I have been looking at some firewall reviews, and Network World did a
pretty good one a couple months back. The information should still be
fairly fresh.
Check it out at http://www.nwfusion.com/reviews/2001/0312rev.html
There's also a compar-o-matic section where you tally off the features you
want, and then can compare the products they tested directly. It's very
nice. You can find this at
http://www.nwfusion.com/bg/firewalls/firewalls.jsp
Professionally, I've only used the PIX firewall. If all you're doing is
allowing port 80 traffic through to a web server, this would be more than
adequate. Of course, so would a linux box using iptables. There were two
things I particularly didn't like about the PIX firewalls:
1) Turning on debugging so that you could actually see what was happening
real time caused severe performance degradation. We all live in the real
world and there are times when someone says they can't get through, and
even though your conduit is there you need to be 100% sure.
2) I am a big fan of CLI, but when you get more than about 6 conduits
(Cisco-esque for opening a hole) it becomes very hard to draw a big
picture by looking at it. On some of the PIX firewalls I maintained there
were around 300 conduits. It took me hours to audit my rules. Cisco does
have a GUI which is supposed to ease this pain, but I didn't have that
luxury so I can't speak of its blessings or problems.
3) On the software I used, 4.3, the PIX drops any packets specifying
extended IP options. You CANNOT turn this feature off. I ran into a
problem where an AIX box was specifying extended options and the PIX was
simply dropping the packets (it did log it to let me know), and there was
no way to get them through.
On the whole, the PIX did do what it was supposed to. Currently I'm
looking at getting a Checkpoint firewall.
On Wed, 2 May 2001, Rob wrote:
> Hi,
>
> I regularly administer some FreeBSD servers, and more recently (as specified
> in another email) I will be required to implement several firewalls.
>
> From what I 'hear' everyone seems to go the hardware based firewall route -
> with Cisco having the most well respected name (at least for marketing
> purposes).
>
> I like BSD, I have been very impressed with the stability and security of
> the system. We don't generally see NT boxes on our network with >100 days
> uptime, but this seems to be quite common with BSD. I would be interested in
> looking into using FreeBSD with IPFW for our firewalls - but I am interested
> in your opinions.
>
> What are the advantages of using IPFW over say Cisco's products? What are
> the disadvantages?
>
> What experiences have you had of using either?
>
> Are there any comparisons on the net?
>
> Many Thanks
> -Rob
>
> --------------------------------
> http://www.robhulme.com
> http://www.christianunion.org.uk
>
> "...and scantily clad females, of course. Who cares if it's below zero
> outside." -- Linus Torvalds
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>