Sign in with
Sign up | Sign in
Your question

Hardware Firewall Recommendation

Last response: in Networking
Share
Anonymous
a b 8 Security
June 16, 2004 8:00:47 PM

Archived from groups: comp.security.firewalls (More info?)

Greetings,

I've been charged with the task of picking out a firewall appliance for
a group of about 100 systems. We don't need anything too fancy, but we
would like an easy to use VPN setup. I can spend ~$1000. If anybody
could point me to a few models to look at, that'd be great. I've
searched for reviews and feature comparisons, but I haven't had much
luck. Thanks!

--Steve
Anonymous
a b 8 Security
June 16, 2004 10:42:24 PM

Archived from groups: comp.security.firewalls (More info?)

Steve,

I've worked with a WatchGuard Firebox recently. I was managing a WAN
comprised of just a half dozen LANs connected by frame-relay--just a small
network really. However, I must say I was rather impressed with the
Firebox--great interface, set-and-forget configuration, etc. If you haven't
been to their Web site, they have a Flash presentation. I think this is the
link:

http://www.watchguard.com

Best regards,

Todd Shillam
Information Technology Consultant
Shillam Technology
WWW: http://shillamtechnology.point2this.com




"Steve Taylor" <staylor@uidaho.edu> wrote in message
news:caqjf0$v2$1@kestrel.csrv.uidaho.edu...
Greetings,

I've been charged with the task of picking out a firewall appliance for
a group of about 100 systems. We don't need anything too fancy, but we
would like an easy to use VPN setup. I can spend ~$1000. If anybody
could point me to a few models to look at, that'd be great. I've
searched for reviews and feature comparisons, but I haven't had much
luck. Thanks!

--Steve
Anonymous
a b 8 Security
June 17, 2004 4:01:28 AM

Archived from groups: comp.security.firewalls (More info?)

In article <caqjf0$v2$1@kestrel.csrv.uidaho.edu>, staylor@uidaho.edu
says...
> Greetings,
>
> I've been charged with the task of picking out a firewall appliance for
> a group of about 100 systems. We don't need anything too fancy, but we
> would like an easy to use VPN setup. I can spend ~$1000. If anybody
> could point me to a few models to look at, that'd be great. I've
> searched for reviews and feature comparisons, but I haven't had much
> luck. Thanks!

The firebox III/700 from WatchGuard is a good unit, but it's about $1600
retail (USD). It has everything you could need including VPN remote user
and branch office VPN ability. One of the nicest features, if you have
your own email server, is the ability to strip attachments by extension
from inbound email (before it gets to the server) - which prevents most
virus's and worms from getting to your local computers.

The Sonic units are also good, but I don't have current pricing on them.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Related resources
Anonymous
a b 8 Security
June 17, 2004 5:05:01 AM

Archived from groups: comp.security.firewalls (More info?)

On Wed, 16 Jun 2004 16:00:47 -0700, Steve Taylor <staylor@uidaho.edu>
wrote:
>
>I've been charged with the task of picking out a firewall appliance for
>a group of about 100 systems. We don't need anything too fancy, but we
>would like an easy to use VPN setup. I can spend ~$1000. If anybody
>could point me to a few models to look at, that'd be great. I've
>searched for reviews and feature comparisons, but I haven't had much
>luck. Thanks!
>

As a reseller of the ZyXEL ZyWALL series of Firewall Appliances, I
can't help it but recommend the ZyWALL 70.

You may find more info about it at the ZyXEL website:
http://us.zyxel.com/products/model.php?indexcate=107327...

For pricing, have a look at our website:
http://shopping.nowthor.com/0760559104146.html

Thanks!

Carlos Antunes
Nowthor Corporation
June 17, 2004 10:13:40 AM

Archived from groups: comp.security.firewalls (More info?)

"Steve Taylor" <staylor@uidaho.edu> wrote in message
news:caqjf0$v2$1@kestrel.csrv.uidaho.edu...
> Greetings,
>
> I've been charged with the task of picking out a firewall appliance for
> a group of about 100 systems. We don't need anything too fancy, but we
> would like an easy to use VPN setup. I can spend ~$1000. If anybody
> could point me to a few models to look at, that'd be great. I've
> searched for reviews and feature comparisons, but I haven't had much
> luck. Thanks!
>
> --Steve

Unfortunately, for a network of that size, I think that realistically you
should probably look at spending closer to about twice that, more in the
$1500 - $2000 range. 100 systems is a decent number of systems, and you want
gear that is designed for that type of environment rather than trying to
shoehorn a cheaper, SOHO or 10 user type device into an actual network. Some
gear you might want to check out:

Sonicwall Pro 2040
NetScreen 25 Baseline
Watchguard Firebox X700
Anonymous
a b 8 Security
June 17, 2004 12:22:55 PM

Archived from groups: comp.security.firewalls (More info?)

Alec wrote:

> "Steve Taylor" <staylor@uidaho.edu> wrote in message
> news:caqjf0$v2$1@kestrel.csrv.uidaho.edu...
>
>>Greetings,
>>
>>I've been charged with the task of picking out a firewall appliance for
>>a group of about 100 systems. We don't need anything too fancy, but we
>>would like an easy to use VPN setup. I can spend ~$1000. If anybody
>>could point me to a few models to look at, that'd be great. I've
>>searched for reviews and feature comparisons, but I haven't had much
>>luck. Thanks!
>>
>>--Steve
>
>
> Unfortunately, for a network of that size, I think that realistically you
> should probably look at spending closer to about twice that, more in the
> $1500 - $2000 range. 100 systems is a decent number of systems, and you want
> gear that is designed for that type of environment rather than trying to
> shoehorn a cheaper, SOHO or 10 user type device into an actual network. Some
> gear you might want to check out:
>
> Sonicwall Pro 2040
> NetScreen 25 Baseline
> Watchguard Firebox X700
>
>

Everybody, thanks for the suggestions so far.

I think I could manage $1500-$2000. The Firebox certainly looks like a
good candidate. Anybody else have an opinion on the Firebox?

Thanks.

--Steve
Anonymous
a b 8 Security
June 17, 2004 11:28:17 PM

Archived from groups: comp.security.firewalls (More info?)

In article <casd0g$h8$1@kestrel.csrv.uidaho.edu>, staylor@uidaho.edu
says...
> I think I could manage $1500-$2000. The Firebox certainly looks like a
> good candidate. Anybody else have an opinion on the Firebox?

I hate to follow my own recommendation, but I've installed them at two
state agencies, a utility company, a medical center, and about 30
factories. I've also installed them at many assisted living centers,
residences, small businesses, and know of one university that uses them
in several areas.

