalls not based on normal hardware is that
they won't ever become obsolete... <insert other marketing mumbo-jumbo here>

// chris
[EMAIL PROTECTED]

*************************************************************************
Chris Tobkin                                               [EMAIL PROTECTED]
Java and Web Services - Academic and Distributed Computing Services - UMN
             ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
        "Nothing great was ever achieved without enthusiasm."
        - Ralph Waldo Emerson, poet, writer, and philosopher 
*************************************************************************



-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]