> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: April 1, 2003 19:12
> To: [EMAIL PROTECTED]
> Subject: Hardware vs Software Firewall/Router
>
> I work for a consulting company that services businesses with
> 30 to 200 clients. Our IT Manager likes to use a Linksys, or
> a 3Com hardware firewall solution. He is also thinking of
> introducing the Symantec Raptor (I could be incorrect on the
> name) software solution. We are mostly a Windows-based firm
> with little *nix experience, so most software solutions are
> out already. My reason for posting is: I would like to
> provide a valid argument for not using a software solution,
> and making our hardware solutions a little more "upscale",
> say PIX, Nokia, Checkpoint etc. The IT manager's argument is
> that he finds far fewer vulnerabilities in the software
> solutions or the Linksys and 3Com than what he does in the
> PIX etc. I am of course familiar with all of the basic
> differences, I am more so looking for valid argumentative
> points. Any input would be greatly appreciated.

Well, let's see. First of all, Checkpoint IS a software solution. Nokia is Checkpoint in an "appliance" package; Checkpoint's SecurePlatform offering is a hardened Linux distro with their software on it. (The strongest argument against "software" firewalls is that they may inherit vulnerabilities from the underlying general-purpose OS, and both Nokia and SecurePlatform address that. Microsoft's Proxy Server, for instance, required not just NT 4.0 but also *IIS* to be installed first so it could re-use components from that; I'm not sure that their ISA product doesn't have similar requirements.)

NetScreen and PIX are other popular "appliance" firewalls, where the OS is not general-purpose or exposed. Between them, Checkpoint (including Nokia), NetScreen and PIX account for the bulk of the firewall market. (i.e., Other IT managers have found their arguments persuasive....)

Raptor is probably #4. It takes a bit different approach to *how* to secure network communications, and for larger firms I would have some concerns that its performance is not likely to scale well.

The Linksys routers I've used have been adequate for a SOHO network, and that's what Cisco recently bought them for. I don't consider them a "real firewall" -- in fact, the way they misuse common firewall terminology leaves me in some doubt that the company could or would build a real firewall box. I would probably not consider them even for the low-end of your customer base, preferring something like a NetScreen-5.

I have not seen an actual 3Com router in 5 years. The company *can* build great products, but has not always done so.

David Gillett
