-----Original Message-----
From: mouss
>At 18:50 23/09/00 -0400, [EMAIL PROTECTED] wrote:
>>Never heard of effnet firewall. I recommend going with a name brand like
>>Cisco PIX and Checkpoint.
>
>What I don't like here is the argument.
>Just because you never heard of it doesn't make it bad.
That's possibly true. On the other hand, there is great virtue in using a
product (free or otherwise) that lots of people are actively using. Such
products tend to have the "problems" found and fixed quicker than an obscure
product. YMMV.
What I have a problem with is your followup:
>Besides,
>- Checkpoint do not support NetBSD (dunno what PIX OS is).
What has this got to do with anything?
If this is some backhanded way of saying that only open OSes can possibly
securely support a firewall, Checkpoint (and Raptor, for that matter)
support Linux. If your argument is that "only open source == secure,
period", then you wouldn't want Checkpoint, et al., anyway. If the
argument is that only NetBSD is secure, well, I would conjecture that that
isn't a universal opinion.
>- Effnet is probably faster
Why is it that people consider speed a security attribute? That's less
relevant than saying a firewall is "better" if it's "easy to use". At least
an "easy to use" firewall has the possibility of reducing mistakes by the
administrator. Speed and security are tradeoffs against one another, not
complements.
There is a class of users for whom the security versus speed trade off is
relevant (very high data rate connectivity and/or extremely complicated
security policy). Alternatively, those who insist on running their firewall
on a Mac SE/30 (don't laugh...I've got friends that do) will be concerned
with a firewall's efficiency.
However, the *vast* majority of firewall users will overrun their upstream
link long before they overrun their firewall. I would strongly suggest that
firewall users should be asking "what is the most secure solution for my
policy" followed by "what is the most manageable solution to my policy"; "is
this firewall the fastest" is almost irrelevant when one looks at things
objectively.
Of course...that's just my opinion.
Ken Seefried, CTO & Founding Partner, DigitalMoJo
Information Security Management, Training & Consulting