oh my god. this will become a monsterthread :)

On Sat, Apr 22, 2000 at 10:43:43AM -0500, Kelly Scroggins wrote:
> Hi,
> 
> I'm new to the world of security.  I've been lurking on this list, and
> reading on my own.  As well as playing with Linux and my cable Internet
> connection.  Which got me interested in security in the first place.
> 
> My boss has asked me to investigate the various firewall/proxy solutions
> that would work for our company.  I know there are some really
> experienced and knowledgeable people on this list.  So I am seeking help
> from you in an informal survey.
> 
> While money is a factor in the equation, as always, the purchase of
> commercial products is a possibility.  Open source (free) products such
> as Linux are being considered as well.
> 
> If you could install (almost) anything you wanted, what would it be? 
> And what OS would you prefer?

openbsd. why?
(http://www.openbsd.org)

1. it's a BSD
2. it runs on multiple platforms (sparc, pc, hp ...)
3. it has a great firewall included (ipf) (far better than ipchains or
   netfilter)
4. its prerequisite is: security: it comes with telnet and other
   cleartext daemons disabled. the code and the base-packages are read
   for correctness by their developers. other system design goals have
   secondary priority
5. it's small, per default. Linux in contrast comes with multiple CDs.
   if you install the base system, it only comes with the really needed
   programs.
6. it has a huge ports-concept (means, if you need any free software, there
   is a really easy way to obtain it)
7. it has (in my eyes) the best file based intrusion detection system (mtree)
8. ...

The only malus for it: it's missing SMP support, but this will be in one
of the next releases as heard.

> 
> For instance I know Firewall-1 is the most popular firewall product on
> the market.  So ...
> 
> Would you install Unix and Firewall-1?  

If you have a minimum knowledge of unix/solaris: yes!
Means: if you know how to install unix software and how to mount and how to
setup networking under solaris.

> 
> Linux and Firewall-1?

No. Linux is not safe per se. It's a nice desktop system but not really
prepared for use in security environments. It has lots of abilities, but
altogether make it a very insecure system in my eyes.

> 
> Would you install NT and Firewall-1?  

No. I like the way FW1 behaves under solaris. You can configure almost all.
I think this combination I will not get with an NT.
> 
> Or given the option to use a product such as Firewall-1 (or other
> commercial) would you even consider ....
> 
> Linux and ipchains/squid?

ipchains has some major lacks:
- no dynamic back channels (only when using hacks)
- reject packets have wrong sender IP
- stupid packetfilter

squid is ok. but it's more or less a toolkit. 
> 
> In essence, if you are able to afford a commercial product, would you
> even consider an open source?

Yes. 
In my eyes Firewall-1 has 3 strengths:
1. graphical user interface
2. may be combined with stonebeat
3. authentication
4. stateful inspection 

If you don't need one of the 3 points you may consider ipf for instance.

If you have any protocols like rpc or multimedia protocols which you want
to be watched to keep the state, then FW-1 is a 'must' in my eyes.

> 
> Is Linux and ipchains/squid/TIS FWTK/etc a security risk?

A linux out of the box always is. If you spend time and patch and check
configurations and use it as a standalone computer for firewalling and 
squid with no other user shell access, it may be usable.

However, all said depends on your network design and your needs.

with kind regards,
Jochen Kaiser