I have one in my own office and could not imagine anything better for
the money.

If you get one, and you have your own email server, make sure that you
look into the SMTP Proxy for filtering attachments on inbound email - it
will removed infectious attachments based on file extension (not
actually detecting a virus) which has kept every client from being hit
by any of the email viruses in the last 5 years.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
a b 8 Security
June 18, 2004 2:53:21 AM

Archived from groups: comp.security.firewalls (More info?)

Leythos wrote:

>look into the SMTP Proxy for filtering attachments on inbound email - it
>will removed infectious attachments based on file extension (not
>actually detecting a virus) which has kept every client from being hit
>by any of the email viruses in the last 5 years.

How did you manage Wallon.A? Just curious. I blocked the rds.yahoo
addresses and had no problems. Logged several attempts from (l)users
clicking on the e-mail links, but their interest died as the link
timed out.

Also, I believe you manage multiple firewalls, so how do you push
updates like that to them?
Anonymous
a b 8 Security
June 18, 2004 4:53:05 PM

Archived from groups: comp.security.firewalls (More info?)

In article <77p4d0ha0ms0ca1hdhrrbfd2njugm59tdh@4ax.com>, mrozium@XSPAMX-
yahoo.com says...
> Leythos wrote:
>
> >look into the SMTP Proxy for filtering attachments on inbound email - it
> >will removed infectious attachments based on file extension (not
> >actually detecting a virus) which has kept every client from being hit
> >by any of the email viruses in the last 5 years.
>
> How did you manage Wallon.A? Just curious. I blocked the rds.yahoo
> addresses and had no problems. Logged several attempts from (l)users
> clicking on the e-mail links, but their interest died as the link
> timed out.

Here is a description (from Symantec) of how it works:

W32.Wallon.A@mm arrives as an email with a link in the message body. The
email uses an Internet Explorer vulnerability, described in Microsoft
Security Bulletin MS04-004, to display an obfuscated link. Clicking the
link redirects the user to a Web site to download "wmplayer.exe" into
the Windows Media Player folder. The Web site may attempt to exploit an
Outlook Express vulnerability, described in Microsoft Security Bulletin
MS04-013, to download and execute the file. Because the worm attempts to
overwrite the Windows Media Player executable, any attempts to run
Windows Media Player on an infected computer will execute a copy of the
worm.


Our users would have seen the email, since there was nothing but a link
to it in a site, most would have just deleted the email - we send out
messages every month about following links to things outside their
company that come in email.

For those that did select it, they would not have had a problem - we
don't allow .exe or other types through the HTTP proxy service in the
firewall.

The WatchGuard firewalls have a HTTP proxy service that lets me
deny/approve the following:

1) Settings:
Remove Client Connection Info
Remove Cookies
Deny Submissions
Deny Java Applets
Deny ActiveX Applets
Remove unknown headers
Log accounting/auditing information
Require content type
Idle timeout xxxxxx seconds

2) Safe Content:
Allow only safe content types
(you can add types based on mime specs)
Deny Unsafe Path Patterns
(add site paths you want to block, not sites)

3) Web Blocker - used to specify what content can be viewed
4) Web Blocker Schedule - enable/disable at programmed times
5) Web Blocker Operational Controls (what to filter when ON)
6) Web Blocker non-Operational Controls (what to filter when OFF)
7) WB Exceptions (permitted, denied) Add IP as needed

For SMTP I have two filters - one is the Firewall SMTP service and the
other is (depending on what email server they have, is to use Symantec
Small Business Edition with Exchange Filter).

WG SMTP Options includes some of the following:

INBOUND RULES
1) General
Idle Timeout (XXXXXX seconds)
Max Recipients (XXXX)
Maximum Size (xxxxxxx KB)
Line Length (xxxxx bytes)
Address Validation (RFC-822 Compliance)
Allow Characters (list of chars you permit in email addresses)
Allow 8-Bit characters
Allow Source-Routed Addresses
2) Content Types
Allow only safe content types
(specify permitted types)
Deny Attachments based on file name patterns
(you can specify any pattern, includes wildcards)


There are many more, but you get the idea from this set. With these two
rules (and I didn't show how I have them setup, sorry) We've been able
to block 100% of all virus's and worms to date.

> Also, I believe you manage multiple firewalls, so how do you push
> updates like that to them?

We've not had to update the firewalls, the rules, once in place, are
something that covers all of the problems that already come up. If you
block .EXE you never have to go back and update the firewall to keep
users from downloading and running .EXE over HTTP/HTTPS or SMTP.

One more thing that we do is set "Auto block sites that attempt to
connect to this service" and we set rules for ports 135, 139, and 445
for these auto-block sites. Just another way to make sure that infected
machines don't get past the firewall.

Most of our customers either installed Exchange 2000 or already had
Exchange servers, the SBE/Exchange filter from Symantec has done wonders
for those users - even without the firewall it includes RBL functions,
key word filters, subject and body word filtering, virus scanning,
attachment blocking, etc... Great product for Exchange.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
a b 8 Security
June 19, 2004 4:19:57 AM

Archived from groups: comp.security.firewalls (More info?)

Leythos wrote:

>For those that did select it, they would not have had a problem - we
>don't allow .exe or other types through the HTTP proxy service in the
>firewall.

Hmmm...I'm not so sure I'd feel safe running non-firewall programs
like a HTTP proxy on my firewall. I feel more comfortable using Squid
or ISA behind the firewall on a separate device.

>We've not had to update the firewalls, the rules, once in place, are
>something that covers all of the problems that already come up. If you
>block .EXE you never have to go back and update the firewall to keep
>users from downloading and running .EXE over HTTP/HTTPS or SMTP.

I see. That would never work in any environment I've seen, as all the
companies and government entities I provide security for *must* be
able to download files, including executables. Especially for M$
updates. Users are only allowed to run approved programs, but that
rarely ever stops today's worms/viruses. Of course, that's one reason
why it's so important to employ a good anti-virus solution.

Also, I'm surprised you don't update your firewalls (patches, not
rules). I'd sleep better knowing my firewalls and the computers
behind them were up-to-date.

>One more thing that we do is set "Auto block sites that attempt to
>connect to this service" and we set rules for ports 135, 139, and 445
>for these auto-block sites. Just another way to make sure that infected
>machines don't get past the firewall.

I'm with you there, 100%, but I go way past that. Time and rule wise.
Almost any kind of hostile activity will immediately ban that IP
address for roughly 3 days.
Anonymous
a b 8 Security
June 19, 2004 11:21:03 AM

Archived from groups: comp.security.firewalls (More info?)

