Hardware vs Software Firewall - Pros and Cons?

July 12, 2004 7:36:34 PM

Archived from groups: comp.security.firewalls

I am running Norton Internet Security Personal Firewall - but was
wondering - would security, speed, and memory requirements be any better
using a router with a hardware firewall?
July 12, 2004 7:36:35 PM

If you're talking about using a NAT router like the popular Linksys,
D-Link... as a "hardware firewall" you would get more speed, BUT those
security systems are only good for keeping bad traffic out; they don't stop
programs like Trojan horses, keyloggers etc. from communicating out to the
Internet. A solution involving both your Norton software and a NAT router
would be best.


"Greg" <rezlab_nospam@sbcglobal.net> wrote in message
news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
> I am running Norton Internet Security Personal Firewall - but was
> wondering - would security, speed, and memory requirements be any better
> using a router with a hardware firewall?
>
>
>
July 12, 2004 7:36:35 PM

"Greg" <rezlab_nospam@sbcglobal.net> wrote in message
news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
> I am running Norton Internet Security Personal Firewall - but was
> wondering - would security, speed, and memory requirements be any better
> using a router with a hardware firewall?

Yes! Freeing up your computer to do your computing and leaving firewalls to
other hardware devices will definitely improve your system's performance.
BTW, I use only a NAT router and a good AV program and my network is up 24/7
without issue. Safe computing is the best defense.
July 13, 2004 3:30:47 AM

Paris wrote:

> If you're talking about using a NAT router like the popular Linksys,
> D-Link... as a "hardware firewall" you would get more speed, BUT those
> security systems are only good for keeping bad traffic out; they don't stop
> programs like Trojan horses, keyloggers etc. from communicating out to the
> Internet.

Neither do Personal Firewalls stop malware.

> A solution involving both your Norton software and a NAT router
> would be best.

A solution involving a skilled user *is* best.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
July 13, 2004 1:34:59 PM

Maybe in this specific case a life and a girlfriend would be "best"
;-0
"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:ccuvtf$ff0$3@news.shlink.de...
> Paris wrote:
>
> > If you're talking about using a NAT router like the popular Linksys,
> > D-Link... as a "hardware firewall" you would get more speed, BUT those
> > security systems are only good for keeping bad traffic out; they don't
> > stop programs like Trojan horses, keyloggers etc. from communicating out
> > to the Internet.
>
> Neither do Personal Firewalls stop malware.
>
> > A solution involving both your Norton software and a NAT router
> > would be best.
>
> A solution involving a skilled user *is* best.
>
> Wolfgang
> --
> A foreign body and a foreign mind
> never welcome in the land of the blind.
> from 'Not one of us', (c) 1980 Peter Gabriel
July 19, 2004 8:21:11 PM

Yes, it would. Hardware-based firewalls are designed to handle these
specific areas of operation and do this faster than software-based FWs.
However, they are also more expensive.

"Greg" <rezlab_nospam@sbcglobal.net> wrote in message
news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
> I am running Norton Internet Security Personal Firewall - but was
> wondering - would security, speed, and memory requirements be any better
> using a router with a hardware firewall?
>
>
>
July 19, 2004 8:21:12 PM

A hardware firewall, like a router, protects against incoming.
It doesn't prevent outgoing; whereas a good software firewall will do
both.

On Mon, 19 Jul 2004 16:21:11 +0200, "Observer" <abc@def.com> wrote:

>Yes, it would. Hardware-based firewalls are designed to handle these
>specific areas of operation and do this faster than software-based FWs.
>However, they are also more expensive.
>
>"Greg" <rezlab_nospam@sbcglobal.net> wrote in message
>news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
>> I am running Norton Internet Security Personal Firewall - but was
>> wondering - would security, speed, and memory requirements be any better
>> using a router with a hardware firewall?
>>
>>
>>
>
July 19, 2004 11:54:12 PM

In article <p0vnf0pfojnpn6h5h8pc2qtglle6ba3a5c@4ax.com>, Nobody You Need
To Know <> says...
> A hardware firewall, like a router, protects against incoming.
> It doesn't prevent outgoing; whereas a good software firewall will do
> both.

A router is NOT a firewall; you can't suggest that a ROUTER is a
firewall. A hardware firewall WILL block outbound and inbound
connections based on defined rule sets. If you had said "A ROUTER,
unlike a firewall, does not limit outbound" then you would have been on
the right track.

In most cases, many of the new routers provide the ability to block
outbound by port (or port range), but many do not, and that does NOT
make them a firewall by definition. None of the routers I've seen can
determine the type of traffic; they only block ports.

NOTE: ANY hardware firewall blocks in BOTH directions. Routers are just
simple network translation devices that are over-hyped by marketing
types as firewalls.

A good software firewall, running on a personal computer, is very easily
compromised by the owner of the computer, as they are very often required
to answer questions about permitting services/applications from
accessing in/out bound ports. Most users, the non-technical ones that
don't have more than one computer, end up allowing their entire private
LAN to be trusted, which is the same as not having a personal firewall.

> On Mon, 19 Jul 2004 16:21:11 +0200, "Observer" <abc@def.com> wrote:
>
> >Yes, it would. Hardware-based firewalls are designed to handle these
> >specific areas of operation and do this faster than software-based FWs.
> >However, they are also more expensive.
> >
> >"Greg" <rezlab_nospam@sbcglobal.net> wrote in message
> >news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
> >> I am running Norton Internet Security Personal Firewall - but was
> >> wondering - would security, speed, and memory requirements be any better
> >> using a router with a hardware firewall?
> >>
> >>
> >>
> >
>
>

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
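The NAT-versus-firewall distinction argued over in this sub-thread (Paris's point that a NAT router does nothing about outbound traffic, and Leythos's that a firewall applies a rule set in both directions) can be made concrete with a small model. The block below is an added example written for this page, not code from any poster: a toy NAT router whose only "blocking" is the absence of a translation-table entry, next to a toy stateful firewall that admits new connections only to listed ports per direction. The addresses, ports and the "keylogger" flow are constructed.

```python
"""Toy model of the distinction this thread keeps circling: a NAT router
passes inbound packets only when they match a flow a LAN host already
opened, and applies no policy at all to outbound traffic; a firewall applies
an explicit rule set in both directions.  Constructed example written for
this page, not code from any poster; the addresses, ports and the
"keylogger" flow are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a TCP connection


LAN_PREFIX = "192.168.1."


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def flow_key(pkt: Packet) -> tuple:
    """Canonical (lan_ip, lan_port, remote_ip, remote_port) for either direction."""
    if is_lan(pkt.src):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)


class NatRouter:
    """Consumer NAT: a translation table and nothing else.  Inbound packets
    are dropped only because no table entry exists for them, not because a
    rule says so; every outbound packet creates an entry and is passed.
    (Real tables also expire entries and honour port-forwards; omitted.)"""

    def __init__(self):
        self.table = set()

    def forward(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if is_lan(pkt.src):
            self.table.add(key)
            return "FORWARD"
        return "FORWARD" if key in self.table else "DROP"


class StatefulFirewall:
    """Connection tracking plus a rule set: new connections are allowed only
    to listed ports, separately for each direction; established flows pass."""

    def __init__(self, egress_ports, ingress_ports=()):
        self.conns = set()
        self.egress_ports = set(egress_ports)
        self.ingress_ports = set(ingress_ports)

    def forward(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if key in self.conns:
            return "FORWARD"            # reply or continuation of an accepted flow
        if not pkt.syn:
            return "DROP"               # mid-stream packet for an unknown flow
        policy = self.egress_ports if is_lan(pkt.src) else self.ingress_ports
        if pkt.dport in policy:
            self.conns.add(key)
            return "FORWARD"
        return "DROP"


def run_scenario(device) -> dict:
    """Four constructed packets, in order: a browser opening HTTPS, the
    server's reply, an unsolicited inbound SMB probe, and a keylogger on the
    LAN host calling home on port 6667."""
    return {
        "browse":       device.forward(Packet("192.168.1.10", 51000, "203.0.113.5", 443, syn=True)),
        "browse_reply": device.forward(Packet("203.0.113.5", 443, "192.168.1.10", 51000)),
        "smb_probe":    device.forward(Packet("198.51.100.9", 40000, "192.168.1.10", 445, syn=True)),
        "keylogger":    device.forward(Packet("192.168.1.10", 51001, "198.51.100.9", 6667, syn=True)),
    }


if __name__ == "__main__":
    print("NAT router:", run_scenario(NatRouter()))
    print("Firewall:  ", run_scenario(StatefulFirewall(egress_ports={80, 443})))
```

Both devices pass the browser session and drop the SMB probe, so from the outside they look alike; the difference shows on the keylogger's connection, which the NAT router forwards (it has no notion of policy) and the firewall drops (6667 is not in the egress list). Neither device can tell which process on the LAN host opened a flow; that is the one thing a host-based firewall sees that a network device cannot, and it is the trade-off the rest of this thread keeps returning to.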
July 20, 2004 1:17:02 AM

Nobody You Need To Know wrote:
>
> A hardware firewall, like a router, protects against incoming.
> It doesn't prevent outgoing; whereas a good software firewall will do
> both.

Which hardware "firewall" can't do egress filtering?

Thor

--
http://www.anta.net/
July 20, 2004 2:36:41 AM

Nobody You Need To Know <> wrote in
news:p 0vnf0pfojnpn6h5h8pc2qtglle6ba3a5c@4ax.com:

> A hardware firewall, like a router, protects against incoming.
> It doesn't prevent outgoing; whereas a good software firewall will do
> both.
>

In the link, it explains what a network FW is, and FW appliances and some
routers do meet the requirements.

There are a few other things in the link you may want to learn about
FW(s), hardware and software.

http://www.firewall-software.com/firewall_faqs/what_doe...

Duane :) 
July 20, 2004 1:26:57 PM

I'm sorry, but I consider this thread nonsense. What is a hardware
firewall? In computing since the 70s the hardware runs software, and it is the
software that performs a task... like being a firewall.

So? Again... what is a hardware firewall? Is the Cisco PIX a hardware firewall?
The Cisco PIX 515e is Intel 486 hardware. Any difference from an Intel 486
rackable PC? They (Cisco) run something like IOS firewall. The PC can run
many FW software packages.

What about the appliances that run a tiny Linux distro to run a firewall? Are
they hard or soft? Complete nonsense.

So the question could be... what FW is best? That's all.

Best Regards,
Fidelio


> "Greg" <rezlab_nospam@sbcglobal.net> wrote in message
> news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
> > I am running Norton Internet Security Personal Firewall - but was
> > wondering - would security, speed, and memory requirements be any better
> > using a router with a hardware firewall?
July 20, 2004 1:26:58 PM

On Tue, 20 Jul 2004 09:26:57 +0200, Fidelio spoketh

>I'm sorry, but I consider this thread nonsense. What is a hardware
>firewall? In computing since the 70s the hardware runs software, and it is the
>software that performs a task... like being a firewall.
>
>So? Again... what is a hardware firewall? Is the Cisco PIX a hardware firewall?
>The Cisco PIX 515e is Intel 486 hardware. Any difference from an Intel 486
>rackable PC? They (Cisco) run something like IOS firewall. The PC can run
>many FW software packages.
>
>What about the appliances that run a tiny Linux distro to run a firewall? Are
>they hard or soft? Complete nonsense.
>
>So the question could be... what FW is best? That's all.
>
>Best Regards,
>Fidelio
>

"Hardware firewall" has become (like it or not) synonymous with firewall
appliance. Now the problem is how to define a firewall appliance ...

The way I try to put it is: A firewall appliance is a dedicated unit
that does not run a user-oriented operating system, has no regular
computer connections (ie keyboard, mouse, monitor) other than ethernet
and a console/serial port, and its only task is to work as a firewall.

That makes Pix a firewall appliance, as well as all the watchguards,
sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
meet these criteria.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
July 20, 2004 2:47:42 PM

Fidelio wrote:

> What is a hardware
> firewall? In computing since 70s the hardware runs software and it is the
> software the one to perform a task... like being a firewall.

You're right - the terms "hardware firewall" and "software firewall" are
technically incorrect. However, it is obvious that there is a need to
distinguish between workstation software such as ICF, Sygate or Tiny, and,
OTOH, external, dedicated firewalls.

> What about the appliances tha run a tyne Linux distro tu run firewall? Are
> they hard or soft?

From a penetrability viewpoint, probably the greatest difference is that
Linux firewalls often are used to protect other hosts, whereas Windows
"software firewalls" are typically used to protect only the workstation they
are running on.

Two important questions to ask are:

- can the firewall be axiomatically compromised by obtaining superuser
access on a/the host it protects?

- is the firewall always able to map connection attempts to specific
processes?

Maybe you would like to write a draft specification of which terminology
should be universally adopted.

Thor

--
http://www.anta.net/
July 20, 2004 3:55:53 PM

In article <g7vpf0tr6sfr45kdrqlbllbmh4fbfqm1ig@4ax.com>,
badnews@hansenonline.net says...
> "Hardware firewall" has become (like it or not) synonymous with firewall
> appliance. Now the problem is how to define a firewall appliance ...
>
> The way I try to put it is: A firewall appliance is a dedicated unit
> that does not run a user-oriented operating system, has no regular
> computer connections (ie keyboard, mouse, monitor) other than ethernet
> and a console/serial port, and its only task is to work as a firewall.
>
> That makes Pix a firewall appliance, as well as all the watchguards,
> sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
> boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
> meet these criteria.

Very good example Lars - I'll have to remember this in the fight to
explain the difference to people that are either trolls or just want to
argue.

One other thing I use to separate "appliances" from non-appliances: can
you install any other (non-firewall) application on the device? If you
can, then it's not a firewall appliance. I can't think of one appliance
that I could install MS Office or Sendmail on.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
July 20, 2004 3:55:54 PM

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b66d3cb97a0967f98a7bb@news-server.columbus.rr.com...
> In article <g7vpf0tr6sfr45kdrqlbllbmh4fbfqm1ig@4ax.com>,
> badnews@hansenonline.net says...
> > "Hardware firewall" has become (like it or not) synonymous with firewall
> > appliance. Now the problem is how to define a firewall appliance ...
> >
> > The way I try to put it is: A firewall appliance is a dedicated unit
> > that does not run a user-oriented operating system, has no regular
> > computer connections (ie keyboard, mouse, monitor) other than ethernet
> > and a console/serial port, and its only task is to work as a firewall.
> >
> > That makes Pix a firewall appliance, as well as all the watchguards,
> > sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
> > boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
> > meet these criteria.
>
> Very good example Lars - I'll have to remember this in the fight to
> explain the difference to people that are either trolls or just want to
> argue.
>
> One other thing I use to separate "appliances" from non-appliances - can
> you install any other (non-firewall) application on the device, if you
> can, then it's not a firewall appliance. I can't think of one appliance
> that I could install MS Office or SendMail on.
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

I'm not familiar with "hardware firewalls", never having used one. The term
appliance seems a little awkward, but any way that you describe it, it would
necessarily have to be software driven. The only question I would have
would be the updating of the software in the "appliance" (hardware
firewall). How often is this updated and how? Thinking further, I used a
2Wire DSL interface for a while a couple of years ago. Would this be
classified as a "hardware firewall/appliance" that is being talked about?

DDDD
July 20, 2004 4:35:03 PM

In article <3d92b$40fd0d2c$45234d07$26840@allthenewsgroups.com>,
someone@some.one says...
>
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b66d3cb97a0967f98a7bb@news-server.columbus.rr.com...
> > In article <g7vpf0tr6sfr45kdrqlbllbmh4fbfqm1ig@4ax.com>,
> > badnews@hansenonline.net says...
> > > "Hardware firewall" has become (like it or not) synonymous with firewall
> > > appliance. Now the problem is how to define a firewall appliance ...
> > >
> > > The way I try to put it is: A firewall appliance is a dedicated unit
> > > that does not run a user-oriented operating system, has no regular
> > > computer connections (ie keyboard, mouse, monitor) other than ethernet
> > > and a console/serial port, and its only task is to work as a firewall.
> > >
> > > That makes Pix a firewall appliance, as well as all the watchguards,
> > > sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
> > > boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
> > > meet these criteria.
> >
> > Very good example Lars - I'll have to remember this in the fight to
> > explain the difference to people that are either trolls or just want to
> > argue.
> >
> > One other thing I use to separate "appliances" from non-appliances - can
> > you install any other (non-firewall) application on the device, if you
> > can, then it's not a firewall appliance. I can't think of one appliance
> > that I could install MS Office or SendMail on.
> >
> > --
> > --
> > spamfree999@rrohio.com
> > (Remove 999 to reply to me)
>
> I'm not familiar with "hardware firewalls", never having used one. The term
> appliance seems a little awkward, but any way that you describe it, it would
> necessarily have to be software driven. The only question I would have
> would be the updating of the software in the "appliance" (hardware
> firewall). How often is this updated and how? Thinking further, I used a
> 2Wire DSL interface for a while a couple of years ago. Would this be
> classified as a "hardware firewall/appliance" that is being talked about?

The appliances are updated either through a serial port or through the
GUI provided by the vendor. All firewalls, as well as most computing
devices, are driven by some type of firmware or software. In the case of
an appliance, it's mostly firmware (something contained in a
re-programmable chip) that is loaded by a boot-block of code. The firmware
method only allows updating with the same type of firmware - meaning
that I could not load OS/2 in my firewall's firmware and end up with an
OS/2 computer.

The appliance route is a dedicated device that can not be used for
anything else (notice, I didn't say "is not used for anything else").

In the case of the WatchGuard firewalls, I have a vendor provided
application suite that runs on a computer, it interfaces with the
firewall over specific ports/protocols. The interface lets me monitor,
change rules, update firmware, etc...

The DSL router that you are provided (or Cable Modem) by your ISP is
considered a "hardware" appliance, as is your managed network switch,
your managed network aware tape vault. Your network switch (unmanaged)
is considered to be just hardware.

About 5 years ago the marketing types decided to start pushing Routers
with NAT as firewalls, they only offered inbound blocking, not because
of firewall rules, but, because of the way that NAT works. Routers that
provide NAT are not firewalls, they are routers. Sure, you can update
the firmware in them, but they are just routers - some of them are nicer
than others and provide some enhanced features, but, they are still just
routers.

A software firewall is something that gets installed on a
Computer/Server/Workstation that MAY also have other software installed
on it - even if it doesn't have anything other than an OS and the
application, it's still a software firewall (based on what we're
discussing here). In the early days I used a Windows NT box with Sygate
and two NIC's as a dedicated solution - it was a NAT/Proxy type
solution. I considered it to be just NAT/Proxy and nothing more, and not
an appliance, it was a software solution.

If I install ISA (MS's Firewall) on a dedicated computer, just for
acting as a firewall, it's still not an appliance, it's just a software
firewall (much like NIS or ZoneAlarm or the others).


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
July 20, 2004 11:26:22 PM

On Tue, 20 Jul 2004 12:35:03 GMT, Leythos spoketh

>
>If I install ISA (MS's Firewall) on a dedicated computer, just for
>acting as a firewall, it's still not an appliance, it's just a software
>firewall (much like NIS or ZoneAlarm or the others).
>

Perhaps it would be a better idea to compare ISA to another network
firewall such as Checkpoint or Symantec Enterprise Firewall rather than
a desktop security suite...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
July 21, 2004 12:00:42 AM

In article <scsqf01u3fks0d7ldngafo680udfa3al47@4ax.com>,
badnews@hansenonline.net says...
> On Tue, 20 Jul 2004 12:35:03 GMT, Leythos spoketh
>
> >
> >If I install ISA (MS's Firewall) on a dedicated computer, just for
> >acting as a firewall, it's still not an appliance, it's just a software
> >firewall (much like NIS or ZoneAlarm or the others).
> >
>
> Perhaps it would be a better idea to compare ISA to another network
> firewall such as Checkpoint or Symantec Enterprise Firewall rather than
> a desktop security suite...

Yes, that's more like ISA, and to be fair, I don't really expect any of
the home/SOHO users to install ISA, FW-1 or SEF on their computers. I
guess I was being too literal.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
July 21, 2004 12:00:43 AM

On Tue, 20 Jul 2004 20:00:42 GMT, Leythos spoketh

>In article <scsqf01u3fks0d7ldngafo680udfa3al47@4ax.com>,
>badnews@hansenonline.net says...
>> On Tue, 20 Jul 2004 12:35:03 GMT, Leythos spoketh
>>
>> >
>> >If I install ISA (MS's Firewall) on a dedicated computer, just for
>> >acting as a firewall, it's still not an appliance, it's just a software
>> >firewall (much like NIS or ZoneAlarm or the others).
>> >
>>
>> Perhaps it would be a better idea to compare ISA to another network
>> firewall such as Checkpoint or Symantec Enterprise Firewall rather than
>> a desktop security suite...
>
>Yes, that's more like ISA, and to be fair, I don't really expect any of
>the home/soho users to install ISA, FW1 or SEF on their computers. I
>guess I was being too literal.
>
>--

unless they buy Windows SBS 2003 server, they're not likely to install
ISA either...

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
July 21, 2004 3:53:58 AM

> I'm not familiar with "hardware firewalls", never having used one. The term
> appliance seems a little awkward, but any way that you describe it, it would
> necessarily have to be software driven. The only question I would have
> would be the updating of the software in the "appliance" (hardware
> firewall). How often is this updated and how? Thinking further, I used a
> 2Wire DSL interface for a while a couple of years ago. Would this be
> classified as a "hardware firewall/appliance" that is being talked about?
>
> DDDD

A hardware firewall is one that looks kind of like a router (a box) that
sits on your desk. The Internet connection from the DSL hub goes through
this (in and then out) and to the router or hub, which splits your
connections for all of your computers. This is running all of the time
on every connection sent in and out. Expensive ones even have POP3
scanning.

If anybody finds any good hardware firewall that is under $400 let me
know. Thanks a lot.

peace
July 21, 2004 1:55:14 PM

On Tue, 20 Jul 2004 18:13:13 -0400, Lars M. Hansen
<badnews@hansenonline.net> wrote:


>
>unless they buy Windows SBS 2003 server, they're not likely to install
>ISA either...
>

ISA runs just fine on server 2k and above.


greg

--
Can you hear me?
Can you see me?
Can you feel me?
I don't understand you
July 21, 2004 4:09:01 PM

In article <bd8sf095s8ls3e5klp2eq5be6916cc9lsu@4ax.com>, me@privacy.net
says...
> On Tue, 20 Jul 2004 18:13:13 -0400, Lars M. Hansen
> <badnews@hansenonline.net> wrote:
>
>
> >
> >unless they buy Windows SBS 2003 server, they're not likely to install
> >ISA either...
> >
>
> ISA runs just fine on server 2k and above.

Yea, but the only people I see with ISA are the ones running SBS. There
are so many better options out there that there is no real good reason
to run ISA.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
July 21, 2004 6:02:01 PM

On Wed, 21 Jul 2004 12:09:01 GMT, Leythos <void@nowhere.com> wrote:

>In article <bd8sf095s8ls3e5klp2eq5be6916cc9lsu@4ax.com>, me@privacy.net

>> ISA runs just fine on server 2k and above.
>
>Yea, but the only people I see with ISA are the ones running SBS. There
>are so many better options out there that there is no real good reason
>to run ISA.
>

Take a look at ISA 2004, its a significant improvement on what MS has
laughingly called a firewall previously.

The centralised management and L7 inspection is very impressive.



greg


--
Can you hear me?
Can you see me?
Can you feel me?
I don't understand you
July 21, 2004 6:29:33 PM

On Wed, 21 Jul 2004 09:55:14 +0100, Greg Hennessy spoketh

>On Tue, 20 Jul 2004 18:13:13 -0400, Lars M. Hansen
><badnews@hansenonline.net> wrote:
>
>
>>
>>unless they buy Windows SBS 2003 server, they're not likely to install
>>ISA either...
>>
>
>ISA runs just fine on server 2k and above.
>
>
>greg

I wasn't trying to imply that it didn't work with anything else, merely
that ISA server comes with the SBS package (at least one of them), and I
can see that if someone want to set up just a small site, then that
might be a good avenue...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
July 22, 2004 11:55:37 AM

I tested the beta release of ISA 2004 and I agree it is a very impressive
product. Anyway, I could add that this new ISA MUST be installed over Windows
2003 Server, not over 2000. And Microsoft took a long time to produce SP1
for W2003, so this makes ISA 2004 unsafe if you are not very careful while
installing W2003 and ISA.

ISA 2004 is not a bad security product... the only problem is that it is based
on an operating system with serious problems in security... or I must say
serious problems in configuring the security.

I'm planning for my organization a solution of two firewalls (sandwich-like),
and the external one will be ISA 2004 almost for sure and the internal one
will be the one I trust. I think this will give us a chance to test how
strong ISA 2004 is.

Best Regards,
Fidelio

"Greg Hennessy" <me@privacy.net> wrote in message
news:t4qsf096cm9k0g61elgpesbcdf8btbvug6@4ax.com...
> On Wed, 21 Jul 2004 12:09:01 GMT, Leythos <void@nowhere.com> wrote:
>
> >In article <bd8sf095s8ls3e5klp2eq5be6916cc9lsu@4ax.com>, me@privacy.net
>
> >> ISA runs just fine on server 2k and above.
> >
> >Yea, but the only people I see with ISA are the ones running SBS. There
> >are so many better options out there that there is no real good reason
> >to run ISA.
> >
>
> Take a look at ISA 2004, its a significant improvement on what MS has
> laughingly called a firewall previously.
>
> The centralised management and L7 inspection is very impressive.
>
>
>
> greg
>
>
> --
> Can you hear me?
> Can you see me?
> Can you feel me?
> I don't understand you
July 22, 2004 1:45:44 PM

On Thu, 22 Jul 2004 07:55:37 +0200, "Fidelio" <Fidelio@arrakis.net> wrote:

>I tested the beta release of ISA 2004 and I agree is very impressive
>product. Anyway I could add that this new ISA MUST be installed over Windows
>2003 Server not over 2000.

I didn't have any problems running the beta on win2k server here.

It can also in place upgrade ISA 2000 installations with the following
limitations

"If you install ISA Server on a Windows 2000 operating system, note the
following functional differences:

You cannot configure the L2TP IPSec preshared key.
Quarantine mode for VPN clients is not supported when using RADIUS policy.
All ISA Server services run using the local system account. "

Personally I wouldn't terminate remote user VPNs on any firewall, not when
there are excellent dedicated appliances such as Cisco's VPN Concentrator 3000
out there.


>ISA 2004 is not a bad security product... the only problem is that is based
>over a operating system with serious problems on security...or I must say
>serious problem while configuring the security.

Apply the patch punch lists and harden the box accordingly.

No different than installing a commercial firewall product onto any other
general purpose OS.

The only GP OS I know of which doesn't require hardening before production
is OpenBSD.

>I'm planning for my organization a solution of two firewall (sandwitch like)
>and the external one will be ISA 2004 almost for sure and the internal one
>will be the one I trust. I think this will give us a chance to test how
>strong is ISA 2004.


As a packet filtering firewall, I am sure it'll work fine.


greg
--
Can you hear me?
Can you see me?
Can you feel me?
I don't understand you
July 28, 2004 4:32:20 PM

In article <e656619d.0407202253.635d27f6@posting.google.com>,
need4speed850@yahoo.com says...
> > I'm not familiar with "hardware firewalls", never having used one. The term
> > appliance seems a little awkward, but any way that you describe it, it would
> > necessarily have to be software driven. The only question I would have
> > would be the updating of the software in the "appliance" (hardware
> > firewall). How often is this updated and how? Thinking further, I used a
> > 2Wire DSL interface for a while a couple of years ago. Would this be
> > classified as a "hardware firewall/appliance" that is being talked about?
> >
> > DDDD
>
> A hardware firewall is one that looks kind of like a router (a box) that
> sits on your desk. The Internet connection from the DSL hub goes through
> this (in and then out) and to the router or hub, which splits your
> connections for all of your computers. This is running all of the time
> on every connection sent in and out. Expensive ones even have POP3
> scanning.
>
> If anybody finds any good hardware firewall that is under $400 let me
> know. Thanks a lot.

WatchGuard has a SOHO unit for just under $400, but it's limited to 10
internal IP for that price - you can purchase 25 more for about $90.
--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
August 3, 2004 11:19:38 PM

On Tue, 20 Jul 2004 at 11:17 GMT, Lars M Hansen <badnews@hansenonline.net>
spewed into the usenet group comp.security.firewalls:
<snip>

A late response, since I have been away from my computer for a few days.

> "Hardware firewall" has become (like it or not) synonymous with firewall
> appliance. Now the problem is how to define a firewall appliance ...
>
> The way I try to put it is: A firewall appliance is a dedicated unit
> that does not run a user-oriented operating system, has no regular
> computer connections (ie keyboard, mouse, monitor) other than ethernet
> and a console/serial port, and its only task is to work as a firewall.

Hmmm, I would define a firewall "appliance" as a bastion host with a remote
administration GUI/CLI fitted in a small form factor case.

> That makes Pix a firewall appliance, as well as all the watchguards,
> sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
> boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
> meet these criteria.

How many of those are real firewalls? I mean those which act at layer 7, and
not just fancy packet filters.

A firewall is a security system which separates two or more networks with
differing security requirements.
All firewalls are software firewalls, not hardware. Firmware is still
software. A hardware firewall would be etched in silicon.

(Layer n refers to the OSI model).

A minimally useful firewall acts as a stateless packet filter.
A slightly more useful firewall is one with layer 3 session tracking
capabilities.

A more buzzworded firewall is a stateful packet filter with deep inspection.

A good firewall is one which understands the protocol, and actually
validates the layer 7 data.

My normal design for a firewall would be:

Untrusted network ==>|| Packet filter ==> ALG || ==> more trusted network.

The firewall sits between the ||. The ALG (Application Layer Gateway/Proxy)
is per protocol and may be mapped to multiple hosts (depending on protocol
and load). The packet filter just gets rid of the noise.
All these systems sit on top of hardened bastion hosts and do nothing except
filter traffic.

Typically, an appliance is designed to be used by non experts. A TV is an
appliance. A car is an appliance, as is a toaster. A PC is not an appliance.

A firewall cannot be made into an appliance, because the purpose of a
firewall is to implement a security policy, and this is different for every
organisation/user. You do need to understand what you are doing when
implementing a firewall. There is no substitute for user education and
enlightenment.
There is also no substitute for using hardened software on all internal
nodes. A firewall is a bandage for insecure software, and avoiding the use
of such software itself is a very large reduction in risk [1].

Devdas "Just say no" Bhagat

[1] I know software cannot be proven secure, but using software with a track
record for good security is much better than using software without such a
record. See Postfix/Qmail/Exim vs Exchange on the Internet, or Mozilla vs
IE, or Mozilla/Thunderbird/Eudora vs Outlook/Outlook Express.
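The tiers Devdas lists above (stateless packet filter, layer 3/4 session tracking, and a layer-7 ALG sitting behind the packet filter) as an added Python model. This is not code from any poster, product or project in the thread; the packets, addresses, the single published web server and the HTTP request-line rules are all constructed for the example. The model shows concretely why the post calls the first two "fancy packet filters": an unsolicited ACK passes the stateless rule, is stopped by session tracking, and non-HTTP bytes on port 80 pass both but are stopped only by the ALG.

```python
"""Toy model of the firewall tiers in the thread: stateless packet filter,
session-tracking (stateful) filter, HTTP application-layer gateway (ALG).
Added example; all packets, addresses and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = untrusted -> trusted, "out" = trusted -> untrusted
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


WEB_SERVER = ("10.0.0.80", 80)   # constructed: the only service published inbound


def stateless_filter(pkt):
    """Header fields only, no memory. The classic 'ACK set, high port' rule is
    the only way a stateless filter can admit replies, and it cannot tell a
    genuine reply from an unsolicited ACK."""
    if pkt.direction == "out" or (pkt.dst, pkt.dport) == WEB_SERVER:
        return True
    return pkt.ack and pkt.dport > 1023


class StatefulFilter:
    """Layer 3/4 session tracking: inbound packets pass only if they open the
    published service or belong to a session already recorded."""

    def __init__(self):
        self.sessions = set()   # (initiator, port, responder, port)

    def check(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn and not pkt.ack:          # new session attempt
            if pkt.direction == "out" or (pkt.dst, pkt.dport) == WEB_SERVER:
                self.sessions.add(flow)
                return True
            return False
        if pkt.direction == "out":
            return True
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return flow in self.sessions or reverse in self.sessions


HTTP_METHODS = {"GET", "HEAD", "POST"}
HTTP_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


def http_alg(payload):
    """Layer-7 validation: relay only a well-formed HTTP request line; drop
    tunnelled binary protocols and malformed requests instead of forwarding."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False
    parts = line.split(" ")
    if len(parts) != 3 or not line.isprintable():
        return False
    method, target, version = parts
    return method in HTTP_METHODS and target.startswith("/") and version in HTTP_VERSIONS


def layer7_ok(pkt):
    """The ALG is per protocol: mapped to the web server, data packets only."""
    if (pkt.dst, pkt.dport) != WEB_SERVER or not pkt.payload:
        return True
    return http_alg(pkt.payload)


def run_pipeline(named_packets):
    """Untrusted ==>|| packet filter ==> ALG || ==> trusted. Returns per packet
    (stateless verdict, stateful verdict, final verdict of stateful + ALG)."""
    stateful = StatefulFilter()
    verdicts = {}
    for name, pkt in named_packets:
        sl, sf = stateless_filter(pkt), stateful.check(pkt)
        verdicts[name] = (sl, sf, sf and layer7_ok(pkt))
    return verdicts


def demo():
    """Constructed traffic: a client browsing out, an outside host using the
    published web server, and one stray ACK aimed at a high port."""
    client, web, outside = "10.0.0.5", "10.0.0.80", "198.51.100.7"
    traffic = [
        ("outbound SYN", Packet("out", client, 40000, "203.0.113.9", 443, syn=True)),
        ("reply SYN/ACK", Packet("in", "203.0.113.9", 443, client, 40000, syn=True, ack=True)),
        ("unsolicited ACK, no session", Packet("in", outside, 31337, client, 40001, ack=True)),
        ("inbound SYN to web", Packet("in", outside, 5555, web, 80, syn=True)),
        ("HTTP request", Packet("in", outside, 5555, web, 80, ack=True,
                                payload=b"GET /index.html HTTP/1.1\r\nHost: web\r\n\r\n")),
        ("non-HTTP bytes on port 80", Packet("in", outside, 5555, web, 80, ack=True,
                                             payload=b"\x16\x03\x01\x00\x2f\x01\x00")),
    ]
    return run_pipeline(traffic)


if __name__ == "__main__":
    for name, (sl, sf, final) in demo().items():
        print(f"{name:28} stateless={sl!s:5} stateful={sf!s:5} filter+ALG={final}")
```

Running it prints one line per constructed packet with the three verdicts side by side. The ALG here checks only the request line; a real proxy would also parse headers and bodies, but the division of labour is the one the post describes: the packet filter drops the noise first, and only the protocol-aware stage decides what the server actually receives.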
August 3, 2004 11:19:39 PM


On 3 Aug 2004 19:19:38 GMT, Devdas Bhagat spoketh

>
>Hmmm, I would define a firewall "appliance" as a bastion host with a remote
>administration GUI/CLI fitted in a small form factor case.

Too broad. That would include any installation of Checkpoint and SEF
running on a 1U or 2U box with Unix or Windows...

>
>> That makes Pix a firewall appliance, as well as all the watchguards,
>> sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
>> boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
>> meet these criteria.
>
>How many of those are real firewalls? I mean those which act at layer 7, and
>not just fancy packet filters.
>

Application proxies are not a requirement for it being a firewall. All
of those are as real as firewalls gets. If you prefer application
proxies, then that is your call.

>All firewalls are software firewalls, not hardware. Firmware is still
>software. A hardware firewall would be etched in Silicon.
>

A moot point. All hardware has software, including elevators. That
doesn't make elevators software. "Hardware firewall" is a bad word, and
I'm not advocating the use of that term, but rather "firewall
appliance". However, the two terms have become synonymous in the popular
media...


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
August 6, 2004 3:47:41 AM


Lars M. Hansen <badnews@hansenonline.net> wrote in
news:uguvg0l6jl0id2vdfrfeehd7hkpe5ujtnd@4ax.com:

> On 3 Aug 2004 19:19:38 GMT, Devdas Bhagat spoketh
>
>>
>>Hmmm, I would define a firewall "appliance" as a bastion host with a
>>remote administration GUI/CLI fitted in a small form factor case.
>
> Too broad. That would include any installation of Checkpoint and SEF
> running on a 1U or 2U box with Unix or Windows...
>
>>


I have IPCop running on an old PC box. It has a keyboard and a mouse
attached, but no monitor.

What terminology would you use to describe it?

For those who don't know, IPCop is a Linux distribution that is designed
specifically to be a firewall. It is 25Mb. It does not have any services
that do not help it be a firewall (no sendmail, no FTP, no [...]).

I use it more for outbound access control than security, btw. I block a
variety of ports and IP addresses.

Bob

--
Delete the inverse SPAM to reply
August 6, 2004 4:21:49 AM


In article <Xns953CC9E7DDC64bobatcarolnet@207.69.154.205>, usenetMAPS@
2fiddles.com says...
> I have IPCop running on an old PC box. It has a keyboard and a mouse
> attached, but no monitor.
>
> What terminology would you use to describe it?

While I'm not Lars, I strongly bring up the differences between an
appliance and a PC based system.

I would call IPCop, running on any PC, no matter how limited the PC is,
a personal firewall. IPCop is about as close to an appliance as you can
get without being an appliance; it's a very good choice for a limited
firewall that is also secure.

The key thing with IPCop is not having anything available other than the
firewall config - nothing else can run on it.

--
spamfree999@rrohio.com
(Remove 999 to reply to me)
August 6, 2004 6:48:08 AM


Leythos <void@nowhere.com> wrote in news:MPG.1b7c997bbdeb0ac098a875@news-
server.columbus.rr.com:

> In article <Xns953CC9E7DDC64bobatcarolnet@207.69.154.205>, usenetMAPS@
> 2fiddles.com says...
>> I have IPCop running on an old PC box. It has a keyboard and a mouse
>> attached, but no monitor.
>>
>> What terminology would you use to describe it?
>
> While I'm not Lars, I strongly bring up the differences between an
> appliance and a PC based system.
>
> I would call IPCop, running on any PC, no matter how limited the PC is,
> a personal firewall. IPCop is about as close to a appliance as you can
> get without being an appliance, it's a very good choice for a limited
> firewall that is also secure.

But it's not really a *personal* firewall if I'm putting it on a separate
box between the switch and the DSL modem (when there's an entire office on
the switch). I am using it in part (as a network administrator of sorts) to
control what other people in the office can do (at my employer's request).

Bob


--
Delete the inverse SPAM to reply
August 6, 2004 7:03:17 AM


In article <Xns953CE880345A9bobatcarolnet@207.69.154.205>, usenetMAPS@
2fiddles.com says...
> Leythos <void@nowhere.com> wrote in news:MPG.1b7c997bbdeb0ac098a875@news-
> server.columbus.rr.com:
>
> > In article <Xns953CC9E7DDC64bobatcarolnet@207.69.154.205>, usenetMAPS@
> > 2fiddles.com says...
> >> I have IPCop running on an old PC box. It has a keyboard and a mouse
> >> attached, but no monitor.
> >>
> >> What terminology would you use to describe it?
> >
> > While I'm not Lars, I strongly bring up the differences between an
> > appliance and a PC based system.
> >
> > I would call IPCop, running on any PC, no matter how limited the PC is,
> > a personal firewall. IPCop is about as close to a appliance as you can
> > get without being an appliance, it's a very good choice for a limited
> > firewall that is also secure.
>
> But it's not really a *personal* firewall if I'm putting it on a separate
> box between the switch and the DSL modem (when there's an entire office on
> the switch). I am using it in part (as a network administrator of sorts) to
> control what other people in the office can do (at my employer's request).

As long as we can agree that the system is doing nothing other than
acting as a firewall, that no-one is/can install anything on it, and
that the rules/app has been certified by some recognised standard, then,
while not an appliance, it is the same type of install as Checkpoint's
FW-1 system (which also runs on a stripped down nix version). Next to an
appliance, the above is the best you can get.


--
spamfree999@rrohio.com
(Remove 999 to reply to me)
August 6, 2004 11:59:11 AM


On Thu, 05 Aug 2004 23:47:41 GMT, bob spoketh

>
>I have IPCop running on an old PC box. It has a keyboard and a mouse
>attached, but no monitor.
>
>What terminology would you use to describe it?
>

Well, it's not an appliance. It's a standard PC running fairly standard
OS with a software firewall on it. That doesn't make it much different
from a Windows computer running Checkpoint...

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
August 8, 2004 6:56:04 AM


Lars M. Hansen <badnews@hansenonline.net> wrote in
news:ehs6h09a66jto25pck1svvbrv4ae74429e@4ax.com:

> On Thu, 05 Aug 2004 23:47:41 GMT, bob spoketh
>
>>
>>I have IPCop running on an old PC box. It has a keyboard and a mouse
>>attached, but no monitor.
>>
>>What terminology would you use to describe it?
>>
>
> Well, it's not an appliance. It's a standard PC running fairly standard
> OS with a software firewall on it. That doesn't make it much different
> from a Windows computer running Checkpoint...

Maybe a little? If it was a Windows computer, people would be tempted to
use it for other purposes. At least in our office... And Windows seems to
have a lot more ifs, ands, and buts.

Bob

--
Delete the inverse SPAM to reply
August 8, 2004 12:07:22 PM


On Sun, 08 Aug 2004 02:56:04 GMT, bob spoketh

>Lars M. Hansen <badnews@hansenonline.net> wrote in
>news:ehs6h09a66jto25pck1svvbrv4ae74429e@4ax.com:
>
>> On Thu, 05 Aug 2004 23:47:41 GMT, bob spoketh
>>
>>>
>>>I have IPCop running on an old PC box. It has a keyboard and a mouse
>>>attached, but no monitor.
>>>
>>>What terminology would you use to describe it?
>>>
>>
>> Well, it's not an appliance. It's a standard PC running fairly standard
>> OS with a software firewall on it. That doesn't make it much different
>> from a Windows computer running Checkpoint...
>
>Maybe a little? If it was a Windows computer, people would be tempted to
>use it for other purposes. At least in our office... And Windows seems to
>have a lot more if, ands, and buts.
>
>Bob

If someone tried to use our firewall (windows with Symantec Enterprise
Firewall) for anything other than firewall related, I would take them
out back and shoot them...

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
August 8, 2004 4:10:08 PM


In article <7q5ch01avcvc0mhl7g4derqskbj506b162@4ax.com>,
badnews@hansenonline.net says...
> If someone tried to use our firewall (windows with Symantec Enterprise
> Firewall) for anything other than firewall related, I would take them
> out back and shoot them...

Lars - this is what separates people that understand firewalls from
people that are not security professionals. Everyone that doesn't
believe in the above is just a wanna-be or someone just trolling.

It's still amazing at how many places I can go to, for an assessment,
that are running something on their firewall in addition to the
firewall. What's more amazing is how many people have access to the
firewall system "in case we need to open a port for something" :) 

--
spamfree999@rrohio.com
(Remove 999 to reply to me)