On Fri, 21 Jan 2000, Paul D. Robertson wrote:
> On Fri, 21 Jan 2000, David Lang wrote:
>
> > This I have to comment on,
> >
> > WHY IN THE WORLD DO COMMERCIAL FIREWALL VENDORS DECIDE THAT YOU HAVE TO
> > HAVE TWO MACHINES TO RUN A FIREWALL??????
>
> Ouch, you didn't have to shout ;)
>
> > nowadays you need one box to run the firewall and a "management" box to
> > configure the firewall (and most of them require that the management box
> > be an NT machine even if you are installing the Unix version of their firewall).
>
> Yep, mostly because (and this is pure conjecture, but with the benefit of
> having sat in meetings with groups of customers of at least one vendor)
> large companies with multiple firewalls want to manage them all centrally.
> Rather than reproduce the code in two places, they lump it all in one,
> where they only have one version of OS support to deal with. This helps
> get big sales and cut support costs. Smaller customers, or decentralized
> customers, lose out.
>
actually we are not that small a company as far as firewalls are
concerned. As our network was designed while using Linux firewalls, it was
designed with the idea that "firewalls are cheap" and KISS (why make one
firewall connect three networks, where a misconfiguration could connect the
wrong two networks, when you can just use two firewalls; now it takes two
misconfigurations to connect the two), and as a result we have over 20
firewalls throughout our networks. I looked at the "enterprise
management" consoles from the various firewall vendors in the middle of last
year (management mandated changing to a commercial firewall
throughout) and found that all they really do is put all the configs on
one box; each one really does need to be managed independently.
> > a firewall based on the FWTK with a Raptor firewall. This is an internal
> > firewall that is passing odd stuff, so I am limited to using the plug-gw
> > or Generic Service Proxy (I realize this provides limited security, but it
> > does port/IP limits and IP isolation; no non-custom proxy or firewall will
> > do any better). With the FWTK I needed to add 1 line to two files (proxy
> > config and startup), and much of this can easily be scripted. With Raptor I
> > need to go to 5-6 different windows and make ~30 mouse clicks that cannot
> > be scripted to do the same thing. But Raptor is "better", it is "easier to
> > manage", because it is a commercial product and has a nice GUI.
>
> I'd bet that if you diff the config files before and after, you'd find a
> way to script it unless Raptor has completely changed over time. It's
> been a bunch of years since I configured a Raptor box though.
Raptor now has some sort of checksum on the files to make it harder to do
that. It can probably still be done, but I have not had the time yet to
track it down.
David Lang
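The "diff the config files before and after" approach suggested in the reply above, worked through as an added example. This script is not from the thread and is not Raptor's or FWTK's own tooling; the config directory layout, the file contents and the "GUI change" it simulates are all constructed for the demo. It snapshots a config tree with checksums, lists which files a GUI session touched, and emits a unified diff of exactly those files, which is the raw material for turning the ~30 mouse clicks into a script. It does not regenerate any vendor checksum over the config files; if the product keeps one, as David reports Raptor now does, a patched file will fail that check until the checksum is updated too.

```shell
#!/bin/sh
# Added example (not from the thread, and not Raptor's or FWTK's own tooling):
# snapshot a config tree before and after a GUI change, list the files the
# GUI touched, and emit a unified diff of them. The directory layout and the
# file contents below are constructed for the demo.
set -eu

# Write one "path crc size" line per regular file under directory $1.
# Paths are relative to $1 and are assumed to contain no spaces.
snapshot() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(cksum < "$f" | cut -d' ' -f1-2)"
    done )
}

# Print the paths whose line differs between manifest $1 and manifest $2.
# 'uniq -u' keeps lines seen only once, i.e. entries that changed or that
# exist in only one snapshot; the path is then taken and de-duplicated.
changed_files() {
    sort "$1" "$2" | uniq -u | cut -d' ' -f1 | sort -u
}

# Unified diff of every path read from stdin, comparing tree $1 to tree $2.
# A file missing on one side is diffed against /dev/null so additions and
# deletions show up too; diff exits 1 on differences, which is expected.
diff_changed() {
    while IFS= read -r f; do
        a="$1/$f"; b="$2/$f"
        [ -f "$a" ] || a=/dev/null
        [ -f "$b" ] || b=/dev/null
        diff -u "$a" "$b" || [ $? -eq 1 ]
    done
}

# Build the constructed "before" tree under $1: a proxy table, a startup
# script and a file the GUI never touches. Rule syntax is made up.
build_sample() {
    mkdir -p "$1"
    printf 'allow tcp 10.0.0.0/8 -> 10.1.1.5:8080\n' > "$1/proxy.conf"
    printf '#!/bin/sh\nstart_proxy 8080\n' > "$1/rc.start"
    printf 'log_level info\n' > "$1/other.conf"
}

# Simulate what the GUI did for one new rule: append a line to two files.
apply_gui_change() {
    printf 'allow tcp 10.0.0.0/8 -> 10.1.1.6:8443\n' >> "$1/proxy.conf"
    printf 'start_proxy 8443\n' >> "$1/rc.start"
}

# Run the workflow on the constructed trees. "files" prints the changed
# paths; "patch" prints the unified diff that a script could re-apply.
demo() {
    work=$(mktemp -d)
    build_sample "$work/before"
    cp -R "$work/before" "$work/after"
    apply_gui_change "$work/after"
    snapshot "$work/before" > "$work/before.sum"
    snapshot "$work/after"  > "$work/after.sum"
    case "$1" in
        files) changed_files "$work/before.sum" "$work/after.sum" ;;
        patch) changed_files "$work/before.sum" "$work/after.sum" \
                   | diff_changed "$work/before" "$work/after" ;;
    esac
    rm -rf "$work"
}

demo "${1:-patch}"
```

In real use the two `snapshot` calls bracket the GUI session on the actual config directory (whatever it is for the product; that path is not given in the thread), `build_sample` and `apply_gui_change` go away, and the `patch` output is what you feed to `patch -p0` or translate into a one-line `printf >>` per file. Any vendor checksum over those files has to be recomputed separately; this script only tells you which files to look at.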
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]