Security Basics mailing list archives

RE: suggestions on a good firewall
From: "dave" <dave () netmedic net>
Date: Fri, 23 May 2003 21:24:35 -0400

Did we not just have this same argument/topic last month?  I believe we
brought up the point that even appliances have an OS of some sort.
Otherwise we would have to replace the whole appliance every time there was
an update.


Dave Kleiman
dave () netmedic net


-----Original Message-----
From: wjnorth [mailto:wjnorth () earthlink net] 
Sent: Thursday, May 22, 2003 13:38
To: 'Mike Heitz'; salgak () speakeasy net; 'Mark Ng';
security-basics () securityfocus com
Subject: RE: suggestions on a good firewall


By far, appliance-based firewalls are more effective than O/S-based
firewalls. With O/S-based firewalls the threat of not only
vulnerabilities within the firewall application itself, but also
multiple vulnerabilities associated with the O/S the firewall app is running
on, is very real.

Conversely, if the O/S is hardened (I've hardened both UNIX and Windows
O/S; by far, Windows is the hardest) and the firewall app is locked down
(i.e. no HTTP config, proper deny-all statements are utilized, hardened
passwords, telnet eliminated, SSH implemented for remote session
configuration, etc.), the threat is minimized.

The issue, in my mind, with choosing firewalls for most companies tends
to come down to cost. Is it more or less expensive to purchase appliance-based
firewalls rather than O/S-based? And that really depends on a few things:

1. How much experience the SAs or network admins have with the firewall
and/or the O/S
2. If an O/S is chosen, how long it will take to lock it down
3. How long it will take to lock down an appliance-based firewall

I personally will opt for an appliance firewall hands down. Some that
are pretty good: Cisco PIX (though this is a SW package running on
Cisco hardware), CyberGuard (though this does use a SCO kernel, but
implemented with multiple security levels), CheckPoint (though the best
one I've seen uses a Linux kernel). I've heard of a truly hardware-based
firewall, but can't remember the name of it.

At any rate, this is just my experience/opinion.

-Wesley North
Senior Information Systems Security Engineer
wesley.north () baesystems com
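The lockdown checklist in Wesley's message (proper deny-all statements, telnet eliminated, SSH implemented for remote management, no HTTP config interface) is easy to state and easy to get subtly wrong on an O/S-based firewall. The following is an added example, not code from either poster: a small Python audit that parses an iptables-save dump and reports which of those checklist items the host ruleset fails. The two rulesets are constructed samples (the "before" with open telnet/web/SSH management, and a locked-down "after"); the 10.0.0.0/24 management network, the function names and the port-to-service mapping are assumptions for illustration, and the parser only handles the `-p`, `-s`, `--dport(s)` and `-j` options, which is enough for the checks shown.

```python
"""Audit an iptables-save dump against a firewall-host lockdown checklist:
default-deny INPUT, no telnet, SSH only from a management network, and no
web management interface exposed on the box itself (example code)."""

# Constructed sample: loose "before" ruleset with open management services.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: locked-down "after" ruleset. 10.0.0.0/24 is an assumed
# management network; SSH is the only service the box itself accepts.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

TELNET, SSH, WEB = 23, 22, {80, 443}


def _ports(spec):
    """Expand an iptables port spec ('22', '80,443', '8000:8080') to a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_ruleset(text):
    """Return (policies, rules). policies maps chain -> default target; each
    rule is a dict with chain, proto, dports (set), src and target. Options
    the audit does not need (-i, -m, --state, ...) are skipped."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        if not line.startswith("-A "):
            continue
        tok = line.split()
        rule = {"chain": tok[1], "proto": None, "dports": set(), "src": None, "target": None}
        i = 2
        while i < len(tok):
            t = tok[i]
            nxt = tok[i + 1] if i + 1 < len(tok) else None
            if t == "-p":
                rule["proto"] = nxt
            elif t in ("--dport", "--dports"):
                rule["dports"] |= _ports(nxt)
            elif t == "-s":
                rule["src"] = nxt
            elif t == "-j":
                rule["target"] = nxt
            else:
                i += 1          # unknown flag: step over it alone
                continue
            i += 2
        rules.append(rule)
    return policies, rules


def audit_firewall_host(text):
    """Return a list of findings; an empty list means every check passed."""
    policies, rules = parse_ruleset(text)
    findings = []
    input_rules = [r for r in rules if r["chain"] == "INPUT"]
    inbound = [r for r in input_rules if r["target"] == "ACCEPT"]
    # 1. "proper deny all": default policy DROP, or a final unconditional DROP.
    last = input_rules[-1] if input_rules else None
    catch_all_drop = (last is not None and last["target"] == "DROP"
                      and last["proto"] is None and not last["dports"] and last["src"] is None)
    if policies.get("INPUT") != "DROP" and not catch_all_drop:
        findings.append("INPUT is not default-deny")
    # 2. telnet eliminated.
    if any(TELNET in r["dports"] for r in inbound):
        findings.append("telnet (tcp/23) accepted on INPUT")
    # 3. SSH implemented, and only from a named source network.
    ssh = [r for r in inbound if SSH in r["dports"]]
    if not ssh:
        findings.append("no ssh (tcp/22) rule; remote management impossible")
    elif any(r["src"] is None for r in ssh):
        findings.append("ssh accepted from any source; restrict with -s <mgmt-net>")
    # 4. no HTTP config interface reachable on the firewall host itself.
    if any(r["dports"] & WEB for r in inbound):
        findings.append("web management (tcp/80 or 443) accepted on INPUT")
    return findings


if __name__ == "__main__":
    for name, rs in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit_firewall_host(rs) or "OK")
```

The audit looks only at the INPUT chain, i.e. traffic addressed to the firewall box, which is what the "locked down" items in the message are about; FORWARD rules for traffic passing through the device are a separate review. Feed it the output of `iptables-save` on a Linux-based firewall host to get the same four checks on a live configuration.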
