RE: Borderware - will it handle a 10mb pipe worth of traffic?
From: "PAZ (Ariel Pisetsky)" <ariel () sys-security com>
Date: Sat, 11 Nov 2000 13:42:38 +0200
Borderware is a fine product. That said, I allow myself to say that it isn't suitable for anyone, especially those who
seek fine-tuned rule bases.
I was a Borderware implementor in the past, and still use the product today. As other products have advanced,
Borderware didn't. I believe that it should be used as a secure mail or DNS gateway and not as a firewall (maybe that
is why the new line of products based on the firewall was developed by Border?). The firewall product is very strict,
hence any special rule (they aren't called rules in the Border terminology, they are called a Proxy) is a battle of
wits with the firewall. The case might be that you can't actually create an external to internal "Proxy" the way you
wrote you wish, since the firewall allows only external connections to the DMZ (SSN in Border terminology), unless you
use the firewall IP for the job (this means that you can use only one IP).
One may want to examine the Border statement that the firewall is a Proxy. In lab tests that I conducted, the HTTP proxy
wasn't as effective in finding bogus HTTP connections. It was enough for the port to be 80 and the connection could
pass through. Even Check Point, which doesn't claim to be a proxy-level firewall, has better capabilities with its
"Secure Server" configured to check HTTP connections.
I don't intend to slam the Border firewall product, as I stated at the beginning of this mail "Borderware is a fine
product". I just don't think of it as a firewall anymore, since other products give much more granular capabilities.
From: Mick Munroe [mailto:mick () HALEX com]
Sent: Saturday, November 11, 2000 12:41 AM
To: 'firewall-wizards () nfr com'
Subject: [fw-wiz] Borderware - will it handle a 10mb pipe worth of traffic?
I'm looking for a solution to replace my current firewall, and have been
looking at many options - a lot of which cannot handle my requirements, now
I'm looking at Borderware, and was wondering if anyone can give me more
information on the pros/cons of Borderware.
What I need to accomplish:
1: Be able to assign 254 addresses to the external nic.
2: Be able to transfer external traffic from a specific external IP to a
specific internal IP BASED on port value.
Keep in mind that for a given external IP it could be forwarded to more than
one and in some cases as many as 6 different internal servers based on the
port value. (for example I have an HTTP server, SMTP server, FTP server,
Custom application server - all use a specific different port from each
other, and all use the same external ip address.) ...I hope this makes
3: Be able to transfer external traffic to a network that is different (but
downstream) from the internal nic's network (for example, my internal
network is 192.168.1.xxx and I've got a remote office that directly connects
via ISDN to this internal network and it's network is 192.168.2.xxx, I need
to be able to transfer external traffic bound to a specific external address
to a specific internal address on the 192.168.2.xxx network, and again this
will be based on port value.)
4: VPN... I would like a solution that will bundle in VPN services but if I
have to then I'll look at another product that will do only VPN services.
Borderware has VPN capabilities but again I don't know how much traffic it
will be able to handle, my current VPN requirements are approximately 50-100
concurrent client to server VPN sessions.
5: Be able to handle 10mb worth of traffic going through the firewall.
6: My current solution is Linux based and I have well over 400 rules -
whatever I use to replace Linux has to be able to handle this number of
rules - actually it will have to be able to handle double this number as I'm
only half-way through my class C so far.
Can't think of anything else. So will Borderware be able to handle this?
(ver 6.1.2) Or will it choke? Will it run slow? (assuming of course I've
got a nice fast processor and lots of RAM.)
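As an added illustration of requirements 2, 3 and 6 in the post above (not code from either poster or from Borderware), the following models a port-based forwarding table: one external IP fanned out to several internal servers by destination port, including a host on the downstream 192.168.2.0/24 office network. All addresses and ports are constructed sample values, and the emitted rule syntax is netfilter iptables DNAT, assumed here as the Linux equivalent.

```python
"""Port-based forwarding table with conflict and reachability checks.
Sample addresses are constructed; 203.0.113.0/24 is a documentation range."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    ext_ip: str    # external address the client connects to
    port: int      # TCP destination port seen on the external NIC
    int_ip: str    # internal server that receives the connection
    int_port: int  # port on the internal server


# Networks behind the internal NIC: the attached LAN plus the ISDN office
# (requirement 3: a destination that is downstream, not directly attached).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("192.168.2.0/24")]


def build_table(forwards):
    """Index rules by (external IP, port). Duplicate keys are rejected up
    front: with 400+ rules a silent first-match-wins policy hides mistakes."""
    table = {}
    for f in forwards:
        key = (ipaddress.ip_address(f.ext_ip), f.port)
        if key in table:
            raise ValueError(f"conflicting forward for {f.ext_ip}:{f.port}")
        if not any(ipaddress.ip_address(f.int_ip) in n for n in INTERNAL_NETS):
            raise ValueError(f"{f.int_ip} is not behind the internal interface")
        table[key] = f
    return table


def resolve(table, ext_ip, port):
    """Return the Forward a connection to ext_ip:port maps to, or None (no rule)."""
    return table.get((ipaddress.ip_address(ext_ip), port))


def to_iptables(f):
    """Equivalent netfilter DNAT rule for one forward (iptables syntax, assumed)."""
    return (f"iptables -t nat -A PREROUTING -d {f.ext_ip} -p tcp --dport {f.port} "
            f"-j DNAT --to-destination {f.int_ip}:{f.int_port}")


# Constructed sample: one external IP, four services, one on the office network.
SAMPLE = [
    Forward("203.0.113.10", 80, "192.168.1.10", 80),     # HTTP server
    Forward("203.0.113.10", 25, "192.168.1.11", 25),     # SMTP server
    Forward("203.0.113.10", 21, "192.168.1.12", 21),     # FTP server
    Forward("203.0.113.10", 7000, "192.168.2.20", 7000), # custom app, via ISDN
]

if __name__ == "__main__":
    for f in build_table(SAMPLE).values():
        print(to_iptables(f))
```

The reachability check only confirms the target lies in a network the firewall knows how to route to; the 192.168.2.0/24 route via the ISDN router still has to exist on the firewall itself.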
firewall-wizards mailing list
firewall-wizards () nfr com