On 19 Jun 2004 00:19:57 -0500, Micheal Robert Zium spoketh

>Leythos wrote:
>
>>For those that did select it, they would not have had a problem - we
>>don't allow .exe or other types through the HTTP proxy service in the
>>firewall.
>
>Hmmm...I'm not so sure I'd feel safe running non-firewall programs
>like a HTTP proxy on my firewall. I feel more comfortable using Squid
>or ISA behind the firewall on a separate device.

Some firewalls use application proxies rather than packet filters. So,
that would make it very much a "firewall" program on the firewall.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Anonymous
a b 8 Security
June 19, 2004 4:54:50 PM

Archived from groups: comp.security.firewalls (More info?)

In article <rvc7d0tk3ua56p917sa8vt0tb99uhgj6kt@4ax.com>, mrozium@XSPAMX-
yahoo.com says...
> Leythos wrote:
>
> >For those that did select it, they would not have had a problem - we
> >don't allow .exe or other types through the HTTP proxy service in the
> >firewall.
>
> Hmmm...I'm not so sure I'd feel safe running non-firewall programs
> like a HTTP proxy on my firewall. I feel more comfortable using Squid
> or ISA behind the firewall on a separate device.

The appliance has the proxy as one of the rules you can use - it's a
better option than a system running a app to do it. Less chance of it
breaking or being misconfigured - less chance of a parts failure too.

> >We've not had to update the firewalls, the rules, once in place, are
> >something that covers all of the problems that already come up. If you
> >block .EXE you never have to go back and update the firewall to keep
> >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
>
> I see. That would never work in any environment I've seen, as all the
> companies and government entities I provide security for *must* be
> able to download files, including executables. Especially for M$
> updates. Users are only allowed to run approved programs, but that
> rarely ever stops today's worms/viruses. Of course, that's one reason
> why it's so important to employ a good anti-virus solution.

AV is a day late in most cases - the definition files don't come out for
the new viruses until a day after they hit the mainstream.

The updates from MS can easily be configured to pass through the
firewall - as I mentioned earlier, the blocking has exception lists and
it's easy to configure exceptions for all blocking. We run updates every
night.

If you have your block rules setup properly your people will not be
stopped from doing anything they are permitted to do, including updates,
but they will be protected from almost all of the bad files out there.
Remember, virus updates are reactionary, they don't protect you until
the virus is "known" but the vendor that provides your updates.

> Also, I'm surprised you don't update your firewalls (patches, not
> rules). I'd sleep better knowing my firewalls and the computers
> behind them were up-to-date.

Up to date and needing an update are two different things - we don't
blindly apply updates, even Windows updates, on every machine. When you
look at the update, unless it does something for your needs you don't
have to apply it. In the case of WG, there have not been any security
related updates to the firmware in a long time. Yes, they've come out
with newer rev's and nicer features, but the updates don't change
anything in the security options that most of our clients setups.

I'm sure you've seen updates, esp. from MS, cause problems - In general,
every workstation at a generic desk updates every evening. Developers
workstations update as the update is tested on a test machine. Servers
get updates after the update is tested also.

> >One more thing that we do is set "Auto block sites that attempt to
> >connect to this service" and we set rules for ports 135, 139, and 445
> >for these auto-block sites. Just another way to make sure that infected
> >machines don't get past the firewall.
>
> I'm with you there, 100%, but I go way past that. Time and rule wise.
> Almost any kind of hostile activity will immediately ban that IP
> address for roughly 3 days.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
a b 8 Security
June 20, 2004 4:39:11 AM

Archived from groups: comp.security.firewalls (More info?)

Lars M. Hansen wrote:

>Some firewalls use application proxies rather than packet filters. So,
>that would make it very much a "firewall" program on the firewall.

Really? Could you provide some examples? Thank you.
Anonymous
a b 8 Security
June 20, 2004 5:08:31 AM

Archived from groups: comp.security.firewalls (More info?)

Leythos wrote:

>The appliance has the proxy as one of the rules you can use - it's a
>better option than a system running a app to do it. Less chance of it
>breaking or being misconfigured - less chance of a parts failure too.

Understand that I'm not trying to be argumentative, but claiming that
an appliance has the exclusive distinction of being less likely to
fail or be misconfigured is taking great liberties with the truth.
Anything that can be configured can be misconfigured. Just because
it's "point-and-click" doesn't make it less likely to be
misconfigured. The person responsible for the configuration is the
mitigating factor here, not software. Untrained people should not
configure firewalls. Parts failure is pretty much a non-issue. Do
you run your servers on appliances? I've heard those battle cries,
and quite frankly, neither hold much water today.

>> >We've not had to update the firewalls, the rules, once in place, are
>> >something that covers all of the problems that already come up. If you
>> >block .EXE you never have to go back and update the firewall to keep
>> >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
>>
>> I see. That would never work in any environment I've seen, as all the
>> companies and government entities I provide security for *must* be
>> able to download files, including executables. Especially for M$
>> updates. Users are only allowed to run approved programs, but that
>> rarely ever stops today's worms/viruses. Of course, that's one reason
>> why it's so important to employ a good anti-virus solution.
>
>AV is a day late in most cases - the definition files don't come out for
>the new viruses until a day after they hit the mainstream.

I agree, but I still use it. Don't you? Besides, it's hardly a
firewall's job to provide anti-virus solutions. Otherwise, we'd be
constantly updating our firewalls, right?

>The updates from MS can easily be configured to pass through the
>firewall - as I mentioned earlier, the blocking has exception lists and
>it's easy to configure exceptions for all blocking. We run updates every
>night.

No, you didn't mention it. You said you block .EXE. I took you at
your word. To quote your earlier post:
>For those that did select it, they would not have had a problem - we
>don't allow .exe or other types through the HTTP proxy service in the
>firewall.
And then later in the same post you said:
>If you block .EXE you never have to go back and update the firewall to keep
>users from downloading and running .EXE over HTTP/HTTPS or SMTP.
I wondered how you managed not allowing downloading .exe files. Now
you have me wondering about why you would claim "set-and-forget", yet
talk about configuring exceptions. Quite perplexing indeed. Please
understand that I'm not trying to nit-pick you to death, but you've
made some great claims, and I was wondering if I should jump ship. I'm
far from being convinced. Maybe it's just me, but I see some glaring
inconsistencies in your statements.

>If you have your block rules setup properly your people will not be
>stopped from doing anything they are permitted to do, including updates,
>but they will be protected from almost all of the bad files out there.

