Re: client firewall recommendations

[Paul Stewart <paul () lexnetinc com>]

In-Reply-To: <20031006181739.27534.qmail () sf-www2-symnsj securityfocus com>

In an outbound only configuration, the main advantage that I can see is stateful packet filtering.  When using a simple 
nat gateway like linksys or dlink, what you have is translations that are set up at connect time.  These are tracked on 
a port by port basis.  

This happens as well on a pix.  However, in addition, the pix tracks the state of the packets and closes the temporary 
hole as soon as it is safe to do so.  Also, the packets are compared to what the Pix thinks its sequence numbers and 
other attributes of the packet should be.  This is not the case on the inexpensive solutions.  

Another thing to consider is have you installed a pix before.  The command line is non-intuitive, if you have not used 
it before.  Newer Pix version have a web interface installed by default, but I never configure them using that method 
and will therefore not comment on it.

> Received: (qmail 4133 invoked from network); 6 Oct 2003 20:28:13 -0000
> Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 6 Oct 2003 20:28:13 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 3947EA35FF; Mon,  6 Oct 2003 14:19:40 -0600 (MDT)
> Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> Received: (qmail 26633 invoked from network); 6 Oct 2003 12:14:00 -0000
> Date: 6 Oct 2003 18:17:39 -0000
> Message-ID: <20031006181739.27534.qmail () sf-www2-symnsj securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: Dana Rawson <absolutezero273c () nzoomail com>
> To: security-basics () securityfocus com
> Subject: client firewall recommendations
>
>
>
> Please forgive me for asking such a basic question, but I can't seem to find the answers I'm looking for.
>
> I have a client installing a cable modem at his business.  He called me up asking if I would bless the installation of 
> a Linksys BEFSX41 EtherFast firewall at $75 that co-workers recommended, after I recommended the Cisco PIX 501 at 
> $500+.
>
> That would be acceptable to me if it were as secure as the PIX 501. Trouble is I haven't got experience with either 
> product to have a preference, and I would rather not make a recommendation without having more knowledge, and possibly 
> be held liable in the future should a security lapse occur.
>
> Is one more secure than another?  
>
> Thanks in advance.
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------