
Security Basics mailing list archives

RE: suggestions on a good firewall
From: "Mark Ng" <laptopalias1-mark () informationintelligence net>
Date: Tue, 20 May 2003 17:55:55 +0100


> A Windows box, properly locked down, can be a reliable firewall.

There's an element of truth to that - but I'm not sure I'd want to be the
person locking it down or keeping up to date with patches ;).  I also
wouldn't recommend Windows unless in an HA pair.

There's also a very strong argument for OpenBSD and PF too (stability,
proven track record of security) - however, it's not as manageable as some
other solutions.

> Locking it down can be a chore, a much easier chore with Win2003
> server, but still takes some expertise and finesse.  I prefer

I've not yet had any experience with 2k3, so I can't possibly comment.

> hardware firewalls with a firmware basis, as they're harder to
> exploit, but many brands have reliability issues.  I'm currently
> running Checkpoint and Gauntlet on Solaris, but this is a
> production environment I've inherited.

If you're in the hardware firewall market, I quite like Netscreen and PIX.
Netscreen had some issues with some software upgrades being a bit buggy some
time recently though iirc, but on the whole, they're fairly solid firewalls
that are easy to administer.  PIXes of course don't have the pretty
graphical interface, but are solid firewalls.  I don't like Checkpoint; any
firewall that comes by default with "Hidden Implied Rules" doesn't wash with
me (is this still the case with newer versions of Checkpoint?)

> For a good, relatively inexpensive firewall, I'd recommend the
> Linux-Mandrake firewall solution, running on commodity Intel
> hardware.  Simple to set up, fairly easy to run, easy to maintain.

Smoothwall definitely has its merits in this arena - and by extension I'd
imagine IPCop does too.

> 2. What can my sysadmin handle ?  A Junior MCSE handed a

To be honest, I don't really think an MCSE with small amounts of job
experience should ever be handed main security responsibility.  There's
merit to outsourcing security functions in this event if you're too small to
justify full-time security staff or experienced systems administrators with
security experience.  Any firewall configured badly is a bad firewall, be it
IPCop, Smoothwall, OpenBSD/PF, Checkpoint or whatever.