I couldn't agree more. But now you're straying waaaaay away from the
simple "Less chance of it breaking or being misconfigured...".
Unless, of course, your customers have simple needs when it comes to
downloading executable files. A single customer of mine may have more
than two dozen different programs on different computers and/or
servers requiring updates or patches from as many (or more) sites
and/or service providers. I guess my customer's requirements are much
different than yours. Or, maybe your appliance has a magical rule
applicator? Seriously, how would you manage without creating an
exception for each requirement?

>Remember, virus updates are reactionary, they don't protect you until
>the virus is "known" but the vendor that provides your updates.

I agree. You're preaching to the choir.

>> Also, I'm surprised you don't update your firewalls (patches, not
>> rules). I'd sleep better knowing my firewalls and the computers
>> behind them were up-to-date.
>
>Up to date and needing an update are two different things - we don't
>blindly apply updates, even Windows updates, on every machine. When you
>look at the update, unless it does something for your needs you don't
>have to apply it.

I'm with you there (again) 100%. But how do you find the time to
review and apply daily updates? Remember, you said:
>In general, every workstation at a generic desk updates every evening.
Like Lewis Carroll wrote: "Curiouser and Curiouser". Unless you mean
you only blindly apply M$ updates to generic boxes.

>In the case of WG, there have not been any security
>related updates to the firmware in a long time. Yes, they've come out
>with newer rev's and nicer features, but the updates don't change
>anything in the security options that most of our clients setups.

Ummm...ok. I'll take your word on that. I guess you don't use the
V-Class products. This is taken from their site:
>WatchGuard® Vclass products 22 April 2004
>WatchGuard Vclass Version 5.1.1 sp1 includes security enhancements
>to your product.
Maybe it's not a firmware update. Wait, what else could it be?


To basically sum it up, we both are trying to accomplish the same task
(more or less), yet we use quite different methods and tools. For
instance, you choose an appliance as a single point-of-failure, and I
prefer to use specific tools for specific jobs. Choice is great,
wouldn't you say?
June 20, 2004 7:30:19 AM

Archived from groups: comp.security.firewalls (More info?)

Take a look at smoothwall express (free GPL) at www.smoothwall.org &
Smoothwall Corporate Server (Commercial, supports express).

I personally use express at home and have had no troubles, i would
thouroughly recommend smoothwall to anybody in need of a GREAT
firewall.

samuel
Anonymous
a b 8 Security
June 20, 2004 11:20:19 AM

Archived from groups: comp.security.firewalls (More info?)

On 20 Jun 2004 00:39:11 -0500, Micheal Robert Zium spoketh

>Lars M. Hansen wrote:
>
>>Some firewalls use application proxies rather than packet filters. So,
>>that would make it very much a "firewall" program on the firewall.
>
>Really? Could you provide some examples? Thank you.

Symantec Enterprise Firewall (formerly Axent Raptor) uses proxies for
several protocols, such as HTTP, SMTP, FTP, Telnet and possibly H.232.
This allows for better control of what goes through the firewall, and
that it complies with protocol specifications.

For HTTP, that means you can block "port" while allow "get", as well as
specifying url filters to prevent uploads/downloads of specific urls
(one that was recommenced was to filter out cmd.exe to block out
Nimda.Code Red).

For SMTP, you had the option to block certain commands, such as VRFY and
EXPN, set limits on the number of recipients, check against blackhole
lists...

I think Leythos have mentioned on several occasions that the Watchguard
line of firewalls also uses proxies, at least for http.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Anonymous
a b 8 Security
June 20, 2004 5:23:35 PM

Archived from groups: comp.security.firewalls (More info?)

In article <6j9ad01jnoh069hs70d5llf73579vkmhk7@4ax.com>, mrozium@XSPAMX-
yahoo.com says...
> Leythos wrote:
>
> >The appliance has the proxy as one of the rules you can use - it's a
> >better option than a system running a app to do it. Less chance of it
> >breaking or being misconfigured - less chance of a parts failure too.
>
> Understand that I'm not trying to be argumentative, but claiming that
> an appliance has the exclusive distinction of being less likely to
> fail or be misconfigured is taking great liberties with the truth.
> Anything that can be configured can be misconfigured. Just because
> it's "point-and-click" doesn't make it less likely to be
> misconfigured. The person responsible for the configuration is the
> mitigating factor here, not software. Untrained people should not
> configure firewalls. Parts failure is pretty much a non-issue. Do
> you run your servers on appliances? I've heard those battle cries,
> and quite frankly, neither hold much water today.

Taking your statement - anything that can be configured can be
"misconfigured" - there are MANY more things to misconfigured on a PC
based OS/Firewall combination than a Appliance. Now that we've settled
that a Appliance is less likely to be misconfigured, we have the number
of parts - the appliance is almost always going to have less parts, and
the parts it does have are more likely to be of higher quality than
those in a PC/OS based firewall. Assuming the same level of competence
in the individual, you are statistically less likely to have a problem
with the appliance than the PC based firewall system.

> >> >We've not had to update the firewalls, the rules, once in place, are
> >> >something that covers all of the problems that already come up. If you
> >> >block .EXE you never have to go back and update the firewall to keep
> >> >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
> >>
> >> I see. That would never work in any environment I've seen, as all the
> >> companies and government entities I provide security for *must* be
> >> able to download files, including executables. Especially for M$
> >> updates. Users are only allowed to run approved programs, but that
> >> rarely ever stops today's worms/viruses. Of course, that's one reason
> >> why it's so important to employ a good anti-virus solution.
> >
> >AV is a day late in most cases - the definition files don't come out for
> >the new viruses until a day after they hit the mainstream.
>
> I agree, but I still use it. Don't you? Besides, it's hardly a
> firewall's job to provide anti-virus solutions. Otherwise, we'd be
> constantly updating our firewalls, right?

Where did you get the idea that I don't use AV software - I've used AV
software on every computer everywhere. In fact, I happen to like the
Symantec Small Business Edition 8.1 / Exchange platform. As I said, they
are reactionary when it comes to NEW virus definitions. A properly
configured attachment filter based on extensions will prevent more email
based viruses than a definition file (due to the delay in creating
definitions for new viruses).

One thing that WG has done since the early days is provide the ability
to filter email attachments - no other vendor offered this feature at
the time, and many still don't. This one feature alone has saved more
clients that any other measure I know of. Even when you have AV
software, the updates come out AFTER the virus is known, and that can be
several days or more. If you block executable attachments of all types
then you are 200% ahead of the battle.

