Kevin... Thank you. You're right on. DHCP, NAT, Stateful, ACLs... and much more... it's about "Money" and what you're protecting (or trying to protect). After that it's about what you can handle and what time you're prepared to spend managing it. You get that straight... and you'll know with a quick search what is best for your needs.

Thankfully, people are buying firewalls left & right now and that's great for both people like yourselves who will work on them... and people who manufacture/sell/service them. I have built a business on providing customers with security products/services for years. I say "Bring it on and let it ride!"

Out
JP

-----Original Message-----
From: Kevin Brown [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 01, 2001 5:22 PM
To: Frank Dick; [EMAIL PROTECTED]; 'Mickey S. Olsberg'; 'Luke LeBoeuf'; 'satyam'; [EMAIL PROTECTED]
Subject: RE: Hardware Firewall vs Software Firewall

Ok, it's time for me to chime in on this one. Forgive me if I sound arrogant, but there is a LOT of misinformation on this list about firewalls (this is not aimed at Frank or any one person in particular for that matter, but rather this is a comment on the thread in general). As someone who has tested many hardware and software firewalls, I feel more qualified than the average Joe who has used Checkpoint his whole life.

First, the PIX is not just a glorified Cisco router with ACLs. I see that mentioned a lot on this list. It has a full stateful inspection engine, which the routers do not.

Second, hardware firewalls are traditionally faster than software firewalls. Now, many vendors that offer hardware firewalls, such as Cisco, Lucent, Netscreen, etc. offer scaled down versions that will perform slower than their big brothers, but that is more of a licensing and pricing issue. Not everyone can afford a PIX 535.

For a good performance analysis of several different firewalls, read this review. Disclaimer: I do NOT work for Opus One, but rather one of their "competitors". But this was an *excellent* performance comparison of many of the top firewalls on the market today. My only complaints are that the charts are a little confusing and TopLayer isn't really a firewall, but I guess it functions similarly enough to one.

http://www.nwfusion.com/reviews/2001/0312rev.html

Anyway, you will clearly see that the hardware solutions consistently outperformed the software solutions. My own tests, which have included Cisco, Checkpoint, Netscreen, Symantec, Lucent, Cyberguard, and others, have proved very similar results.

In addition, there ARE more differences than just being glorified PCs running proprietary OSes (though the proprietary OSes is a big component). For example, the Cisco and Netscreen boxes use some ASICs. Some do run the aforementioned proprietary OSes, and some run tweaked, hardened commercial OSes (Cyberguard, Nokia). These ones may blur the line a little between hardware and software, but the vendors often do tweaking that greatly improves performance. Hardware firewalls also provide the complete package so you do not have to rely on 3 different vendors for support (hardware, OS, application). You can usually get all the necessary updates and patches from one single vendor. And I don't know of a single software firewall that even approaches Gigabit speeds, even when they aggregate performance across 4 NICs.

All that said, does that make them better? No, not at all. As Frank already stated, Cisco (and others) rely on an external Syslog or WebTrends server for logging and reporting. That's fine if you need to eke out every ounce of performance from your box and can afford adding even more servers to your cabinet, but for those of us who work in smaller, more budget-conscious companies, we prefer a solution that provides everything in one package. Let's be honest, how many of us are using a 1.54 Mbps T1?

Thanks to anyone who bothered to read through this drivel. I just wanted to provide some better insight into what the differences are.

Brownfox

-----Original Message-----
From: Frank Dick [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 01, 2001 5:16 AM
To: '[EMAIL PROTECTED]'; 'Mickey S. Olsberg'; 'Luke LeBoeuf'; 'satyam'; '[EMAIL PROTECTED]'
Subject: RE: Hardware Firewall vs Software Firewall

The Cisco Secure PIX is a high performing firewall, as it does nothing more than basic firewalling (with VPN-Server). The PIX offers Stateful Inspection (tracking the source and destination address, TCP sequence numbers, port numbers, and additional TCP flags); if you use other features (more content aware) or NAT, it will not beat other Firewalls in performance. Even logging is outsourced to a syslog-server as the PIX runs completely from flash memory. The PIX runs on Intel Hardware and a proprietary (Cisco IOS like) Operating System.

"One of our main goals was to move our platforms to a purely embedded design, while using the fastest processors available," explains Adam Walb, manager of hardware engineering at Cisco. Based on Cisco specifications, Intel worked with Cisco engineers to implement a design based on the Intel® Celeron(tm) and Pentium® III processors, Intel® 440BX chipset, Intel® 82559ER Ethernet controller, and Intel® Boot Block flash and Intel StrataFlash® memory devices, integrated in a small form-factor motherboard.
(http://developer.intel.com/platforms/applied/eiacomm/commfocus/ttm.htm)

PIX 506 Processor: 1 x Intel Pentium MMX 200 MHz (throughput 8 MBit/sec)
...
PIX 535 Processor: 2 x Intel Pentium III 1 GHz (throughput 1 GBit/sec)

You see, there is nothing mysterious about Hardware Firewalls. I didn't follow this thread so I don't actually know if someone mentioned that hardware firewalls mostly do not need as much maintenance as software Firewalls. In general, Hardware Firewalls are not faster than Software Firewalls, but easier to use as you do not have to install and configure the OS (initially installed by the manufacturer; updates via tftp or Windows programs).

In general the Hardware comes from other manufacturers than the Firewall (NOKIA, Cobalt (now SUN)); if you have problems nobody feels responsible and they will say that the problem is caused by the other manufacturer.

Regards
Frank

--
PIRONET NDH
Frank Dick - Head of eSecurity
Theodor-Heuss-Strasse 92-100 - 51149 Cologne Germany
Phone: +49 (0)2203 935 300 - Fax: +49 (0)2203 935 3099
mailto:[EMAIL PROTECTED] - http://www.pironet-ndh.com
http://www.esecurity.de
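The distinction both Kevin and Frank rely on above (a router ACL that judges each packet on its own, versus a stateful inspection engine that tracks addresses, ports, TCP flags and sequence numbers per connection) can be made concrete with a toy packet filter. The block below is an added example written for this page; it is not code from any of the thread's participants or from any firewall vendor. The inside prefix 10.0.0.x, the fixed 64 KiB window, the packet fields and the replayed trace are all constructed assumptions.

```python
"""Stateless ACL versus stateful inspection, as a toy packet filter.

Constructed example for this thread; not code from any participant or vendor.
Packets are plain dicts, addresses are strings, and the sequence-number test
is a simplified window check.  The inside network prefix is an assumption.
"""
from dataclasses import dataclass, field

INSIDE_PREFIX = "10.0.0."   # assumption: protected hosts are 10.0.0.x
WINDOW = 65535               # assumption: fixed receive window for the toy


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def packet(src, sport, dst, dport, flags, seq=0, ack=0, payload=0):
    """Constructed packet summary: exactly the fields a stateful engine tracks."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": frozenset(flags), "seq": seq, "ack": ack, "payload": payload}


def acl_stateless(pkt) -> bool:
    """Router-style ACL: outbound anything, inbound only if the ACK bit is set
    (the 'established' heuristic).  It keeps no memory between packets."""
    if is_inside(pkt["src"]):
        return True
    return "ACK" in pkt["flags"]


@dataclass
class Conn:
    state: str                                    # SYN_SENT -> SYN_RECV -> ESTABLISHED
    next_seq: dict = field(default_factory=dict)  # expected next seq per direction


class StatefulEngine:
    """Admits a packet only if it fits a connection that an inside host opened."""

    def __init__(self):
        self.table = {}   # (src, sport, dst, dport) of the initiating direction -> Conn

    def _lookup(self, pkt):
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.table:
            return fwd, "fwd"
        if rev in self.table:
            return rev, "rev"
        return None, None

    def inspect(self, pkt) -> bool:
        key, direction = self._lookup(pkt)
        flags = pkt["flags"]
        if key is None:
            # No table entry: only an inside host may open a connection, with a bare SYN.
            if is_inside(pkt["src"]) and flags == {"SYN"}:
                fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
                self.table[fwd] = Conn("SYN_SENT", {"fwd": pkt["seq"] + 1})
                return True
            return False
        conn = self.table[key]
        if "RST" in flags:                  # either side may tear the entry down
            del self.table[key]
            return True
        if conn.state == "SYN_SENT" and direction == "rev" \
                and flags == {"SYN", "ACK"} and pkt["ack"] == conn.next_seq["fwd"]:
            conn.state = "SYN_RECV"
            conn.next_seq["rev"] = pkt["seq"] + 1
            return True
        if conn.state == "SYN_RECV" and direction == "fwd" \
                and "ACK" in flags and pkt["ack"] == conn.next_seq["rev"]:
            conn.state = "ESTABLISHED"
            return True
        if conn.state == "ESTABLISHED":
            expected = conn.next_seq[direction]
            # Simplified window test; retransmissions below `expected` are dropped too.
            if 0 <= pkt["seq"] - expected < WINDOW:
                conn.next_seq[direction] = pkt["seq"] + pkt["payload"]
                return True
        return False


def run_scenario():
    """Replay a constructed trace through both filters; returns (acl, stateful) verdicts."""
    inside, server, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    trace = [
        packet(inside, 40000, server, 80, ["SYN"], seq=1000),                     # 0 handshake
        packet(server, 80, inside, 40000, ["SYN", "ACK"], seq=5000, ack=1001),   # 1
        packet(inside, 40000, server, 80, ["ACK"], seq=1001, ack=5001),          # 2
        packet(server, 80, inside, 40000, ["ACK", "PSH"], seq=5001, ack=1001, payload=100),  # 3 in-window data
        packet(server, 80, inside, 40000, ["ACK"], seq=900000, ack=1001),        # 4 far out of window
        packet(stranger, 4444, inside, 22, ["ACK"], seq=1, ack=1),               # 5 unsolicited, ACK bit set
        packet(stranger, 4444, inside, 22, ["SYN"], seq=1),                      # 6 unsolicited SYN
    ]
    engine = StatefulEngine()
    return [acl_stateless(p) for p in trace], [engine.inspect(p) for p in trace]


if __name__ == "__main__":
    acl, stateful = run_scenario()
    for i, (a, s) in enumerate(zip(acl, stateful)):
        print(f"packet {i}: stateless ACL={'pass' if a else 'drop'}  stateful={'pass' if s else 'drop'}")
```

Packets 4 and 5 are the ones to watch: the stateless ACL passes both, because it can only look at the bits in front of it, while the stateful engine drops the out-of-window segment and the inbound packet that merely has its ACK bit set, because neither belongs to a connection in its table. That table is also why a stateful box spends memory and CPU per flow, which is the cost Frank is pointing at when he says the PIX stops winning once content-aware features or NAT are switched on.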