Firewall Wizards mailing list archives

Re: Differences between firewall-packages like FW-1 and packetfilter


From: Chris Brenton <cbrenton () sover net>
Date: Sat, 13 May 2000 14:08:07 -0400

Andreas Pretzsch wrote:

> I looked at some firewall-packages like FW-1 and I just don't see THE
> big difference to a packet filter like in Linux 2.2/2.3 combined
> with some GUI and some logfile-parser.

The difference is mostly fail over, integrated VPN solution,
authentication, commercial content filtering, etc. Of course:
A) Do the features actually work?
B) Does it really make sense to integrate them?

is a whole other topic thread. ;)

> Taking a closer look at the packet filter in later Linux 2.3.x (or to be
> more precise, the interface to it, iptables), I have the feeling this
> packet filter includes everything you could do with IP packets and the
> typical protocols based on it. The same applies to the protocol-level
> filters available.

Funny, I just got back from instructing the SANS perimeter security
course where I was making the same kind of commentary. ;)

> What advantages could I get from buying a tool like FW-1 instead of
> using a glued-together solution based on iptables, a GUI and a few
> reporting scripts?

see above, although swatch rules. ;)

> Is there anything FW-1 (or other packages like Gauntlet) could do for
> me that the above solution can't?

*BIG* can of worms here... ;)

Let's just talk two products, FW-1 & iptables/NetFilter since they are
both based on the same type of technology:

Both do stateful filtering. FW-1 maintains state on TCP & UDP only. I
would have to review iptables to see if it includes anything else but I
know it at least covers these two as well.

FW-1 has been around a bit longer so it would be considered more stable
(especially since iptables is beta software running on a beta kernel).
iptables is open source however, so it's easier to figure out if there are
any problems.

Problems posted to the iptables/netfilter mailing list are responded to
*very* quickly by the people who code the software. When's the last time
you've seen technical help posted from a CP mailing address to this or
any other list (including CP's own FW-1 list)?

FW-1 has a nice draw and configure GUI, iptables is all command line.
Personally, I prefer a command line but for a newbie trying to get up to
speed the ability to draw a picture of your network and have your policy
auto-generated would be considered a big plus. Of course this opens the
question "Should a newbie be configuring a firewall?" which is a
completely different debate. ;)

FW-1 has Stateful Inspection (TM) which allows you to screen packet
payload. iptables does not have this ability but it sounds like adding
hooks into the payload is being discussed as a potential feature. Of
course the problem with SI is:
A) The language is undocumented (maybe 5 people in the world fully
understand it)
B) SI changes with each FW-1 revision (combine with "A" and this is bad)
C) CP support will not talk to you if you've modified SI yourself

The big difference for me is the logging ability. FW-1 only logs the
first packet, does not report header info beyond IP & port numbers, and
in some cases lies about what it lets through and what it does not.

iptables logs with the same amount of detail as ipchains, so you see
every packet including flags, TOS, etc. The only thing missing is
payload (you need an IDS for this).

Of course we're talking "core" features here. As mentioned above, FW-1
includes more integrated features so long as you're willing to pay for
them.

> Let me make one restriction: I'm only talking about small and simple
> firewalls, not the huge thing AltaVista might need ...

Not sure this applies as a firewall is a firewall is a firewall. The
rest are bennie features although I would *love* to see a performance
comparison between FW-1 on Linux vs. iptables to see which one cries
uncle first. ;)

HTH,
Chris
-- 
**************************************
cbrenton () sover net

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
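The per-packet logging detail Chris describes (TCP flags, TOS, IP options such as DF) is exactly what a swatch-style script would act on. The following is an added example, not part of the original post and not code from the netfilter project: it parses lines in the layout the iptables LOG target writes to the kernel log (as produced by a rule like `iptables -A INPUT -j LOG --log-prefix "DROP-IN "`), pulls out the flags and TOS, and classifies scan patterns that FW-1's first-packet-only, IP-and-port logging could not distinguish. The sample log lines, the hostname `fw`, the addresses and the `DROP-IN` prefix are all constructed for the example.

```python
"""Parse netfilter LOG-target lines and classify them (added example).

The field layout (IN= OUT= MAC= SRC= DST= LEN= TOS= PREC= TTL= ID= [DF]
PROTO= ... plus bare TCP flag words) is the one the iptables LOG target
emits; the sample lines, hosts, addresses and prefix below are made up.
"""
import re
from collections import Counter

# Constructed sample kernel-log excerpt (not real traffic).
SAMPLE_LOG = """\
May 13 14:08:01 fw kernel: DROP-IN IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3a:4f:1b:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=33221 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 13 14:08:01 fw kernel: DROP-IN IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3a:4f:1b:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4322 PROTO=TCP SPT=33222 DPT=23 WINDOW=1024 RES=0x00 FIN URGP=0
May 13 14:08:02 fw kernel: DROP-IN IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3a:4f:1b:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4323 PROTO=TCP SPT=33223 DPT=25 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
May 13 14:08:02 fw kernel: DROP-IN IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3a:4f:1b:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4324 PROTO=TCP SPT=33224 DPT=80 WINDOW=1024 RES=0x00 URGP=0
May 13 14:08:03 fw kernel: DROP-IN IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3a:4f:1b:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=1024 DPT=137 LEN=58
May 13 14:08:04 fw kernel: DROP-IN IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3a:4f:1b:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
May 13 14:08:05 fw sshd[512]: Accepted publickey for chris from 198.51.100.20
"""

# Flag words the LOG target prints for TCP, in the order it prints them.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Accept both "kernel: " and newer "kernel: [12345.678] " prefixes.
_KERNEL_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(.*)$")


def parse_log_line(line):
    """Return prefix, key=value fields, IP-level and TCP flags for one
    LOG-target line, or None if the line is not one."""
    m = _KERNEL_RE.search(line)
    if not m:
        return None
    tokens = m.group(1).split()
    try:
        start = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    except StopIteration:
        return None
    fields, ip_flags, tcp_flags = {}, set(), set()
    for tok in tokens[start:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN and ID appear twice for UDP/ICMP (IP header, then the
            # transport header); keep the first, IP-layer, value.
            fields.setdefault(key, val)
        elif tok in TCP_FLAGS:
            tcp_flags.add(tok)
        else:
            ip_flags.add(tok)  # DF, MF, CE
    return {
        "prefix": " ".join(tokens[:start]),   # the --log-prefix text
        "fields": fields,
        "ip_flags": ip_flags,
        "tcp_flags": tcp_flags,
        "tos": int(fields.get("TOS", "0x00"), 16),
    }


def classify(entry):
    """Name the flag pattern; this is what per-packet flag logging buys you."""
    proto = entry["fields"].get("PROTO", "?").upper()
    if proto != "TCP":
        return proto.lower()
    f = entry["tcp_flags"]
    if not f:
        return "null-scan"       # no flags at all is never a real session
    if "SYN" in f and "FIN" in f:
        return "syn-fin"         # mutually exclusive flags: crafted packet
    if {"FIN", "PSH", "URG"} <= f:
        return "xmas-scan"
    if f == {"SYN"}:
        return "syn"             # an ordinary blocked connection attempt
    if f == {"FIN"}:
        return "fin-scan"
    if f == {"ACK"}:
        return "ack-scan"        # unsolicited ACK; no state to match it
    return "other"


def summarize(log_text):
    """Count (source, classification) pairs over a log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_log_line(line)
        if e is not None:
            counts[(e["fields"].get("SRC"), classify(e))] += 1
    return counts


def scanners(log_text, min_ports=3):
    """Sources that probed at least min_ports distinct destination ports."""
    ports = {}
    for line in log_text.splitlines():
        e = parse_log_line(line)
        if e is not None and "DPT" in e["fields"]:
            ports.setdefault(e["fields"]["SRC"], set()).add(e["fields"]["DPT"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {kind:10} {n}")
    print("port scanners:", scanners(SAMPLE_LOG))
```

Feed it the kernel log (or pipe `dmesg` / the syslog file through it) instead of `SAMPLE_LOG`; the `classify` buckets are the sort of pattern swatch rules would key on, and the TOS and DF bits are kept so a 0x10 (minimize-delay) SYN to port 22 is distinguishable from a crafted probe.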