> >The updates from MS can easily be configured to pass through the
> >firewall - as I mentioned earlier, the blocking has exception lists and
> >it's easy to configure exceptions for all blocking. We run updates every
> >night.
>
> No, you didn't mention it. You said you block .EXE. I took you at
> your word. To quote your earlier post:
> >For those that did select it, they would not have had a problem - we
> >don't allow .exe or other types through the HTTP proxy service in the
> >firewall.
> And then later in the same post you said:
> >If you block .EXE you never have to go back and update the firewall to keep
> >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
>
> I wondered how you managed not allowing downloading .exe files. Now
> you have me wondering about why you would claim "set-and-forget", yet
> talk about configuring exceptions. Quite perplexing indeed. Please
> understand that I'm not trying to nit-pick you to death, but you've
> made some great claims, and I was wondering if I should jump ship. I'm
> far from being convinced. Maybe it's just me, but I see some glaring
> inconsistencies in your statements.

How can it be perplexing - you configure web filter exceptions for
specific locations and then you can forget about it for a while. I have
exceptions for windows update, MSDN Subscriber sections, Symantec, IBM's
download site, HP's download site, and several others that are trusted
sites. This is all common practice when you use web blocking.

> >If you have your block rules setup properly your people will not be
> >stopped from doing anything they are permitted to do, including updates,
> >but they will be protected from almost all of the bad files out there.
>
> I couldn't agree more. But now you're straying waaaaay away from the
> simple "Less chance of it breaking or being misconfigured...".
> Unless, of course, your customers have simple needs when it comes to
> downloading executable files. A single customer of mine may have more
> than two dozen different programs on different computers and/or
> servers requiring updates or patches from as many (or more) sites
> and/or service providers. I guess my customer's requirements are much
> different than yours. Or, maybe your appliance has a magical rule
> applicator? Seriously, how would you manage without creating an
> exception for each requirement?

Nope, it's actually very simple - base set of rules, base set of known
exceptions that almost everyone would know about anyway (at least any
half-IT type would).

I have customers in both the business and industrial sectors, developers
and office workers, never been a problem. Sure, you might get a call
next year saying that we've added this application suite to our
development platform and can't get updates (because the company that
does the updates uses raw .EXE files), so you remotely connect to the
firewall, add the exception to their web filter, and it's done - 15
minutes work.

As for your 24 applications that need updates from as many companies,
that's part of the initial assessment you are suppose to do before you
install a firewall. You need to determine what the customers are doing
on the net, what they need for protection, what they do inside the
network, what departments need isolated from each others, etc.... Once
you have your list you review it with the customer (or focus group) and
lay out the basic rules and exceptions. I can configure web exceptions,
24 of them, in about 5 minutes using the simple, easy, exception GUI
that's included in the management interface (so could a user with a
little experience).

There is one other way to determine what exceptions are needed - block
everything and wait for the complaints to start rolling in :) 

>
> >Remember, virus updates are reactionary, they don't protect you until
> >the virus is "known" but the vendor that provides your updates.
>
> I agree. You're preaching to the choir.
>
> >> Also, I'm surprised you don't update your firewalls (patches, not
> >> rules). I'd sleep better knowing my firewalls and the computers
> >> behind them were up-to-date.
> >
> >Up to date and needing an update are two different things - we don't
> >blindly apply updates, even Windows updates, on every machine. When you
> >look at the update, unless it does something for your needs you don't
> >have to apply it.
>
> I'm with you there (again) 100%. But how do you find the time to
> review and apply daily updates? Remember, you said:
> >In general, every workstation at a generic desk updates every evening.
> Like Lewis Carroll wrote: "Curiouser and Curiouser". Unless you mean
> you only blindly apply M$ updates to generic boxes.

Yep, most of the workstations in an office are not critical development
systems, they are office workers systems - they get updated between 2AM
and 5AM (spreading the internet load) every day. The critical machines,
servers, development systems, get updated after a review/test is done,
which has nothing to do with the firewall. We have ghost images of the
office workstations, all of them are clones of each other, that can be
restored in 10 minutes in most cases, so if a auto-updated patch from MS
trashes them we can get them back to a last-configured roll out state
quickly - and you can uninstall updates too.

As for finding the time - it's part of the business, at least if you
care about your production servers and your development team. As an
example, I got a call that a client is switching to MAS-200, and want's
to run it on their 2003 server. I took it to my office (MAS-200),
installed 2003 on a test server, added the services that they are
running, then did a couple installs/uninstalls of MAS-200. I took notes
of everything and any issues (install was smooth). Now when I go back to
the clients server there should be no unknowns reaching out to my neck.
As for the time, we get paid for it, they expect us to keep them from
having down-time and testing is one strong method for doing that.

> >In the case of WG, there have not been any security
> >related updates to the firmware in a long time. Yes, they've come out
> >with newer rev's and nicer features, but the updates don't change
> >anything in the security options that most of our clients setups.
>
> Ummm...ok. I'll take your word on that. I guess you don't use the
> V-Class products. This is taken from their site:
> >WatchGuard® Vclass products 22 April 2004
> >WatchGuard Vclass Version 5.1.1 sp1 includes security enhancements
> >to your product.
> Maybe it's not a firmware update. Wait, what else could it be?

And did you read the update - was the update something that applied to
your situation? See, you can't just blindly apply updates, it's not good
to apply them to critical machines unless they do something to fix a
problem you are are having or that needs addressed right away. I've not
installed any of the V-Class units for customers, even state agencies
have not needed the power/features they have. The standard Firebox line
has served everyone quite well these last 7+ years - now going to the X
line.

> To basically sum it up, we both are trying to accomplish the same task
> (more or less), yet we use quite different methods and tools. For
> instance, you choose an appliance as a single point-of-failure, and I
> prefer to use specific tools for specific jobs. Choice is great,
> wouldn't you say?

Yes, choice is what it's all about. I look at the cost of maintaining
the security system, licensing, etc... I choose appliances because I
have never had one die on me yet, and I can hardly state that about a PC
over the last 7+ years that I've been using the WG FB line of firewalls.
For customers that can't afford to be down, they have a spare unit
sitting, fully configured, online and ready to swap into place. For
customers that can handle the down-time they just order another unit
from the vendor or reseller and have it in 12 hours - the nice thing is
that the configs are easily upgraded between versions so that you don't
really have to do anything other than load the config and you're done.
As I said, I've not had one FB go bad in all of these years, so it's not
been a issue being a single point of failure. I have a firebox II in my
home, it's almost 8 years old and works perfectly.

Choice is great, but making the right choice is all that's important to
customers.

Don't get me wrong, I still like FW-1 and some of the others, but I've
not seen a single instance where an appliance could not do the same
thing.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
a b 8 Security
June 20, 2004 5:25:37 PM

Archived from groups: comp.security.firewalls (More info?)

