Mickey,

A 36,000 node network would feature much more than a single point of entry, more than a hardware firewall, and certainly more than redundant appliances with different types of OS behind each. Speed is not the question here. Throughput vs. security... I thought this was hardware vs. software....

Best Regards,
Jonathan Goetsch
ComIT Solutions, Inc.
949-252-5351 Office
www.comIT.org
[EMAIL PROTECTED]
Member, Board of Directors: www.aipoc.org

-----Original Message-----
From: Mickey S. Olsberg [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 01, 2001 12:01 PM
To: 'Phil Kramer'; [EMAIL PROTECTED]
Subject: RE: Hardware Firewall vs Software Firewall

I agree wholeheartedly with Phil's opinion, but would add one note. The only case in my opinion which justifies the speed over security is very-high bandwidth applications, such as a certain place I know that contains 36,000 nodes behind its firewalls. Still, you must weigh the need for security against the need for speed, and security should *always* win.

Mickey

-----Original Message-----
From: Phil Kramer [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 8:23 PM
To: [EMAIL PROTECTED]
Subject: Re: Hardware Firewall vs Software Firewall

My personal opinion is not hardware vs software, but what firewall is most secure. You can talk about PIX, CheckPoint, Linux with IPtables, IPchains and IPfilters, but from a security point of view a pure application proxy is more secure. How many people can notice a 20 ms pause? If you want speed get a router with ACLs, that's what PIX is. All these stateful inspection/packet filter technologies work at too low a level (layers 2-4) to provide enterprise security. For web servers, mail servers etc. you need layer 7 checking.

Phil Kramer, SANS GSEC
Systems Solutions Technologies, LLC
Phone: 615-646-5766
email: [EMAIL PROTECTED]
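To make the layer 2-4 versus layer 7 distinction in Phil's message concrete, here is an added example (not code from the thread or from any of the products named in it): a packet-filter decision that sees only the 5-tuple next to an application-proxy decision that parses the HTTP request. The rule table, flow record and request bytes are constructed for illustration.

```python
"""Packet filter (layers 3/4) vs. application proxy (layer 7) decisions.

Constructed example for illustration; the policy, flow and payloads are made up.
"""
import re

# Layer 3/4 policy: addresses, protocol and ports are all a packet filter sees.
L4_RULES = [
    {"proto": "tcp", "dport": 80},   # web server
    {"proto": "tcp", "dport": 25},   # mail server
]

def packet_filter_allows(flow):
    """Decide on the 5-tuple alone; the payload is invisible at this layer."""
    return any(flow["proto"] == r["proto"] and flow["dport"] == r["dport"]
               for r in L4_RULES)

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}

def http_proxy_allows(payload):
    """Decide on the parsed application message; returns (allowed, reason)."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:                       # no header block: not HTTP at all
        return False, "not a complete HTTP request header"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    if m.group("method") not in ALLOWED_METHODS:
        return False, "method not allowed"
    if not m.group("target").startswith(b"/"):
        return False, "bad request target"
    headers = {}
    for line in lines[1:]:
        name, sep2, value = line.partition(b":")
        if not sep2 or not name.strip():
            return False, "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        return False, "missing Host header"
    return True, "ok"

def compare(flow, payload):
    """Both verdicts for one connection: (layer-4 verdict, layer-7 verdict)."""
    return packet_filter_allows(flow), http_proxy_allows(payload)

# Constructed traffic, all to TCP/80, so the packet filter sees one thing.
FLOW = {"proto": "tcp", "src": "198.51.100.7", "dport": 80}
SAMPLES = {
    "benign":   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "connect":  b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "not_http": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, compare(FLOW, payload))
```

The packet filter returns the same verdict for all three payloads; only the proxy distinguishes the well-formed request from the disallowed method and the non-HTTP bytes.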