2000-01-22 rym:
> If you were to choose a firewall software that runs on Solaris
> SPARC what would it be? Is this software easy to administer and
> install?
As is so often the case, I agree with everything Paul said.
Just like to add a bit more.
I can't agree too strongly with his point that you should specify
what you need the firewall to do, before you begin choosing your
firewall. Try and keep as much as possible out of the requirements;
if you've got some external constraint that requires the firewall to
be running on Solaris/SPARC, well, there are fine firewalls that run
there, but you've still cut down your range of choices considerably.
The first thing I like to do, when trying to specify a firewall, is
get at least a crude and rough cut at the security policy you're
planning on implementing. A great many sites can choose from one of
these two as a starting point:
(1) Prohibit all direct network connections between the inside and
the outside. Allow everyone proxied email, possibly with content
stripping. Run separate DNS for inside and out; inside DNS can't
resolve outside hostnames. Run explicit and non-transparent
proxies for other select services, e.g. http. Strip active
content (embedded programs) out of inbound html in the http
proxy.
(2) Allow nearly all protocols outbound. Proxy select inbound
services.
The first stance is typical for a financial institution. It's
appropriate when security is paramount. It prevents users from
getting at some protocols; anything with a poor security model will
never be allowed through a tight firewall.
The second stance is typical for a firm where access to the internet
is regarded as critical to the business, and security is more of an
afterthought. A lot of dotcoms run this way. In this second stance,
the firewall is often used as much to get extra address space (by
NATting from RFC-1918 addrs) as to tighten security.
If the first security stance sounds more appealing, there's a good
chance that a firewall solution based on proxies may make you
happier than one founded solely on packet filtering.
The more detail you can get into your security policy before you
shop for the firewall, the happier you'll be with your shopping
decision, since you'll be better able to choose a firewall that can
implement exactly what you want.
The other big determinant is performance, in all its many aspects.
Do you require high-availability (i.e. multiple firewall boxes, with
service transparently and automatically failing over to a backup if
the primary dies)? Do you need load balancing --- are you going to
scale past the capacity of a single machine?
What kind of external connectivity are you looking to firewall? Is
your external network link a 56k modem dialup? A T1? A 100MB link
right into the backbone? Or something else?
What kind of user load are you thinking about? Do you need to
firewall for half a dozen users, who aren't in a hurry? Do you
have 30,000 people, many of whom are going to be wanting to run
streaming multimedia through your firewall?
Re-ask your question "what's the best firewall" with as much more
detail as you can assemble, and you may get some informed
recommendations.
-Bennett
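The two starting-point policies above differ mainly in default action and in which hops are allowed to speak directly. The following model, an added example rather than anything from Bennett's message, writes each stance as an ordered first-match ruleset and evaluates constructed sample flows against both. Zone names ("inside", "dmz", "outside"), the proxy port 3128, the rule format and the first-match semantics are assumptions chosen for the illustration; real products (ipf, a proxy firewall, or anything else running on Solaris/SPARC) have their own syntax and matching order.

```python
"""Model of the two firewall stances as ordered, first-match rulesets.

Added illustration, not code from the original post. Zones, ports and the
rule format are assumptions; the sample flows below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for any rule field


@dataclass(frozen=True)
class Rule:
    src_zone: Optional[str]   # "inside", "dmz", "outside" or ANY
    dst_zone: Optional[str]
    proto: Optional[str]      # "tcp", "udp" or ANY
    dport: Optional[int]      # destination port or ANY
    action: str               # "pass" or "block"
    note: str = ""

    def matches(self, src_zone, dst_zone, proto, dport):
        fields = ((self.src_zone, src_zone), (self.dst_zone, dst_zone),
                  (self.proto, proto), (self.dport, dport))
        return all(want is ANY or want == got for want, got in fields)


def evaluate(rules, src_zone, dst_zone, proto, dport, default="block"):
    """First matching rule decides; anything unmatched gets the default."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action
    return default


# Stance (1): no direct inside<->outside flows at all. Inside hosts reach
# only the proxies/relay on a DMZ host; only that host talks to the outside.
# Port 3128 for the explicit http proxy is an assumption for the example.
STRICT = [
    Rule("inside", "dmz", "tcp", 25, "pass", "mail to the relay"),
    Rule("inside", "dmz", "tcp", 3128, "pass", "explicit http proxy"),
    Rule("inside", "dmz", "udp", 53, "pass", "inside DNS (inside names only)"),
    Rule("dmz", "outside", "tcp", 25, "pass", "relay delivers mail"),
    Rule("dmz", "outside", "tcp", 80, "pass", "proxy fetches pages"),
    Rule("dmz", "outside", "udp", 53, "pass", "outside DNS"),
    Rule("outside", "dmz", "tcp", 25, "pass", "inbound mail to the relay"),
    # No inside<->outside rule exists, so those flows fall to the default block.
]

# Stance (2): nearly everything outbound passes; inbound is limited to
# proxied services on the DMZ. Specific blocks precede the broad pass so
# that first-match ordering lets them win.
PERMISSIVE = [
    Rule("inside", "outside", "tcp", 25, "block", "still force mail via relay"),
    Rule("inside", "outside", ANY, ANY, "pass", "nearly all protocols outbound"),
    Rule("inside", "dmz", ANY, ANY, "pass", "inside may use DMZ services"),
    Rule("outside", "dmz", "tcp", 80, "pass", "proxied inbound web"),
    Rule("outside", "dmz", "tcp", 25, "pass", "proxied inbound mail"),
    Rule("dmz", "outside", ANY, ANY, "pass", "proxies/relay go out"),
    # outside -> inside and dmz -> inside fall to the default block.
]

# Constructed sample flows: (src_zone, dst_zone, proto, dport)
SAMPLE_FLOWS = [
    ("inside", "outside", "tcp", 80),    # direct web browsing
    ("inside", "dmz", "tcp", 3128),      # browsing via the proxy
    ("inside", "outside", "tcp", 1755),  # streaming media, direct
    ("inside", "outside", "tcp", 25),    # direct outbound mail
    ("outside", "dmz", "tcp", 80),       # inbound to proxied web service
    ("outside", "inside", "tcp", 80),    # inbound straight to a desktop
]


def compare(flows=SAMPLE_FLOWS):
    """Return (flow, strict_verdict, permissive_verdict) for each flow."""
    return [(f, evaluate(STRICT, *f), evaluate(PERMISSIVE, *f)) for f in flows]


if __name__ == "__main__":
    print(f"{'flow':<40} {'strict':<8} {'permissive':<10}")
    for flow, strict, permissive in compare():
        label = f"{flow[0]}->{flow[1]} {flow[2]}/{flow[3]}"
        print(f"{label:<40} {strict:<8} {permissive:<10}")
```

Running the table makes the trade-off concrete: under the strict stance the only thing an inside host can do with the web is talk to the proxy, which is where content stripping happens, while the permissive stance passes streaming and other arbitrary outbound protocols by default and relies on rule ordering to carve out the few exceptions.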