In article <67sad0hqceuiik1du96kosv8cnllu8hsis@4ax.com>,
badnews@hansenonline.net says...
> I think Leythos have mentioned on several occasions that the Watchguard
> line of firewalls also uses proxies, at least for http.

Yes, for both HTTP and SMTP. It was the first vendor to provide this
functionality in a box that I know of.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
June 21, 2004 2:18:55 AM

Archived from groups: comp.security.firewalls (More info?)

"Micheal Robert Zium" <mrozium@XSPAMX-yahoo.com> wrote in message
news:rvc7d0tk3ua56p917sa8vt0tb99uhgj6kt@4ax.com...
> Leythos wrote:

> >One more thing that we do is set "Auto block sites that attempt to
> >connect to this service" and we set rules for ports 135, 139, and 445
> >for these auto-block sites. Just another way to make sure that infected
> >machines don't get past the firewall.
>
> I'm with you there, 100%, but I go way past that. Time and rule wise.
> Almost any kind of hostile activity will immediately ban that IP
> address for roughly 3 days.
>

Ok, guys, I had a question about this practice. Certainly, I understand the
intent, but don't you ever worry about the implicit denial-of-service
potential of this. I can think of multiple reasons why I would not want to
lock out a specific IP address for 3 days! Off of the top of my head: 1) the
use of a spoofed IP address, 2) the use of corporate or ISP-based proxies,
3) the use of corporate NAT'ing, and 4) the use of DHCP address leasing. It
seems to me that any or all of these reasons could cause you to, in fact,
deny access for potentially legitimate users; with the most egregious
potential problem being from a proxied or NAT address that may represent
large number of potential users. I understand the desire to actively block
hostile traffic, but a 3 day filter certainly seems excessive to me... but
maybe I'm just misunderstanding the policy, the situation, and the traffic
actually involved.

Alec
Anonymous
a b 8 Security
June 21, 2004 3:26:06 AM

Archived from groups: comp.security.firewalls (More info?)

In article <j3oBc.2047$R62.1335@newssvr23.news.prodigy.com>,
alec@nospam.com says...
>
> "Micheal Robert Zium" <mrozium@XSPAMX-yahoo.com> wrote in message
> news:rvc7d0tk3ua56p917sa8vt0tb99uhgj6kt@4ax.com...
> > Leythos wrote:
>
> > >One more thing that we do is set "Auto block sites that attempt to
> > >connect to this service" and we set rules for ports 135, 139, and 445
> > >for these auto-block sites. Just another way to make sure that infected
> > >machines don't get past the firewall.
> >
> > I'm with you there, 100%, but I go way past that. Time and rule wise.
> > Almost any kind of hostile activity will immediately ban that IP
> > address for roughly 3 days.
> >
>
> Ok, guys, I had a question about this practice. Certainly, I understand the
> intent, but don't you ever worry about the implicit denial-of-service
> potential of this. I can think of multiple reasons why I would not want to
> lock out a specific IP address for 3 days! Off of the top of my head: 1) the
> use of a spoofed IP address, 2) the use of corporate or ISP-based proxies,
> 3) the use of corporate NAT'ing, and 4) the use of DHCP address leasing. It
> seems to me that any or all of these reasons could cause you to, in fact,
> deny access for potentially legitimate users; with the most egregious
> potential problem being from a proxied or NAT address that may represent
> large number of potential users. I understand the desire to actively block
> hostile traffic, but a 3 day filter certainly seems excessive to me... but
> maybe I'm just misunderstanding the policy, the situation, and the traffic
> actually involved.

Alec, I only set my bocks for 20 minutes, and I stick with the practice.
As for the scenarios you suggested, if a corporate user is so hacked
that they get 135, 139, or 445 out of their network to my firewalls I
don't really want them to access me, at least I don't really care if
they can make it to our sites or not.

DHCP, most users are not going to be impacted by a 20 minute block, and
if they are, again, I don't really care.

Spoofed addresses - not seeing it as a problem in our block lists. In
most cases, we only have 20~80 active blocks at any given time.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
a b 8 Security
June 22, 2004 5:59:22 AM

Archived from groups: comp.security.firewalls (More info?)

On Sun, 20 Jun 2004 13:23:35 GMT, Leythos spoketh
>
>Taking your statement - anything that can be configured can be
>"misconfigured" - there are MANY more things to misconfigured on a PC
>based OS/Firewall combination than a Appliance. Now that we've settled
>that a Appliance is less likely to be misconfigured, we have the number
>of parts - the appliance is almost always going to have less parts, and
>the parts it does have are more likely to be of higher quality than
>those in a PC/OS based firewall. Assuming the same level of competence
>in the individual, you are statistically less likely to have a problem
>with the appliance than the PC based firewall system.
>

I think you'll find that the appliance will most likely be a cheaper
solution compared to a windows computer running a firewall. For
instance, a high quality server with quality parts is easily going to
cost you quite a few dollars, in addition to the OS and the firewall
software ... My first firewall cost me over $15 grand, plus annual
support contracts.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
a b 8 Security
June 22, 2004 6:31:23 AM

Archived from groups: comp.security.firewalls (More info?)

In article <ck3fd015n4bis50t197bmob844b3tk9a50@4ax.com>,
badnews@hansenonline.net says...
> On Sun, 20 Jun 2004 13:23:35 GMT, Leythos spoketh
> >
> >Taking your statement - anything that can be configured can be
> >"misconfigured" - there are MANY more things to misconfigured on a PC
> >based OS/Firewall combination than a Appliance. Now that we've settled
> >that a Appliance is less likely to be misconfigured, we have the number
> >of parts - the appliance is almost always going to have less parts, and
> >the parts it does have are more likely to be of higher quality than
> >those in a PC/OS based firewall. Assuming the same level of competence
> >in the individual, you are statistically less likely to have a problem
> >with the appliance than the PC based firewall system.
> >
>
> I think you'll find that the appliance will most likely be a cheaper
> solution compared to a windows computer running a firewall. For
> instance, a high quality server with quality parts is easily going to
> cost you quite a few dollars, in addition to the OS and the firewall
> software ... My first firewall cost me over $15 grand, plus annual
> support contracts.

Reminds me of the first CP FW-1 Nix firewall I installed many moon ago.
--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
June 22, 2004 6:21:01 PM

Archived from groups: comp.security.firewalls (More info?)

