Pieter,

To convince the management you can look at the services running
on the firewall and prove that they need to be upgraded because in
recent years people found flaws in the used technology or running
services. Basically management needs to learn that you need to keep
up with the technology to be, or feel, secure. Otherwise you can sit
and wait to be penetrated at some point (maybe this already happened
without your knowledge about it).

IMO a Checkpoint FW-1 is a pretty expensive solution to replace a
FreeBSD firewall. There are also probably some tools for Linux or IPFilter
(firewall package runs on latest FreeBSD distros) that can suit your needs.

If you ask me the rulebase of an IPFilter or PF based firewall is pretty
straightforward and after reading the HOWTO it shouldn't be a problem
to install a good rulebase on the new firewall. If you are now running
a FreeBSD firewall then there shouldn't be a real problem in running a
new FreeBSD install with a new and better firewall package.

Anyway... food to think about..

Regards,


Brenno

> -----Original Message-----
> From: Pieter Blaauw [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday 20 March 2002 8:04
> To:   [EMAIL PROTECTED]
> Subject:      Firewall RFI & info
> 
> Hi guys
> 
> If this is OT, send someone over with a spiked club to teach me, but I
> thought I'd ask this list. :)
> 
> The current .co I work for has a set of firewalls being 'x' yrs old,
> still based on FreeBSD 2.2.6 with some friendly interfaces etc. At the
> time of their purchase much of it was a 'golf course decision'. Now for
> the new budget period we're trying to justify spending the money on
> upgrading the units to Checkpoint's FW-1. In an RFI I sent it, it came
> out on top, and while a FreeBSD / Linux solution would be great, not
> enough people understand it to make hand-over and maintenance of it
> easy enough. Also not all the functions on the RFI were needed, making it
> not a powerful enough object for argument over the older units.
> 
> Can anyone assist me in advice in how to prove to management without a
> doubt that the older units are indeed worth replacing? While I can
> prove 'x' amount of nmap scans, not to mention the lack of stateful
> inspection in the boxen, this is not convincing enough. I'm looking for
> someone with some business savvy that may know of a whitepaper on such a
> problem or anything of help.
> 
> Kind regards
> Pieter
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls