Personally, I'm quite fond of the SecureComputing firewalls (SideWinder and
SecureZone, not that 'Firewall for NT'). Application gateways running on a
hardened Unix (BSD) kernel with a 'nice' GUI interface, 'type enforcement'
(check out the site - www.securecomputing.com - for an explanation), IPSec
VPN and hot standby.
These firewalls are very picky about their hardware, so make sure everything
is on the supported hardware list.
NOTE: this is not a recommendation for implementation (I don't know all
your requirements), it is just a recommendation for investigation.
-----Original Message-----
From: Jon Earle <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, February 29, 2000 7:03 PM
Subject: Re: Bug in Checkpoint FW-1 3.0 ?
>At 08:08 AM 2/29/00 -0500, you wrote:
>
>>This is, by the way, one of the kinds of problems cited by those of us who
>>believe that stateful inspection firewalls are generally insufficient for
>>serious security. Every time you read marketing literature about how a
>>Firewall-1 firewall is "application aware" think about this. Every time
>>you read about all of the services that are "handled" by the firewall,
>>think about this. This is the sort of thing that is difficult to get right
>>in a packet screening firewall unless you are dedicated to rewriting
>>TCP/IP in the content filtering engine.
>>
>>Everything is simpler and easier with a stateful inspection firewall,
>>including shooting oneself in the foot.
>
>So, what do you suggest then, for a client who wants a Windows NT based,
>"Off the Shelf", commercial grade solution for roughly the same price?
>
>We're currently running a FreeBSD, TIS FWTK solution which works _really_
>well. It has been decreed however, that it is outdated and due for
>replacement (I have no say in this decision). So... I've evaluated
>Firewall-1 and Raptor. I found Raptor to be a low quality product, with
>poor documentation, that didn't work as advertised. I've set up Firewall-1
>for other clients, and it seems to be doing the job quite well. It's easy
>to manage, and aside from the painfully slow logging interface, appears
>quite reasonable. It works as advertised, and comes with good
>documentation.
>
>Cheers!
>Jon
>-----------------------------------------------------------------
>Jon Earle (613) 612-0946 (Cell)
>HUB Computer Consulting Inc. (613) 830-1499 (Office)
>http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)
>
>"God does not subtract from one's allotted time on Earth,
>those hours spent flying." --Unknown
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>