Lars M. Hansen <badnews@hansenonline.net> wrote in
news:ck3fd015n4bis50t197bmob844b3tk9a50@4ax.com:

> On Sun, 20 Jun 2004 13:23:35 GMT, Leythos spoketh
>
> I think you'll find that the appliance will most likely be a cheaper
> solution compared to a windows computer running a firewall. For
> instance, a high quality server with quality parts is easily going to
> cost you quite a few dollars, in addition to the OS and the firewall
> software ... My first firewall cost me over $15 grand, plus annual
> support contracts.
>

If you are still talking about the 100 PC network with VPN, then maybe. I
run a very small network. I installed IPCop on a machine that was sitting
in a closet. Total cost was about 4 hours of my time and a $10 NIC. In
over 6 months my pc based personal firewalls have not registered a single
incoming packet.

Bob
Anonymous
a b 8 Security
June 22, 2004 6:21:02 PM

Archived from groups: comp.security.firewalls (More info?)

On Tue, 22 Jun 2004 14:21:01 GMT, bob spoketh

>Lars M. Hansen <badnews@hansenonline.net> wrote in
>news:ck3fd015n4bis50t197bmob844b3tk9a50@4ax.com:
>
>> On Sun, 20 Jun 2004 13:23:35 GMT, Leythos spoketh
>>
>> I think you'll find that the appliance will most likely be a cheaper
>> solution compared to a windows computer running a firewall. For
>> instance, a high quality server with quality parts is easily going to
>> cost you quite a few dollars, in addition to the OS and the firewall
>> software ... My first firewall cost me over $15 grand, plus annual
>> support contracts.
>>
>
>If you are still talking about the 100 PC network with VPN, then maybe. I
>run a very small network. I installed IPCop on a machine that was sitting
>in a closet. Total cost was about 4 hours of my time and a $10 NIC. In
>over 6 months my pc based personal firewalls have not registered a single
>incoming packet.
>
>Bob

Where did the computer come from? Did someone give it to you for free?

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Anonymous
a b 8 Security
June 22, 2004 6:48:17 PM

Archived from groups: comp.security.firewalls (More info?)

In article <Xns95106A0A82BD0j123w123x123@216.77.188.18>,
Jwx1.nothing@bellsouth.net says...
> If you are still talking about the 100 PC network with VPN, then maybe. I
> run a very small network. I installed IPCop on a machine that was sitting
> in a closet. Total cost was about 4 hours of my time and a $10 NIC. In
> over 6 months my pc based personal firewalls have not registered a single
> incoming packet.

What is your hourly rate?

Hourly rate x 4 Hours is cost of your firewall setup.

Cost of PC, resell cost, and $10 added for the NIC... While I know that
this cost is insignificant, it's still a cost that you have to calculate
in order to provide a fair example.

I would venture a guess that a router/NAT ends up being cheaper, and
costs less to run, produces less heat, and has a lower overall failure
rate.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
June 22, 2004 10:45:01 PM

Archived from groups: comp.security.firewalls (More info?)

Lars M. Hansen <badnews@hansenonline.net> wrote in
news:lulgd01kv3s2s1kkj7646i4jpkigq8masr@4ax.com:

>>If you are still talking about the 100 PC network with VPN, then
>>maybe. I run a very small network. I installed IPCop on a machine that
>>was sitting in a closet. Total cost was about 4 hours of my time and a
>>$10 NIC. In over 6 months my pc based personal firewalls have not
>>registered a single incoming packet.
>>
>>Bob
>
> Where did the computer come from? Did someone give it to you for free?
>

It was collecting dust in the corner of my office, having been rendered
obsolete by Microsoft, Adobe, et. al.

Bob
Anonymous
a b 8 Security
June 23, 2004 12:24:44 AM

Archived from groups: comp.security.firewalls (More info?)

In article <MPG.1b4210d63201a9c298a685@news-server.columbus.rr.com>,
void@nowhere.com says...
> In article <Xns95106A0A82BD0j123w123x123@216.77.188.18>,
> Jwx1.nothing@bellsouth.net says...
> > If you are still talking about the 100 PC network with VPN, then maybe. I
> > run a very small network. I installed IPCop on a machine that was sitting
> > in a closet. Total cost was about 4 hours of my time and a $10 NIC. In
> > over 6 months my pc based personal firewalls have not registered a single
> > incoming packet.
>
> What is your hourly rate?
>
> Hourly rate x 4 Hours is cost of your firewall setup.
>
> Cost of PC, resell cost, and $10 added for the NIC... While I know that
> this cost is insignificant, it's still a cost that you have to calculate
> in order to provide a fair example.
>
> I would venture a guess that a router/NAT ends up being cheaper, and
> costs less to run, produces less heat, and has a lower overall failure
> rate.

Any reason you didn't want to calculate the actual cost of using the
IPCop system for us? I posted the above question but you seem to have
blown right by it.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
a b 8 Security
June 23, 2004 12:55:40 AM

Archived from groups: comp.security.firewalls (More info?)

On Tue, 22 Jun 2004 18:45:01 GMT, bob <Jwx1.nothing@bellsouth.net>
wrote:
>
>It was collecting dust in the corner of my office, having been rendered
>obsolete by Microsoft, Adobe, et. al.
>

What was it's fair market value, that is, the price you would be able
to sell it on the open market?
Anonymous
a b 8 Security
June 23, 2004 1:07:04 AM

Archived from groups: comp.security.firewalls (More info?)

In article <c37hd0h8on6bv8vg4hvjh3c203olms90k5@4ax.com>,
nospam@shopping.nowthor.com says...
> On Tue, 22 Jun 2004 18:45:01 GMT, bob <Jwx1.nothing@bellsouth.net>
> wrote:
> >
> >It was collecting dust in the corner of my office, having been rendered
> >obsolete by Microsoft, Adobe, et. al.
> >
>
> What was it's fair market value, that is, the price you would be able
> to sell it on the open market?

I asked that question and the hourly rate (since he stated 4 hours) so
that we could calculate the real cost, but nothing has been posted yet.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
June 24, 2004 3:58:05 AM

Archived from groups: comp.security.firewalls (More info?)

Leythos <void@nowhere.com> wrote in
news:MPG.1b425fbf1804576398a68a@news-server.columbus.rr.com:

>>
>> What is your hourly rate?
>>
>> Hourly rate x 4 Hours is cost of your firewall setup.
>>
>> Cost of PC, resell cost, and $10 added for the NIC... While I know
>> that this cost is insignificant, it's still a cost that you have to
>> calculate in order to provide a fair example.
>>
>> I would venture a guess that a router/NAT ends up being cheaper, and
>> costs less to run, produces less heat, and has a lower overall
>> failure rate.
>
> Any reason you didn't want to calculate the actual cost of using the
> IPCop system for us? I posted the above question but you seem to have
> blown right by it.
>

Sorry I couldn't get back to you right away -- the other isp is having
another one of it's frequent newsgroup troubles.

