Hardware Firewall Recommendation

Archived from groups: comp.security.firewalls (More info?)

Greetings,

I've been charged with the task of picking out a firewall appliance for
a group of about 100 systems. We don't need anything too fancy, but we
would like an easy to use VPN setup. I can spend ~$1000. If anybody
could point me to a few models to look at, that'd be great. I've
searched for reviews and feature comparisons, but I haven't had much
luck. Thanks!

--Steve
  1.

    Steve,

    I've worked with a WatchGuard Firebox recently. I was managing a WAN
    comprised of just a half dozen LANs connected by frame-relay--just a small
    network really. However, I must say I was rather impressed with the
    Firebox--great interface, set-and-forget configuration, etc. If you haven't
    been to their Web site, they have a Flash presentation. I think this is the
    link:

    http://www.watchguard.com

    Best regards,

    Todd Shillam
    Information Technology Consultant
    Shillam Technology
    WWW: http://shillamtechnology.point2this.com


    "Steve Taylor" <staylor@uidaho.edu> wrote in message
    news:caqjf0$v2$1@kestrel.csrv.uidaho.edu...
    Greetings,

    I've been charged with the task of picking out a firewall appliance for
    a group of about 100 systems. We don't need anything too fancy, but we
    would like an easy to use VPN setup. I can spend ~$1000. If anybody
    could point me to a few models to look at, that'd be great. I've
    searched for reviews and feature comparisons, but I haven't had much
    luck. Thanks!

    --Steve
  2.

    In article <caqjf0$v2$1@kestrel.csrv.uidaho.edu>, staylor@uidaho.edu
    says...
    > Greetings,
    >
    > I've been charged with the task of picking out a firewall appliance for
    > a group of about 100 systems. We don't need anything too fancy, but we
    > would like an easy to use VPN setup. I can spend ~$1000. If anybody
    > could point me to a few models to look at, that'd be great. I've
    > searched for reviews and feature comparisons, but I haven't had much
    > luck. Thanks!

    The firebox III/700 from WatchGuard is a good unit, but it's about $1600
    retail (USD). It has everything you could need including VPN remote user
    and branch office VPN ability. One of the nicest features, if you have
    your own email server, is the ability to strip attachments by extension
    from inbound email (before it gets to the server) - which prevents most
    viruses and worms from getting to your local computers.

    The Sonic units are also good, but I don't have current pricing on them.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  3.

    On Wed, 16 Jun 2004 16:00:47 -0700, Steve Taylor <staylor@uidaho.edu>
    wrote:
    >
    >I've been charged with the task of picking out a firewall appliance for
    >a group of about 100 systems. We don't need anything too fancy, but we
    >would like an easy to use VPN setup. I can spend ~$1000. If anybody
    >could point me to a few models to look at, that'd be great. I've
    >searched for reviews and feature comparisons, but I haven't had much
    >luck. Thanks!
    >

    As a reseller of the ZyXEL ZyWALL series of Firewall Appliances, I
    can't help but recommend the ZyWALL 70.

    You may find more info about it at the ZyXEL website:
    http://us.zyxel.com/products/model.php?indexcate=1073271397&indexFlagvalue=1021873683

    For pricing, have a look at our website:
    http://shopping.nowthor.com/0760559104146.html

    Thanks!

    Carlos Antunes
    Nowthor Corporation
  4.

    "Steve Taylor" <staylor@uidaho.edu> wrote in message
    news:caqjf0$v2$1@kestrel.csrv.uidaho.edu...
    > Greetings,
    >
    > I've been charged with the task of picking out a firewall appliance for
    > a group of about 100 systems. We don't need anything too fancy, but we
    > would like an easy to use VPN setup. I can spend ~$1000. If anybody
    > could point me to a few models to look at, that'd be great. I've
    > searched for reviews and feature comparisons, but I haven't had much
    > luck. Thanks!
    >
    > --Steve

    Unfortunately, for a network of that size, I think that realistically you
    should probably look at spending closer to about twice that, more in the
    $1500 - $2000 range. 100 systems is a decent number of systems, and you want
    gear that is designed for that type of environment rather than trying to
    shoehorn a cheaper, SOHO or 10 user type device into an actual network. Some
    gear you might want to check out:

    Sonicwall Pro 2040
    NetScreen 25 Baseline
    Watchguard Firebox X700
  5.

    Alec wrote:

    > "Steve Taylor" <staylor@uidaho.edu> wrote in message
    > news:caqjf0$v2$1@kestrel.csrv.uidaho.edu...
    >
    >>Greetings,
    >>
    >>I've been charged with the task of picking out a firewall appliance for
    >>a group of about 100 systems. We don't need anything too fancy, but we
    >>would like an easy to use VPN setup. I can spend ~$1000. If anybody
    >>could point me to a few models to look at, that'd be great. I've
    >>searched for reviews and feature comparisons, but I haven't had much
    >>luck. Thanks!
    >>
    >>--Steve
    >
    >
    > Unfortunately, for a network of that size, I think that realistically you
    > should probably look at spending closer to about twice that, more in the
    > $1500 - $2000 range. 100 systems is a decent number of systems, and you want
    > gear that is designed for that type of environment rather than trying to
    > shoehorn a cheaper, SOHO or 10 user type device into an actual network. Some
    > gear you might want to check out:
    >
    > Sonicwall Pro 2040
    > NetScreen 25 Baseline
    > Watchguard Firebox X700
    >
    >

    Everybody, thanks for the suggestions so far.

    I think I could manage $1500-$2000. The Firebox certainly looks like a
    good candidate. Anybody else have an opinion on the Firebox?

    Thanks.

    --Steve
  6.

    In article <casd0g$h8$1@kestrel.csrv.uidaho.edu>, staylor@uidaho.edu
    says...
    > I think I could manage $1500-$2000. The Firebox certainly looks like a
    > good candidate. Anybody else have an opinion on the Firebox?

    I hate to follow my own recommendation, but I've installed them at two
    state agencies, a utility company, a medical center, and about 30
    factories. I've also installed them at many assisted living centers,
    residences, small businesses, and know of one university that uses them
    in several areas.

    I have one in my own office and could not imagine anything better for
    the money.

    If you get one, and you have your own email server, make sure that you
    look into the SMTP Proxy for filtering attachments on inbound email - it
    will remove infectious attachments based on file extension (not
    actually detecting a virus) which has kept every client from being hit
    by any of the email viruses in the last 5 years.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  7.

    Leythos wrote:

    >look into the SMTP Proxy for filtering attachments on inbound email - it
    >will remove infectious attachments based on file extension (not
    >actually detecting a virus) which has kept every client from being hit
    >by any of the email viruses in the last 5 years.

    How did you manage Wallon.A? Just curious. I blocked the rds.yahoo
    addresses and had no problems. Logged several attempts from (l)users
    clicking on the e-mail links, but their interest died as the link
    timed out.

    Also, I believe you manage multiple firewalls, so how do you push
    updates like that to them?
  8.

    In article <77p4d0ha0ms0ca1hdhrrbfd2njugm59tdh@4ax.com>, mrozium@XSPAMX-
    yahoo.com says...
    > Leythos wrote:
    >
    > >look into the SMTP Proxy for filtering attachments on inbound email - it
    > >will remove infectious attachments based on file extension (not
    > >actually detecting a virus) which has kept every client from being hit
    > >by any of the email viruses in the last 5 years.
    >
    > How did you manage Wallon.A? Just curious. I blocked the rds.yahoo
    > addresses and had no problems. Logged several attempts from (l)users
    > clicking on the e-mail links, but their interest died as the link
    > timed out.

    Here is a description (from Symantec) of how it works:

    W32.Wallon.A@mm arrives as an email with a link in the message body. The
    email uses an Internet Explorer vulnerability, described in Microsoft
    Security Bulletin MS04-004, to display an obfuscated link. Clicking the
    link redirects the user to a Web site to download "wmplayer.exe" into
    the Windows Media Player folder. The Web site may attempt to exploit an
    Outlook Express vulnerability, described in Microsoft Security Bulletin
    MS04-013, to download and execute the file. Because the worm attempts to
    overwrite the Windows Media Player executable, any attempts to run
    Windows Media Player on an infected computer will execute a copy of the
    worm.


    Our users would have seen the email; since there was nothing in it but a
    link to a site, most would have just deleted the email - we send out
    messages every month about following links to things outside their
    company that come in email.

    For those that did select it, they would not have had a problem - we
    don't allow .exe or other types through the HTTP proxy service in the
    firewall.

    The WatchGuard firewalls have a HTTP proxy service that lets me
    deny/approve the following:

    1) Settings:
    Remove Client Connection Info
    Remove Cookies
    Deny Submissions
    Deny Java Applets
    Deny ActiveX Applets
    Remove unknown headers
    Log accounting/auditing information
    Require content type
    Idle timeout xxxxxx seconds

    2) Safe Content:
    Allow only safe content types
    (you can add types based on mime specs)
    Deny Unsafe Path Patterns
    (add site paths you want to block, not sites)

    3) Web Blocker - used to specify what content can be viewed
    4) Web Blocker Schedule - enable/disable at programmed times
    5) Web Blocker Operational Controls (what to filter when ON)
    6) Web Blocker non-Operational Controls (what to filter when OFF)
    7) WB Exceptions (permitted, denied) Add IP as needed

    For SMTP I have two filters - one is the Firewall SMTP service and the
    other is (depending on what email server they have, is to use Symantec
    Small Business Edition with Exchange Filter).

    WG SMTP Options includes some of the following:

    INBOUND RULES
    1) General
    Idle Timeout (XXXXXX seconds)
    Max Recipients (XXXX)
    Maximum Size (xxxxxxx KB)
    Line Length (xxxxx bytes)
    Address Validation (RFC-822 Compliance)
    Allow Characters (list of chars you permit in email addresses)
    Allow 8-Bit characters
    Allow Source-Routed Addresses
    2) Content Types
    Allow only safe content types
    (specify permitted types)
    Deny Attachments based on file name patterns
    (you can specify any pattern, includes wildcards)


    There are many more, but you get the idea from this set. With these two
    rules (and I didn't show how I have them setup, sorry) We've been able
    to block 100% of all viruses and worms to date.

    > Also, I believe you manage multiple firewalls, so how do you push
    > updates like that to them?

    We've not had to update the firewalls, the rules, once in place, are
    something that covers all of the problems that already come up. If you
    block .EXE you never have to go back and update the firewall to keep
    users from downloading and running .EXE over HTTP/HTTPS or SMTP.

    One more thing that we do is set "Auto block sites that attempt to
    connect to this service" and we set rules for ports 135, 139, and 445
    for these auto-block sites. Just another way to make sure that infected
    machines don't get past the firewall.

    Most of our customers either installed Exchange 2000 or already had
    Exchange servers, the SBE/Exchange filter from Symantec has done wonders
    for those users - even without the firewall it includes RBL functions,
    key word filters, subject and body word filtering, virus scanning,
    attachment blocking, etc... Great product for Exchange.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
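    The attachment-stripping rules described in the post above, modelled as an
    added example in Python. This is not WatchGuard code and not anything posted
    in this thread: the deny list of file name patterns, the allow list of
    content types and the sample inbound message are all constructed for the
    example. Every MIME part is checked first against the name patterns (so a
    double extension like invoice.pdf.exe is still caught), then against the
    safe content types, and anything that fails is removed from the message
    before it would reach the mail server.

```python
"""Extension-based inbound mail attachment filter (added example).

Models the "deny attachments based on file name patterns" and "allow only
safe content types" rules described above. Not WatchGuard code; the deny
list, the safe-type list and the sample message are constructed.
"""
import fnmatch
from email import message_from_string
from email.message import Message
from typing import List, Tuple

# Constructed deny list: shell-style patterns, matched case-insensitively
# against the whole file name, so "invoice.pdf.exe" is caught by "*.exe".
DENY_NAME_PATTERNS = ["*.exe", "*.scr", "*.pif", "*.com", "*.bat", "*.cmd", "*.vbs", "*.js"]

# Constructed allow list of content types; anything else is stripped.
# application/octet-stream is tolerated only because the name check runs first.
SAFE_CONTENT_TYPES = {
    "text/plain", "text/html", "application/pdf",
    "image/jpeg", "image/png", "application/octet-stream",
}


def attachment_name(part: Message) -> str:
    """Normalised file name of a part ('' if it has none).

    Windows ignores trailing spaces and dots when opening a file, so a name
    like "Setup.EXE ." still runs; strip them before matching.
    """
    return (part.get_filename() or "").lower().rstrip(" .")


def name_is_denied(name: str) -> bool:
    return any(fnmatch.fnmatch(name, pat) for pat in DENY_NAME_PATTERNS)


def _scrub(part: Message, stripped: List[str]) -> bool:
    """Return True if the part may stay; recurse into multiparts, dropping denied children."""
    if part.is_multipart():
        part.set_payload([child for child in part.get_payload() if _scrub(child, stripped)])
        return True
    name = attachment_name(part)
    ctype = part.get_content_type()
    if name and name_is_denied(name):
        stripped.append(f"{name}: denied by file name pattern")
        return False
    if ctype not in SAFE_CONTENT_TYPES:
        stripped.append(f"{name or '(unnamed)'}: content type {ctype} not in safe list")
        return False
    return True


def filter_message(raw: str) -> Tuple[Message, List[str]]:
    """Parse a raw inbound message and strip offending parts; returns (message, reasons)."""
    msg = message_from_string(raw)
    stripped: List[str] = []
    _scrub(msg, stripped)
    return msg, stripped


def kept_filenames(msg: Message) -> List[str]:
    return [attachment_name(p) for p in msg.walk() if not p.is_multipart() and attachment_name(p)]


# Constructed sample: one clean PDF plus three attachments the rules should catch.
SAMPLE_MESSAGE = """\
From: sender@example.test
To: user@example.test
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached files.
--XYZ
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ
Content-Type: application/x-msdownload
Content-Disposition: attachment; filename="Setup.EXE ."
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ
Content-Type: application/zip; name="archive.zip"
Content-Disposition: attachment; filename="archive.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

if __name__ == "__main__":
    message, reasons = filter_message(SAMPLE_MESSAGE)
    print("kept:", kept_filenames(message))
    for reason in reasons:
        print("stripped:", reason)
```

    Two things the post does not spell out show up in the sample: the name
    check has to normalise trailing dots and spaces and match the whole name,
    or a double extension slips past, and the filter never looks inside an
    archive, so a zip carrying an executable is only caught if the archive
    type itself is outside the safe list. Run stand-alone it prints the kept
    names and the three stripped parts.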
  9.

    Leythos wrote:

    >For those that did select it, they would not have had a problem - we
    >don't allow .exe or other types through the HTTP proxy service in the
    >firewall.

    Hmmm...I'm not so sure I'd feel safe running non-firewall programs
    like a HTTP proxy on my firewall. I feel more comfortable using Squid
    or ISA behind the firewall on a separate device.

    >We've not had to update the firewalls, the rules, once in place, are
    >something that covers all of the problems that already come up. If you
    >block .EXE you never have to go back and update the firewall to keep
    >users from downloading and running .EXE over HTTP/HTTPS or SMTP.

    I see. That would never work in any environment I've seen, as all the
    companies and government entities I provide security for *must* be
    able to download files, including executables. Especially for M$
    updates. Users are only allowed to run approved programs, but that
    rarely ever stops today's worms/viruses. Of course, that's one reason
    why it's so important to employ a good anti-virus solution.

    Also, I'm surprised you don't update your firewalls (patches, not
    rules). I'd sleep better knowing my firewalls and the computers
    behind them were up-to-date.

    >One more thing that we do is set "Auto block sites that attempt to
    >connect to this service" and we set rules for ports 135, 139, and 445
    >for these auto-block sites. Just another way to make sure that infected
    >machines don't get past the firewall.

    I'm with you there, 100%, but I go way past that. Time and rule wise.
    Almost any kind of hostile activity will immediately ban that IP
    address for roughly 3 days.
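    The auto-block behaviour discussed in the last two posts (a source that
    touches 135, 139 or 445 is cut off, for a fixed period rather than
    forever), written out as an added example in Python. It is not the code
    of any firewall mentioned here and not from either poster: the log line
    format, the probe-port list, the three-day window and the sample log are
    all constructed assumptions.

```python
"""Auto-block of sources probing 135/139/445, with a time-limited ban (added example).

Not WatchGuard or any vendor's code. The log line format, the probe-port list
and the three-day ban window are assumptions chosen to match the discussion above.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

PROBE_PORTS = {135, 139, 445}   # RPC/NetBIOS/SMB: the ports the worms of the day spread on
BAN_WINDOW = timedelta(days=3)

# Constructed format: "<ISO time> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> proto=<p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class AutoBlocker:
    banned: Dict[str, datetime] = field(default_factory=dict)  # source ip -> ban expiry

    def is_banned(self, src: str, now: datetime) -> bool:
        expiry = self.banned.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned[src]      # lazy expiry: lifted on the first check after it lapses
            return False
        return True

    def process(self, line: str) -> str:
        """Verdict for one log line: 'banned', 'ban', 'pass' or 'ignore'."""
        m = LOG_RE.match(line)
        if not m:
            return "ignore"
        now = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if self.is_banned(src, now):
            return "banned"          # everything from a banned source is dropped, whatever the port
        if int(m["dport"]) in PROBE_PORTS:
            # The attempt itself is the trigger, whether or not the rule base already denied it.
            self.banned[src] = now + BAN_WINDOW
            return "ban"
        return "pass"


def run(log: str) -> List[str]:
    """Feed every line of a log through one AutoBlocker and collect the verdicts."""
    blocker = AutoBlocker()
    return [blocker.process(line) for line in log.splitlines() if line.strip()]


# Constructed sample: one host probes SMB, is cut off for three days, then comes back.
SAMPLE_LOG = """\
2004-06-19T10:00:00 DENY 203.0.113.7:3412 -> 192.0.2.10:445 proto=tcp
2004-06-19T10:00:01 ALLOW 203.0.113.7:3413 -> 192.0.2.10:80 proto=tcp
2004-06-19T10:05:00 ALLOW 198.51.100.4:4000 -> 192.0.2.10:80 proto=tcp
2004-06-22T09:59:59 ALLOW 203.0.113.7:3500 -> 192.0.2.10:80 proto=tcp
2004-06-22T10:00:00 ALLOW 203.0.113.7:3501 -> 192.0.2.10:80 proto=tcp
garbage line
"""

if __name__ == "__main__":
    for entry, verdict in zip(SAMPLE_LOG.splitlines(), run(SAMPLE_LOG)):
        print(f"{verdict:7} {entry}")
```

    The ban is keyed on source address alone, which is what makes it useful
    against an infected machine scanning outward, and also what makes it
    dangerous: a probe with a spoofed source, or one relayed through a shared
    NAT address, gets a third party banned for the whole window, so the
    expiry and an exception list for update servers and business partners are
    not optional.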
  10.

    On 19 Jun 2004 00:19:57 -0500, Micheal Robert Zium spoketh

    >Leythos wrote:
    >
    >>For those that did select it, they would not have had a problem - we
    >>don't allow .exe or other types through the HTTP proxy service in the
    >>firewall.
    >
    >Hmmm...I'm not so sure I'd feel safe running non-firewall programs
    >like a HTTP proxy on my firewall. I feel more comfortable using Squid
    >or ISA behind the firewall on a separate device.

    Some firewalls use application proxies rather than packet filters. So,
    that would make it very much a "firewall" program on the firewall.


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  11.

    In article <rvc7d0tk3ua56p917sa8vt0tb99uhgj6kt@4ax.com>, mrozium@XSPAMX-
    yahoo.com says...
    > Leythos wrote:
    >
    > >For those that did select it, they would not have had a problem - we
    > >don't allow .exe or other types through the HTTP proxy service in the
    > >firewall.
    >
    > Hmmm...I'm not so sure I'd feel safe running non-firewall programs
    > like a HTTP proxy on my firewall. I feel more comfortable using Squid
    > or ISA behind the firewall on a separate device.

    The appliance has the proxy as one of the rules you can use - it's a
    better option than a system running an app to do it. Less chance of it
    breaking or being misconfigured - less chance of a parts failure too.

    > >We've not had to update the firewalls, the rules, once in place, are
    > >something that covers all of the problems that already come up. If you
    > >block .EXE you never have to go back and update the firewall to keep
    > >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
    >
    > I see. That would never work in any environment I've seen, as all the
    > companies and government entities I provide security for *must* be
    > able to download files, including executables. Especially for M$
    > updates. Users are only allowed to run approved programs, but that
    > rarely ever stops today's worms/viruses. Of course, that's one reason
    > why it's so important to employ a good anti-virus solution.

    AV is a day late in most cases - the definition files don't come out for
    the new viruses until a day after they hit the mainstream.

    The updates from MS can easily be configured to pass through the
    firewall - as I mentioned earlier, the blocking has exception lists and
    it's easy to configure exceptions for all blocking. We run updates every
    night.

    If you have your block rules setup properly your people will not be
    stopped from doing anything they are permitted to do, including updates,
    but they will be protected from almost all of the bad files out there.
    Remember, virus updates are reactionary, they don't protect you until
    the virus is "known" by the vendor that provides your updates.

    > Also, I'm surprised you don't update your firewalls (patches, not
    > rules). I'd sleep better knowing my firewalls and the computers
    > behind them were up-to-date.

    Up to date and needing an update are two different things - we don't
    blindly apply updates, even Windows updates, on every machine. When you
    look at the update, unless it does something for your needs you don't
    have to apply it. In the case of WG, there have not been any security
    related updates to the firmware in a long time. Yes, they've come out
    with newer rev's and nicer features, but the updates don't change
    anything in the security options that most of our clients' setups use.

    I'm sure you've seen updates, esp. from MS, cause problems - In general,
    every workstation at a generic desk updates every evening. Developers
    workstations update as the update is tested on a test machine. Servers
    get updates after the update is tested also.

    > >One more thing that we do is set "Auto block sites that attempt to
    > >connect to this service" and we set rules for ports 135, 139, and 445
    > >for these auto-block sites. Just another way to make sure that infected
    > >machines don't get past the firewall.
    >
    > I'm with you there, 100%, but I go way past that. Time and rule wise.
    > Almost any kind of hostile activity will immediately ban that IP
    > address for roughly 3 days.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  12.

    Lars M. Hansen wrote:

    >Some firewalls use application proxies rather than packet filters. So,
    >that would make it very much a "firewall" program on the firewall.

    Really? Could you provide some examples? Thank you.
  13.

    Leythos wrote:

    >The appliance has the proxy as one of the rules you can use - it's a
    >better option than a system running a app to do it. Less chance of it
    >breaking or being misconfigured - less chance of a parts failure too.

    Understand that I'm not trying to be argumentative, but claiming that
    an appliance has the exclusive distinction of being less likely to
    fail or be misconfigured is taking great liberties with the truth.
    Anything that can be configured can be misconfigured. Just because
    it's "point-and-click" doesn't make it less likely to be
    misconfigured. The person responsible for the configuration is the
    mitigating factor here, not software. Untrained people should not
    configure firewalls. Parts failure is pretty much a non-issue. Do
    you run your servers on appliances? I've heard those battle cries,
    and quite frankly, neither hold much water today.

    >> >We've not had to update the firewalls, the rules, once in place, are
    >> >something that covers all of the problems that already come up. If you
    >> >block .EXE you never have to go back and update the firewall to keep
    >> >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
    >>
    >> I see. That would never work in any environment I've seen, as all the
    >> companies and government entities I provide security for *must* be
    >> able to download files, including executables. Especially for M$
    >> updates. Users are only allowed to run approved programs, but that
    >> rarely ever stops today's worms/viruses. Of course, that's one reason
    >> why it's so important to employ a good anti-virus solution.
    >
    >AV is a day late in most cases - the definition files don't come out for
    >the new viruses until a day after they hit the mainstream.

    I agree, but I still use it. Don't you? Besides, it's hardly a
    firewall's job to provide anti-virus solutions. Otherwise, we'd be
    constantly updating our firewalls, right?

    >The updates from MS can easily be configured to pass through the
    >firewall - as I mentioned earlier, the blocking has exception lists and
    >it's easy to configure exceptions for all blocking. We run updates every
    >night.

    No, you didn't mention it. You said you block .EXE. I took you at
    your word. To quote your earlier post:
    >For those that did select it, they would not have had a problem - we
    >don't allow .exe or other types through the HTTP proxy service in the
    >firewall.
    And then later in the same post you said:
    >If you block .EXE you never have to go back and update the firewall to keep
    >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
    I wondered how you managed not allowing downloading .exe files. Now
    you have me wondering about why you would claim "set-and-forget", yet
    talk about configuring exceptions. Quite perplexing indeed. Please
    understand that I'm not trying to nit-pick you to death, but you've
    made some great claims, and I was wondering if I should jump ship. I'm
    far from being convinced. Maybe it's just me, but I see some glaring
    inconsistencies in your statements.

    >If you have your block rules setup properly your people will not be
    >stopped from doing anything they are permitted to do, including updates,
    >but they will be protected from almost all of the bad files out there.

    I couldn't agree more. But now you're straying waaaaay away from the
    simple "Less chance of it breaking or being misconfigured...".
    Unless, of course, your customers have simple needs when it comes to
    downloading executable files. A single customer of mine may have more
    than two dozen different programs on different computers and/or
    servers requiring updates or patches from as many (or more) sites
    and/or service providers. I guess my customer's requirements are much
    different than yours. Or, maybe your appliance has a magical rule
    applicator? Seriously, how would you manage without creating an
    exception for each requirement?

    >Remember, virus updates are reactionary, they don't protect you until
    >the virus is "known" by the vendor that provides your updates.

    I agree. You're preaching to the choir.

    >> Also, I'm surprised you don't update your firewalls (patches, not
    >> rules). I'd sleep better knowing my firewalls and the computers
    >> behind them were up-to-date.
    >
    >Up to date and needing an update are two different things - we don't
    >blindly apply updates, even Windows updates, on every machine. When you
    >look at the update, unless it does something for your needs you don't
    >have to apply it.

    I'm with you there (again) 100%. But how do you find the time to
    review and apply daily updates? Remember, you said:
    >In general, every workstation at a generic desk updates every evening.
    Like Lewis Carroll wrote: "Curiouser and Curiouser". Unless you mean
    you only blindly apply M$ updates to generic boxes.

    >In the case of WG, there have not been any security
    >related updates to the firmware in a long time. Yes, they've come out
    >with newer rev's and nicer features, but the updates don't change
    >anything in the security options that most of our clients setups.

    Ummm...ok. I'll take your word on that. I guess you don't use the
    V-Class products. This is taken from their site:
    >WatchGuard® Vclass products 22 April 2004
    >WatchGuard Vclass Version 5.1.1 sp1 includes security enhancements
    >to your product.
    Maybe it's not a firmware update. Wait, what else could it be?


    To basically sum it up, we both are trying to accomplish the same task
    (more or less), yet we use quite different methods and tools. For
    instance, you choose an appliance as a single point-of-failure, and I
    prefer to use specific tools for specific jobs. Choice is great,
    wouldn't you say?
  14.

    Take a look at smoothwall express (free, GPL) at www.smoothwall.org &
    Smoothwall Corporate Server (Commercial, supports express).

    I personally use express at home and have had no troubles, I would
    thoroughly recommend smoothwall to anybody in need of a GREAT
    firewall.

    samuel
  15.

    On 20 Jun 2004 00:39:11 -0500, Micheal Robert Zium spoketh

    >Lars M. Hansen wrote:
    >
    >>Some firewalls use application proxies rather than packet filters. So,
    >>that would make it very much a "firewall" program on the firewall.
    >
    >Really? Could you provide some examples? Thank you.

    Symantec Enterprise Firewall (formerly Axent Raptor) uses proxies for
    several protocols, such as HTTP, SMTP, FTP, Telnet and possibly H.323.
    This allows for better control of what goes through the firewall, and
    that it complies with protocol specifications.

    For HTTP, that means you can block "post" while allowing "get", as well as
    specifying url filters to prevent uploads/downloads of specific urls
    (one that was recommended was to filter out cmd.exe to block out
    Nimda/Code Red).

    For SMTP, you had the option to block certain commands, such as VRFY and
    EXPN, set limits on the number of recipients, check against blackhole
    lists...

    I think Leythos has mentioned on several occasions that the Watchguard
    line of firewalls also uses proxies, at least for http.


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
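    The per-protocol controls the post above attributes to an application
    proxy (refuse POST but pass GET, deny request targets such as cmd.exe,
    refuse VRFY and EXPN, cap the recipient count), as an added example in
    Python. It is not Symantec Enterprise Firewall or WatchGuard code and not
    from anyone in this thread; the method list, the path patterns, the SMTP
    reply codes and the sample traffic are constructed. The HTTP check also
    decodes the target twice before matching, which the post does not mention
    but which the Nimda request it refers to depends on.

```python
"""Application-proxy request policy for HTTP and SMTP (added example).

Models the per-protocol controls described above: allow GET but refuse POST,
deny request targets such as cmd.exe, refuse the SMTP VRFY/EXPN commands and
cap the recipient count. Not Symantec Enterprise Firewall or WatchGuard code;
the rule sets, reply codes and sample traffic are constructed for illustration.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

HTTP_ALLOWED_METHODS = {"GET", "HEAD"}

# Constructed deny patterns, applied to the request target after decoding.
HTTP_DENIED_PATH_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"/cmd\.exe",      # Nimda / Code Red II: traversal to the command interpreter
        r"/root\.exe",     # Code Red II: its renamed copy of cmd.exe
        r"/default\.ida",  # Code Red: the .ida ISAPI overflow request
        r"\.\./",          # any directory traversal that survives decoding
    )
]

SMTP_DENIED_COMMANDS = {"VRFY", "EXPN"}  # account enumeration; refuse rather than proxy


def http_verdict(request_line: str) -> Tuple[bool, str]:
    """Decide whether one HTTP request line may be forwarded. Returns (allowed, reason)."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"        # a proxy enforces the protocol grammar too
    method, target, _version = parts
    if method not in HTTP_ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    # Decode twice before matching: Nimda sent %255c, which one decode turns into
    # %5c and only a second decode turns into the backslash the server acts on.
    decoded = unquote(unquote(target)).replace("\\", "/")
    for pattern in HTTP_DENIED_PATH_PATTERNS:
        if pattern.search(decoded):
            return False, f"target matches denied pattern {pattern.pattern}"
    return True, "ok"


def smtp_session_verdicts(commands: List[str], max_recipients: int = 50) -> List[Tuple[str, str]]:
    """Apply the SMTP policy to a client's command sequence; returns (command, proxy reply) pairs.

    Only the policy decisions are modelled; everything else gets a placeholder
    250 so the result reads like a session transcript.
    """
    replies: List[Tuple[str, str]] = []
    recipients = 0
    for cmd in commands:
        verb = cmd.split(" ", 1)[0].rstrip(":").upper()
        if verb in SMTP_DENIED_COMMANDS:
            replies.append((cmd, "502 5.5.1 command not implemented"))
        elif verb == "MAIL":
            recipients = 0                              # a new envelope resets the count
            replies.append((cmd, "250 2.1.0 ok"))
        elif verb == "RCPT":
            recipients += 1
            if recipients > max_recipients:
                replies.append((cmd, "452 4.5.3 too many recipients"))
            else:
                replies.append((cmd, "250 2.1.5 ok"))
        else:
            replies.append((cmd, "250 ok"))
    return replies


# Constructed sample traffic.
SAMPLE_HTTP = [
    "GET /index.html HTTP/1.0",
    "POST /upload.cgi HTTP/1.1",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0",
]
SAMPLE_SMTP = ["HELO mx.example.test", "VRFY root", "EXPN staff",
               "MAIL FROM:<a@example.test>", "RCPT TO:<b@example.test>"]

if __name__ == "__main__":
    for line in SAMPLE_HTTP:
        print(http_verdict(line), line)
    for cmd, reply in smtp_session_verdicts(SAMPLE_SMTP):
        print(f"C: {cmd}\nS: {reply}")
```

    The 502 reply to VRFY and EXPN is the same answer a server that simply
    lacks the commands would give, so the proxy does not itself reveal which
    accounts exist; the recipient cap resets per envelope, which is what
    stops one session from expanding into a mass mailing while still letting
    a normal multi-recipient message through.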
  16.

    In article <6j9ad01jnoh069hs70d5llf73579vkmhk7@4ax.com>, mrozium@XSPAMX-
    yahoo.com says...
    > Leythos wrote:
    >
    > >The appliance has the proxy as one of the rules you can use - it's a
    > >better option than a system running a app to do it. Less chance of it
    > >breaking or being misconfigured - less chance of a parts failure too.
    >
    > Understand that I'm not trying to be argumentative, but claiming that
    > an appliance has the exclusive distinction of being less likely to
    > fail or be misconfigured is taking great liberties with the truth.
    > Anything that can be configured can be misconfigured. Just because
    > it's "point-and-click" doesn't make it less likely to be
    > misconfigured. The person responsible for the configuration is the
    > mitigating factor here, not software. Untrained people should not
    > configure firewalls. Parts failure is pretty much a non-issue. Do
    > you run your servers on appliances? I've heard those battle cries,
    > and quite frankly, neither hold much water today.

    Taking your statement - anything that can be configured can be
    "misconfigured" - there are MANY more things to misconfigure on a PC
    based OS/Firewall combination than on an appliance. Now that we've settled
    that an appliance is less likely to be misconfigured, we have the number
    of parts - the appliance is almost always going to have fewer parts, and
    the parts it does have are more likely to be of higher quality than
    those in a PC/OS based firewall. Assuming the same level of competence
    in the individual, you are statistically less likely to have a problem
    with the appliance than the PC based firewall system.

    > >> >We've not had to update the firewalls, the rules, once in place, are
    > >> >something that covers all of the problems that already come up. If you
    > >> >block .EXE you never have to go back and update the firewall to keep
    > >> >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
    > >>
    > >> I see. That would never work in any environment I've seen, as all the
    > >> companies and government entities I provide security for *must* be
    > >> able to download files, including executables. Especially for M$
    > >> updates. Users are only allowed to run approved programs, but that
    > >> rarely ever stops today's worms/viruses. Of course, that's one reason
    > >> why it's so important to employ a good anti-virus solution.
    > >
    > >AV is a day late in most cases - the definition files don't come out for
    > >the new viruses until a day after they hit the mainstream.
    >
    > I agree, but I still use it. Don't you? Besides, it's hardly a
    > firewall's job to provide anti-virus solutions. Otherwise, we'd be
    > constantly updating our firewalls, right?

    Where did you get the idea that I don't use AV software - I've used AV
    software on every computer everywhere. In fact, I happen to like the
    Symantec Small Business Edition 8.1 / Exchange platform. As I said, they
    are reactionary when it comes to NEW virus definitions. A properly
    configured attachment filter based on extensions will prevent more email
    based viruses than a definition file (due to the delay in creating
    definitions for new viruses).

    One thing that WG has done since the early days is provide the ability
    to filter email attachments - no other vendor offered this feature at
    the time, and many still don't. This one feature alone has saved more
    clients than any other measure I know of. Even when you have AV
    software, the updates come out AFTER the virus is known, and that can be
    several days or more. If you block executable attachments of all types
    then you are 200% ahead of the battle.

    > >The updates from MS can easily be configured to pass through the
    > >firewall - as I mentioned earlier, the blocking has exception lists and
    > >it's easy to configure exceptions for all blocking. We run updates every
    > >night.
    >
    > No, you didn't mention it. You said you block .EXE. I took you at
    > your word. To quote your earlier post:
    > >For those that did select it, they would not have had a problem - we
    > >don't allow .exe or other types through the HTTP proxy service in the
    > >firewall.
    > And then later in the same post you said:
    > >If you block .EXE you never have to go back and update the firewall to keep
    > >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
    >
    > I wondered how you managed not allowing downloading .exe files. Now
    > you have me wondering about why you would claim "set-and-forget", yet
    > talk about configuring exceptions. Quite perplexing indeed. Please
    > understand that I'm not trying to nit-pick you to death, but you've
    > made some great claims, and I was wondering if I should jump ship. I'm
    > far from being convinced. Maybe it's just me, but I see some glaring
    > inconsistencies in your statements.

    How can it be perplexing - you configure web filter exceptions for
    specific locations and then you can forget about it for a while. I have
    exceptions for windows update, MSDN Subscriber sections, Symantec, IBM's
    download site, HP's download site, and several others that are trusted
    sites. This is all common practice when you use web blocking.

    > >If you have your block rules setup properly your people will not be
    > >stopped from doing anything they are permitted to do, including updates,
    > >but they will be protected from almost all of the bad files out there.
    >
    > I couldn't agree more. But now you're straying waaaaay away from the
    > simple "Less chance of it breaking or being misconfigured...".
    > Unless, of course, your customers have simple needs when it comes to
    > downloading executable files. A single customer of mine may have more
    > than two dozen different programs on different computers and/or
    > servers requiring updates or patches from as many (or more) sites
    > and/or service providers. I guess my customer's requirements are much
    > different than yours. Or, maybe your appliance has a magical rule
    > applicator? Seriously, how would you manage without creating an
    > exception for each requirement?

    Nope, it's actually very simple - base set of rules, base set of known
    exceptions that almost everyone would know about anyway (at least any
    half-IT type would).

    I have customers in both the business and industrial sectors, developers
    and office workers, never been a problem. Sure, you might get a call
    next year saying that we've added this application suite to our
    development platform and can't get updates (because the company that
    does the updates uses raw .EXE files), so you remotely connect to the
    firewall, add the exception to their web filter, and it's done - 15
    minutes work.

    As for your 24 applications that need updates from as many companies,
    that's part of the initial assessment you are supposed to do before you
    install a firewall. You need to determine what the customers are doing
    on the net, what they need for protection, what they do inside the
    network, what departments need to be isolated from each other, etc.... Once
    you have your list you review it with the customer (or focus group) and
    lay out the basic rules and exceptions. I can configure web exceptions,
    24 of them, in about 5 minutes using the simple, easy, exception GUI
    that's included in the management interface (so could a user with a
    little experience).

    There is one other way to determine what exceptions are needed - block
    everything and wait for the complaints to start rolling in :)

    >
    > >Remember, virus updates are reactionary, they don't protect you until
    > >the virus is "known" but the vendor that provides your updates.
    >
    > I agree. You're preaching to the choir.
    >
    > >> Also, I'm surprised you don't update your firewalls (patches, not
    > >> rules). I'd sleep better knowing my firewalls and the computers
    > >> behind them were up-to-date.
    > >
    > >Up to date and needing an update are two different things - we don't
    > >blindly apply updates, even Windows updates, on every machine. When you
    > >look at the update, unless it does something for your needs you don't
    > >have to apply it.
    >
    > I'm with you there (again) 100%. But how do you find the time to
    > review and apply daily updates? Remember, you said:
    > >In general, every workstation at a generic desk updates every evening.
    > Like Lewis Carroll wrote: "Curiouser and Curiouser". Unless you mean
    > you only blindly apply M$ updates to generic boxes.

    Yep, most of the workstations in an office are not critical development
    systems, they are office workers systems - they get updated between 2AM
    and 5AM (spreading the internet load) every day. The critical machines,
    servers, development systems, get updated after a review/test is done,
    which has nothing to do with the firewall. We have ghost images of the
    office workstations, all of them are clones of each other, that can be
    restored in 10 minutes in most cases, so if an auto-updated patch from MS
    trashes them we can get them back to a last-configured roll out state
    quickly - and you can uninstall updates too.

    As for finding the time - it's part of the business, at least if you
    care about your production servers and your development team. As an
    example, I got a call that a client is switching to MAS-200, and wants
    to run it on their 2003 server. I took it to my office (MAS-200),
    installed 2003 on a test server, added the services that they are
    running, then did a couple installs/uninstalls of MAS-200. I took notes
    of everything and any issues (install was smooth). Now when I go back to
    the client's server there should be no unknowns reaching out to my neck.
    As for the time, we get paid for it, they expect us to keep them from
    having down-time and testing is one strong method for doing that.

    > >In the case of WG, there have not been any security
    > >related updates to the firmware in a long time. Yes, they've come out
    > >with newer rev's and nicer features, but the updates don't change
    > >anything in the security options that most of our clients setups.
    >
    > Ummm...ok. I'll take your word on that. I guess you don't use the
    > V-Class products. This is taken from their site:
    > >WatchGuard® Vclass products 22 April 2004
    > >WatchGuard Vclass Version 5.1.1 sp1 includes security enhancements
    > >to your product.
    > Maybe it's not a firmware update. Wait, what else could it be?

    And did you read the update - was the update something that applied to
    your situation? See, you can't just blindly apply updates, it's not good
    to apply them to critical machines unless they do something to fix a
    problem you are having or that needs to be addressed right away. I've not
    installed any of the V-Class units for customers, even state agencies
    have not needed the power/features they have. The standard Firebox line
    has served everyone quite well these last 7+ years - now going to the X
    line.

    > To basically sum it up, we both are trying to accomplish the same task
    > (more or less), yet we use quite different methods and tools. For
    > instance, you choose an appliance as a single point-of-failure, and I
    > prefer to use specific tools for specific jobs. Choice is great,
    > wouldn't you say?

    Yes, choice is what it's all about. I look at the cost of maintaining
    the security system, licensing, etc... I choose appliances because I
    have never had one die on me yet, and I can hardly state that about a PC
    over the last 7+ years that I've been using the WG FB line of firewalls.
    For customers that can't afford to be down, they have a spare unit
    sitting, fully configured, online and ready to swap into place. For
    customers that can handle the down-time they just order another unit
    from the vendor or reseller and have it in 12 hours - the nice thing is
    that the configs are easily upgraded between versions so that you don't
    really have to do anything other than load the config and you're done.
    As I said, I've not had one FB go bad in all of these years, so it's not
    been an issue being a single point of failure. I have a firebox II in my
    home, it's almost 8 years old and works perfectly.

    Choice is great, but making the right choice is all that's important to
    customers.

    Don't get me wrong, I still like FW-1 and some of the others, but I've
    not seen a single instance where an appliance could not do the same
    thing.


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
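An added example (my own Python, not WatchGuard's code) of the two policies Leythos describes above: block attachments by executable extension regardless of AV definitions, and exempt specific trusted download sites on the HTTP side. The extension list and the exception hostnames are constructed placeholders.

```python
"""Extension-based attachment/download filter with a trusted-site exception list.

Added example, not vendor code. The SMTP side blocks any executable suffix in
the filename (so 'invoice.pdf.exe' and 'report.exe.' are both caught); the HTTP
side applies the same rule but lets listed update hosts through, mirroring the
'block .EXE, then add known exceptions' practice discussed in the thread.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Extensions treated as executable content. Constructed list; tune per site.
BLOCKED_EXTENSIONS = frozenset({
    "exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "jse", "wsf",
    "hta", "cpl", "msi", "dll",
})

# Hosts exempt from the executable block: constructed placeholders standing in
# for the vendor update sites named in the thread.
TRUSTED_DOWNLOAD_HOSTS = frozenset({
    "update.example-vendor.test",
    "downloads.example-av.test",
})


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def _extensions(filename: str) -> list[str]:
    """All dotted suffixes, lowercased: 'a.pdf.EXE' -> ['pdf', 'exe'].

    Trailing dots and spaces are stripped first because Windows ignores them
    when resolving the file type ('report.exe.' still runs as .exe).
    """
    name = filename.strip().rstrip(". ")
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]


def check_attachment(filename: str) -> Verdict:
    """SMTP policy: any executable suffix anywhere in the name blocks.

    Deliberately conservative: 'setup.exe.txt' is blocked too, which is the
    trade-off the thread accepts in exchange for not depending on AV updates.
    """
    for ext in _extensions(filename):
        if ext in BLOCKED_EXTENSIONS:
            return Verdict(False, f"executable extension .{ext} in {filename!r}")
    return Verdict(True, "no executable extension")


def check_download(url: str) -> Verdict:
    """HTTP proxy policy: same extension rule, but trusted hosts are exempt."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    if host in TRUSTED_DOWNLOAD_HOSTS:
        return Verdict(True, f"host {host} is on the exception list")
    verdict = check_attachment(filename)
    if not verdict.allowed:
        return Verdict(False, f"{verdict.reason} from untrusted host {host}")
    return verdict


if __name__ == "__main__":
    for name in ("quarterly-report.pdf", "invoice.pdf.exe", "Update.SCR."):
        print(name, "->", check_attachment(name))
    for url in ("http://update.example-vendor.test/patches/kb000.exe",
                "http://www.example.test/free-stuff/game.exe"):
        print(url, "->", check_download(url))
```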
  17. Archived from groups: comp.security.firewalls (More info?)

    In article <67sad0hqceuiik1du96kosv8cnllu8hsis@4ax.com>,
    badnews@hansenonline.net says...
    > I think Leythos have mentioned on several occasions that the Watchguard
    > line of firewalls also uses proxies, at least for http.

    Yes, for both HTTP and SMTP. It was the first vendor to provide this
    functionality in a box that I know of.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  18. Archived from groups: comp.security.firewalls (More info?)

    "Micheal Robert Zium" <mrozium@XSPAMX-yahoo.com> wrote in message
    news:rvc7d0tk3ua56p917sa8vt0tb99uhgj6kt@4ax.com...
    > Leythos wrote:

    > >One more thing that we do is set "Auto block sites that attempt to
    > >connect to this service" and we set rules for ports 135, 139, and 445
    > >for these auto-block sites. Just another way to make sure that infected
    > >machines don't get past the firewall.
    >
    > I'm with you there, 100%, but I go way past that. Time and rule wise.
    > Almost any kind of hostile activity will immediately ban that IP
    > address for roughly 3 days.
    >

    Ok, guys, I had a question about this practice. Certainly, I understand the
    intent, but don't you ever worry about the implicit denial-of-service
    potential of this? I can think of multiple reasons why I would not want to
    lock out a specific IP address for 3 days! Off of the top of my head: 1) the
    use of a spoofed IP address, 2) the use of corporate or ISP-based proxies,
    3) the use of corporate NAT'ing, and 4) the use of DHCP address leasing. It
    seems to me that any or all of these reasons could cause you to, in fact,
    deny access for potentially legitimate users; with the most egregious
    potential problem being from a proxied or NAT address that may represent
    a large number of potential users. I understand the desire to actively block
    hostile traffic, but a 3 day filter certainly seems excessive to me... but
    maybe I'm just misunderstanding the policy, the situation, and the traffic
    actually involved.

    Alec
  19. Archived from groups: comp.security.firewalls (More info?)

    In article <j3oBc.2047$R62.1335@newssvr23.news.prodigy.com>,
    alec@nospam.com says...
    >
    > "Micheal Robert Zium" <mrozium@XSPAMX-yahoo.com> wrote in message
    > news:rvc7d0tk3ua56p917sa8vt0tb99uhgj6kt@4ax.com...
    > > Leythos wrote:
    >
    > > >One more thing that we do is set "Auto block sites that attempt to
    > > >connect to this service" and we set rules for ports 135, 139, and 445
    > > >for these auto-block sites. Just another way to make sure that infected
    > > >machines don't get past the firewall.
    > >
    > > I'm with you there, 100%, but I go way past that. Time and rule wise.
    > > Almost any kind of hostile activity will immediately ban that IP
    > > address for roughly 3 days.
    > >
    >
    > Ok, guys, I had a question about this practice. Certainly, I understand the
    > intent, but don't you ever worry about the implicit denial-of-service
    > potential of this? I can think of multiple reasons why I would not want to
    > lock out a specific IP address for 3 days! Off of the top of my head: 1) the
    > use of a spoofed IP address, 2) the use of corporate or ISP-based proxies,
    > 3) the use of corporate NAT'ing, and 4) the use of DHCP address leasing. It
    > seems to me that any or all of these reasons could cause you to, in fact,
    > deny access for potentially legitimate users; with the most egregious
    > potential problem being from a proxied or NAT address that may represent
    > a large number of potential users. I understand the desire to actively block
    > hostile traffic, but a 3 day filter certainly seems excessive to me... but
    > maybe I'm just misunderstanding the policy, the situation, and the traffic
    > actually involved.

    Alec, I only set my blocks for 20 minutes, and I stick with the practice.
    As for the scenarios you suggested, if a corporate user is so hacked
    that they get 135, 139, or 445 out of their network to my firewalls I
    don't really want them to access me, at least I don't really care if
    they can make it to our sites or not.

    DHCP, most users are not going to be impacted by a 20 minute block, and
    if they are, again, I don't really care.

    Spoofed addresses - not seeing it as a problem in our block lists. In
    most cases, we only have 20~80 active blocks at any given time.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
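An added example (my own Python, not WatchGuard or IPCop code) of the auto-block practice argued over in the last few posts: a source that probes TCP 135/139/445 is blocked for a fixed window, after which the entry expires by itself. Replaying the same constructed log with a 20-minute TTL and a 3-day TTL shows how the block duration bounds the collateral damage Alec raises for NAT, proxy and DHCP sources. The log format and addresses are constructed for this example.

```python
"""Time-limited auto-block list fed by denied-connection log lines.

Added example, not vendor code. Each probe of a trigger port (re)arms a block
for the source address; the entry expires after the TTL without any manual
cleanup, which is what keeps a 20-minute block from turning into the 3-day
lockout of a whole NAT'd office that Alec worries about.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

TRIGGER_PORTS = frozenset({135, 139, 445})  # NetBIOS/SMB probes, as in the thread
BLOCK_TTL_MINUTES = 20                       # the duration Leythos uses

# Constructed log format for this example, not a real vendor format:
# "<ISO-8601 time> DENY <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
_LINE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2004-06-20T10:00:00 DENY 203.0.113.7:3120 -> 198.51.100.2:445",
    "2004-06-20T10:00:01 DENY 203.0.113.7:3121 -> 198.51.100.2:139",
    "2004-06-20T10:05:00 DENY 192.0.2.44:51000 -> 198.51.100.2:80",
    "2004-06-20T10:30:00 DENY 203.0.113.9:1033 -> 198.51.100.2:135",
]


class AutoBlockList:
    """Blocked sources keyed by address, each with an expiry time."""

    def __init__(self, ttl_minutes: int = BLOCK_TTL_MINUTES) -> None:
        self.ttl = timedelta(minutes=ttl_minutes)
        self._expires: dict[str, datetime] = {}

    def observe(self, line: str) -> bool:
        """Feed one denied-connection line; True if it (re)armed a block.

        A repeat probe pushes the expiry forward, so a source that keeps
        scanning stays blocked while one that stops is released after the TTL.
        """
        m = _LINE.match(line)
        if m is None or int(m["dport"]) not in TRIGGER_PORTS:
            return False
        seen = datetime.fromisoformat(m["ts"])
        self._expires[m["src"]] = seen + self.ttl
        return True

    def is_blocked(self, src: str, now: str) -> bool:
        """Is `src` still blocked at ISO-8601 time `now`? Expired entries are dropped."""
        expiry = self._expires.get(src)
        if expiry is None:
            return False
        if datetime.fromisoformat(now) >= expiry:
            del self._expires[src]
            return False
        return True

    def active(self, now: str) -> list[str]:
        """Sorted list of sources still blocked at `now`."""
        return sorted(s for s in list(self._expires) if self.is_blocked(s, now))


def replay(lines: list[str], ttl_minutes: int = BLOCK_TTL_MINUTES) -> AutoBlockList:
    """Build the block list by replaying a log with the given block duration."""
    abl = AutoBlockList(ttl_minutes)
    for line in lines:
        abl.observe(line)
    return abl


if __name__ == "__main__":
    short = replay(SAMPLE_LOG)
    print("20 min TTL, blocked at 10:35:", short.active("2004-06-20T10:35:00"))
    long_ban = replay(SAMPLE_LOG, ttl_minutes=3 * 24 * 60)
    print("3 day TTL, blocked two days later:",
          long_ban.active("2004-06-22T09:00:00"))
```

With the 20-minute TTL the 10:00 prober is already off the list by 10:35; with the 3-day TTL both sources are still locked out two days later, which is the exposure a shared NAT or proxy address would inherit.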
  20. Archived from groups: comp.security.firewalls (More info?)

    On Sun, 20 Jun 2004 13:23:35 GMT, Leythos spoketh
    >
    >Taking your statement - anything that can be configured can be
    >"misconfigured" - there are MANY more things to misconfigured on a PC
    >based OS/Firewall combination than a Appliance. Now that we've settled
    >that a Appliance is less likely to be misconfigured, we have the number
    >of parts - the appliance is almost always going to have less parts, and
    >the parts it does have are more likely to be of higher quality than
    >those in a PC/OS based firewall. Assuming the same level of competence
    >in the individual, you are statistically less likely to have a problem
    >with the appliance than the PC based firewall system.
    >

    I think you'll find that the appliance will most likely be a cheaper
    solution compared to a windows computer running a firewall. For
    instance, a high quality server with quality parts is easily going to
    cost you quite a few dollars, in addition to the OS and the firewall
    software ... My first firewall cost me over $15 grand, plus annual
    support contracts.

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
  21. Archived from groups: comp.security.firewalls (More info?)

    In article <ck3fd015n4bis50t197bmob844b3tk9a50@4ax.com>,
    badnews@hansenonline.net says...
    > On Sun, 20 Jun 2004 13:23:35 GMT, Leythos spoketh
    > >
    > >Taking your statement - anything that can be configured can be
    > >"misconfigured" - there are MANY more things to misconfigured on a PC
    > >based OS/Firewall combination than a Appliance. Now that we've settled
    > >that a Appliance is less likely to be misconfigured, we have the number
    > >of parts - the appliance is almost always going to have less parts, and
    > >the parts it does have are more likely to be of higher quality than
    > >those in a PC/OS based firewall. Assuming the same level of competence
    > >in the individual, you are statistically less likely to have a problem
    > >with the appliance than the PC based firewall system.
    > >
    >
    > I think you'll find that the appliance will most likely be a cheaper
    > solution compared to a windows computer running a firewall. For
    > instance, a high quality server with quality parts is easily going to
    > cost you quite a few dollars, in addition to the OS and the firewall
    > software ... My first firewall cost me over $15 grand, plus annual
    > support contracts.

    Reminds me of the first CP FW-1 Nix firewall I installed many moons ago.
    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  22. Archived from groups: comp.security.firewalls (More info?)

    Lars M. Hansen <badnews@hansenonline.net> wrote in
    news:ck3fd015n4bis50t197bmob844b3tk9a50@4ax.com:

    > On Sun, 20 Jun 2004 13:23:35 GMT, Leythos spoketh
    >
    > I think you'll find that the appliance will most likely be a cheaper
    > solution compared to a windows computer running a firewall. For
    > instance, a high quality server with quality parts is easily going to
    > cost you quite a few dollars, in addition to the OS and the firewall
    > software ... My first firewall cost me over $15 grand, plus annual
    > support contracts.
    >

    If you are still talking about the 100 PC network with VPN, then maybe. I
    run a very small network. I installed IPCop on a machine that was sitting
    in a closet. Total cost was about 4 hours of my time and a $10 NIC. In
    over 6 months my pc based personal firewalls have not registered a single
    incoming packet.

    Bob
  23. Archived from groups: comp.security.firewalls (More info?)

    On Tue, 22 Jun 2004 14:21:01 GMT, bob spoketh

    >Lars M. Hansen <badnews@hansenonline.net> wrote in
    >news:ck3fd015n4bis50t197bmob844b3tk9a50@4ax.com:
    >
    >> On Sun, 20 Jun 2004 13:23:35 GMT, Leythos spoketh
    >>
    >> I think you'll find that the appliance will most likely be a cheaper
    >> solution compared to a windows computer running a firewall. For
    >> instance, a high quality server with quality parts is easily going to
    >> cost you quite a few dollars, in addition to the OS and the firewall
    >> software ... My first firewall cost me over $15 grand, plus annual
    >> support contracts.
    >>
    >
    >If you are still talking about the 100 PC network with VPN, then maybe. I
    >run a very small network. I installed IPCop on a machine that was sitting
    >in a closet. Total cost was about 4 hours of my time and a $10 NIC. In
    >over 6 months my pc based personal firewalls have not registered a single
    >incoming packet.
    >
    >Bob

    Where did the computer come from? Did someone give it to you for free?

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  24. Archived from groups: comp.security.firewalls (More info?)

    In article <Xns95106A0A82BD0j123w123x123@216.77.188.18>,
    Jwx1.nothing@bellsouth.net says...
    > If you are still talking about the 100 PC network with VPN, then maybe. I
    > run a very small network. I installed IPCop on a machine that was sitting
    > in a closet. Total cost was about 4 hours of my time and a $10 NIC. In
    > over 6 months my pc based personal firewalls have not registered a single
    > incoming packet.

    What is your hourly rate?

    Hourly rate x 4 Hours is cost of your firewall setup.

    Cost of PC, resell cost, and $10 added for the NIC... While I know that
    this cost is insignificant, it's still a cost that you have to calculate
    in order to provide a fair example.

    I would venture a guess that a router/NAT ends up being cheaper, and
    costs less to run, produces less heat, and has a lower overall failure
    rate.


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  25. Archived from groups: comp.security.firewalls (More info?)

    Lars M. Hansen <badnews@hansenonline.net> wrote in
    news:lulgd01kv3s2s1kkj7646i4jpkigq8masr@4ax.com:

    >>If you are still talking about the 100 PC network with VPN, then
    >>maybe. I run a very small network. I installed IPCop on a machine that
    >>was sitting in a closet. Total cost was about 4 hours of my time and a
    >>$10 NIC. In over 6 months my pc based personal firewalls have not
    >>registered a single incoming packet.
    >>
    >>Bob
    >
    > Where did the computer come from? Did someone give it to you for free?
    >

    It was collecting dust in the corner of my office, having been rendered
    obsolete by Microsoft, Adobe, et al.

    Bob
  26. Archived from groups: comp.security.firewalls (More info?)

    In article <MPG.1b4210d63201a9c298a685@news-server.columbus.rr.com>,
    void@nowhere.com says...
    > In article <Xns95106A0A82BD0j123w123x123@216.77.188.18>,
    > Jwx1.nothing@bellsouth.net says...
    > > If you are still talking about the 100 PC network with VPN, then maybe. I
    > > run a very small network. I installed IPCop on a machine that was sitting
    > > in a closet. Total cost was about 4 hours of my time and a $10 NIC. In
    > > over 6 months my pc based personal firewalls have not registered a single
    > > incoming packet.
    >
    > What is your hourly rate?
    >
    > Hourly rate x 4 Hours is cost of your firewall setup.
    >
    > Cost of PC, resell cost, and $10 added for the NIC... While I know that
    > this cost is insignificant, it's still a cost that you have to calculate
    > in order to provide a fair example.
    >
    > I would venture a guess that a router/NAT ends up being cheaper, and
    > costs less to run, produces less heat, and has a lower overall failure
    > rate.

    Any reason you didn't want to calculate the actual cost of using the
    IPCop system for us? I posted the above question but you seem to have
    blown right by it.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  27. Archived from groups: comp.security.firewalls (More info?)

    On Tue, 22 Jun 2004 18:45:01 GMT, bob <Jwx1.nothing@bellsouth.net>
    wrote:
    >
    >It was collecting dust in the corner of my office, having been rendered
    >obsolete by Microsoft, Adobe, et al.
    >

    What was its fair market value, that is, the price you would be able
    to sell it on the open market?
  28. Archived from groups: comp.security.firewalls (More info?)

    In article <c37hd0h8on6bv8vg4hvjh3c203olms90k5@4ax.com>,
    nospam@shopping.nowthor.com says...
    > On Tue, 22 Jun 2004 18:45:01 GMT, bob <Jwx1.nothing@bellsouth.net>
    > wrote:
    > >
    > >It was collecting dust in the corner of my office, having been rendered
    > >obsolete by Microsoft, Adobe, et al.
    > >
    >
    > What was its fair market value, that is, the price you would be able
    > to sell it on the open market?

    I asked that question and the hourly rate (since he stated 4 hours) so
    that we could calculate the real cost, but nothing has been posted yet.


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  29. Archived from groups: comp.security.firewalls (More info?)

    Leythos <void@nowhere.com> wrote in
    news:MPG.1b425fbf1804576398a68a@news-server.columbus.rr.com:

    >>
    >> What is your hourly rate?
    >>
    >> Hourly rate x 4 Hours is cost of your firewall setup.
    >>
    >> Cost of PC, resell cost, and $10 added for the NIC... While I know
    >> that this cost is insignificant, it's still a cost that you have to
    >> calculate in order to provide a fair example.
    >>
    >> I would venture a guess that a router/NAT ends up being cheaper, and
    >> costs less to run, produces less heat, and has a lower overall
    >> failure rate.
    >
    > Any reason you didn't want to calculate the actual cost of using the
    > IPCop system for us? I posted the above question but you seem to have
    > blown right by it.
    >

    Sorry I couldn't get back to you right away -- the other ISP is having
    another one of its frequent newsgroup troubles.

    In order to truly compare the costs, all of the expenses and time spent would
    need to be considered. We frequently do such analysis at work, even to
    the point of spending more money on the analysis than the equipment
    eventually costs.

    So as I said in my earlier post, it took around 4 hours to download, set up
    and configure IPCop. If I had gone the route of purchasing a standalone
    firewall appliance, I would have spent more than 4 hours researching to
    determine which features were important in a firewall appliance, how to
    accurately compare them, and how to compare the offerings of the various
    companies, and then actually select a model to recommend, make the
    suggestion to my employer, get authorization, find a vendor to buy it
    from and obtain it. After I finally got it, I would need to spend at
    least some time reading the instructions and learning how to set it up,
    too. Some of that time would be exactly the same time that was used in
    setting up IPCop.

    Looking at completed eBay auctions, the Pentium 133 MHz machine that
    hosts the firewall is worth a good deal less than the $10 NIC I put into
    it.

    Bob


    --
    Delete the inverse SPAM to reply
  30. Archived from groups: comp.security.firewalls (More info?)

    Lars M. Hansen <badnews@hansenonline.net> wrote in
    news:lulgd01kv3s2s1kkj7646i4jpkigq8masr@4ax.com:


    >>If you are still talking about the 100 PC network with VPN, then
    >>maybe. I run a very small network. I installed IPCop on a machine that
    >>was sitting in a closet. Total cost was about 4 hours of my time and a
    >>$10 NIC. In over 6 months my pc based personal firewalls have not
    >>registered a single incoming packet.
    >>
    >>Bob
    >
    > Where did the computer come from? Did someone give it to you for free?
    >
    > Lars M. Hansen
    > http://www.hansenonline.net
    > (replace 'badnews' with 'news' in e-mail address)

    It was on the floor of my office, collecting dust. In most office
    situations it probably would have been discarded long ago. As an old 133 MHz
    Pentium without even PCI slots, it has approximately zero market value.

    Bob

    --
    Delete the inverse SPAM to reply
  31. Archived from groups: comp.security.firewalls (More info?)

    shopping.nowthor.com <nospam@shopping.nowthor.com> wrote in
    news:c37hd0h8on6bv8vg4hvjh3c203olms90k5@4ax.com:

    > On Tue, 22 Jun 2004 18:45:01 GMT, bob <Jwx1.nothing@bellsouth.net>
    > wrote:
    >>
    >>It was collecting dust in the corner of my office, having been rendered
    >>obsolete by Microsoft, Adobe, et al.
    >>
    >
    > What was its fair market value, that is, the price you would be able
    > to sell it on the open market?

    Two 133 MHz Pentiums have completed auctions on eBay. One sold for $5.75.
    The other did not sell for $1.

    It would literally cost more to discard it than it is worth.

    Bob

    --
    Delete the inverse SPAM to reply
  32. Archived from groups: comp.security.firewalls (More info?)

    In article <Xns9511CB87DC1D8bobatcarolnet@207.69.154.202>, usenetMAPS@
    2fiddles.com says...
    > So as I said in my earlier post, it took around 4 hours to download, set up
    > and configure IPCop. If I had gone the route of purchasing a standalone
    > firewall appliance, I would have spent more than 4 hours researching to
    > determine which features were important in a firewall appliance, how to
    > accurately compare them, and how to compare the offerings of the various
    > companies, and then actually select a model to recommend, make the
    > suggestion to my employer, get authorization, find a vendor to buy it
    > from and obtain it. After I finally got it, I would need to spend at
    > least some time reading the instructions and learning how to set it up,
    > too. Some of that time would be exactly the same time that was used in
    > setting up IPCop.

    How much time did you spend determining that an Open Source product was
    right for you?

    How much time did you spend determining that IPCop provided the features
    you wanted?

    How much time did you spend researching how well it protected other
    companies/users?

    How much time did you spend learning to secure the OS you installed it
    on?

    How much time did you spend learning how to install the OS you installed
    it on?

    And the list goes on....

    With the appliances, for the most part, it's about 1 hour to decide on
    which one meets your needs. Looking on CDW takes about 10 minutes,
    getting a PO setup takes about 15 minutes of your time, not counting
    time for the accounting dept to process it, and ordering it takes about
    10 minutes - so about an hour to purchase it.

    Configuration - about the same amount of time as IPCop.

    OS/Platform installation - couple hours, then a couple hours to learn to
    secure your OS (not one install of Linux is secure until you are sure
    what you've installed)....

    What I'm trying to point out here is that even a Linux box with IPCop
    and its limited feature set costs money, and time, it's not free just
    because you can download it for free.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  33. Archived from groups: comp.security.firewalls (More info?)

    Leythos <void@nowhere.com> wrote in
    news:MPG.1b43ef2d2c17eb7198a69e@news-server.columbus.rr.com:

    > With the appliances, for the most part, it's about 1 hour to decide on
    > which one meets your needs. Looking on CDW takes about 10 minutes,
    > getting a PO setup takes about 15 minutes of your time, not counting
    > time for the accounting dept to process it, and ordering it takes
    > about 10 minutes - so about an hour to purchase it.
    >
    > Configuration - about the same amount of time as IPCop.
    >
    > OS/Platform installation - couple hours, then a couple hours to learn
    > to secure your OS (not one install of Linux is secure until you are
    > sure what you've installed)....
    >
    > What I'm trying to point out here is that even a Linux box with IPCop
    > and its limited feature set costs money, and time, it's not free just
    > because you can download it for free.
    >

    Not one side fits all. I never said it was free, just less expensive in
    my case; if we could make decisions as fast as you can, then a different
    solution might be better for us. Doing research and learning new things
    that might benefit our company is always rewarded; finding new ways to
    spend cash is not (not always, that is). If IPCop or something like it
    were not available as an alternative, our network would probably still
    not have any firewall except the router(NAT).

    Based on several things you've written, I think you might not completely
    understand IPCop. It is not a firewall application that runs on Linux.
    It is a complete Linux distribution, designed to turn an old PC into a
    firewall appliance. There are no mail, ftp, or other servers; there are
    no nothings. The ISO is a mere 20 Mb. By default, there are no openings
    in it.

    I find it very useful because I can easily configure it to deny IP
    ranges and ports, I can easily configure a hosts list for the whole
    network, and I can easily back up my entire configuration with a windows
    machine. In the event of hardware failure or security breach, I can
    simply reinstall the software from the bootable CD (even on a
    different computer) and then restore my configuration.

    The thing that actually took me the longest when I installed it was
    figuring out that I needed to use two different networks for RED and
    GREEN. Once I got that it was smooth sailing.

    Bob

    --
    Delete the inverse SPAM to reply