In order to truly compare the costs, all of expenses and time spent would
need to be considered. We frequently do such analysis at work, even to
the point of spending more money on the analysis than the equipment
eventually costs.

So as I said in my earlier post, it took around 4 hours to download setup
and configure IPCop. If I had gone the route of purchasing a standalone
firewall appliance, I would have spent more than 4 hours researching to
determine which features were important in a firewall appliance, how to
accurately compare them, and how to compare the offerings of the various
companies, and then actually select a model to recommend, make the
suggestion to my employer, get authorization, find a vendor to buy it
from and obtain it. After I finally got it, I would need to spend at
least some time reading the instructions and learning how to set it up,
too. Some of that time would be exactly the same time that was used in
setting up IPCop.

Looking at completed Ebay auctions, the Pentium 133 Mhz machine that
hosts the firewall is worth a good deal less than the $10 NIC I put into
it.

Bob


--
Delete the inverse SPAM to reply
June 24, 2004 4:00:10 AM

Archived from groups: comp.security.firewalls (More info?)

Lars M. Hansen <badnews@hansenonline.net> wrote in
news:lulgd01kv3s2s1kkj7646i4jpkigq8masr@4ax.com:


>>If you are still talking about the 100 PC network with VPN, then
>>maybe. I run a very small network. I installed IPCop on a machine that
>>was sitting in a closet. Total cost was about 4 hours of my time and a
>>$10 NIC. In over 6 months my pc based personal firewalls have not
>>registered a single incoming packet.
>>
>>Bob
>
> Where did the computer come from? Did someone give it to you for free?
>
> Lars M. Hansen
> http://www.hansenonline.net
> (replace 'badnews' with 'news' in e-mail address)

It was on the floor of my office, collecting dust. In most office
situations it probably would have been discarded long ago. As an old 133Mhz
pentium without even PCI slots, it has approximately zero market value.

Bob

--
Delete the inverse SPAM to reply
June 24, 2004 4:01:29 AM

Archived from groups: comp.security.firewalls (More info?)

shopping.nowthor.com <nospam@shopping.nowthor.com> wrote in
news:c37hd0h8on6bv8vg4hvjh3c203olms90k5@4ax.com:

> On Tue, 22 Jun 2004 18:45:01 GMT, bob <Jwx1.nothing@bellsouth.net>
> wrote:
>>
>>It was collecting dust in the corner of my office, having been rendered
>>obsolete by Microsoft, Adobe, et. al.
>>
>
> What was it's fair market value, that is, the price you would be able
> to sell it on the open market?

Two 133Mhz pentiums have completed auctions on Ebay. One sold for $5.75.
The other did not sell for $1.

It would literally cost more to discard it than it is worth.

Bob

--
Delete the inverse SPAM to reply
Anonymous
a b 8 Security
June 24, 2004 4:41:14 AM

Archived from groups: comp.security.firewalls (More info?)

In article <Xns9511CB87DC1D8bobatcarolnet@207.69.154.202>, usenetMAPS@
2fiddles.com says...
> So as I said in my earlier post, it took around 4 hours to download setup
> and configure IPCop. If I had gone the route of purchasing a standalone
> firewall appliance, I would have spent more than 4 hours researching to
> determine which features were important in a firewall appliance, how to
> accurately compare them, and how to compare the offerings of the various
> companies, and then actually select a model to recommend, make the
> suggestion to my employer, get authorization, find a vendor to buy it
> from and obtain it. After I finally got it, I would need to spend at
> least some time reading the instructions and learning how to set it up,
> too. Some of that time would be exactly the same time that was used in
> setting up IPCop.

How much time did you spend determining that an Open Source product was
right for you?

How much time did you spend determining that IPCop provided the features
you wanted?

How much time did you spend researching how well it protected other
companies/users?

How much time did you spend learning to secure the OS you installed it
on?

How much time did you spend learning how to install the OS you installed
it on?

And the list goes on....

With the appliances, for the most part, it's about 1 hour to decide on
which one meets your needs. Looking on CDW takes about 10 minutes,
getting a PO setup takes about 15 minutes of your time, not counting
time for the accounting dept to process it, and ordering it takes about
10 minutes - so about an hour to purchase it.

Configuration - about the same amount of time as IPCop.

OS/Platform installation - couple hours, then a couple hours to learn to
secure your OS (not one install of Linux is secure until you are sure
what you've installed)....

What I'm trying to point out here is that even a Linux box with IPCop
and it's limited feature set costs money, and time, it's not free just
because you can download it for free.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
June 25, 2004 4:16:53 AM

Archived from groups: comp.security.firewalls (More info?)

Leythos <void@nowhere.com> wrote in
news:MPG.1b43ef2d2c17eb7198a69e@news-server.columbus.rr.com:

> With the appliances, for the most part, it's about 1 hour to decide on
> which one meets your needs. Looking on CDW takes about 10 minutes,
> getting a PO setup takes about 15 minutes of your time, not counting
> time for the accounting dept to process it, and ordering it takes
> about 10 minutes - so about an hour to purchase it.
>
> Configuration - about the same amount of time as IPCop.
>
> OS/Platform installation - couple hours, then a couple hours to learn
> to secure your OS (not one install of Linux is secure until you are
> sure what you've installed)....
>
> What I'm trying to point out here is that even a Linux box with IPCop
> and it's limited feature set costs money, and time, it's not free just
> because you can download it for free.
>

Not one side fits all. I never said it was free, just less expensive in
my case; if we could make decisions as fast as you can, then a different
solution might be better for us. Doing research and learning new things
that might benefit our company is always rewarded; finding new ways to
spend cash is not (not always, that is). If IPCop or something like it
were not available as an alternative, our network would probably still
not have any firewall except the router(NAT).

Based on several things you've written, I think you might not completely
understand IPCop. It is not a firewall application that runs on Linux.
It is a complete Linux distrobution, designed to turn an old PC into a
firewall appliance. There are no mail, ftp, or other servers; there are
no nothings. The ISO is a mere 20 Mb. By default, there are no openings
in it.

I find it very useful because I can easily configure it to deny IP
ranges and ports, I can easily configure a hosts list for the whole
network, and I can easily back up my entire configuration with a windows
machine. In the event of hardware failure or security breach, I can
simply reinstall the the software from the bootable CD (even on a
differnt computer) and then restore my configuration.

The thing that actually took me the longest when I installed it was
figuring out that I needed to use two different networks for RED and
GREEN. Once I got that it was smooth sailing.

Bob

--
Delete the inverse SPAM to reply
!