Hardware vs Software Firewall - Pros and Cons?

Archived from groups: comp.security.firewalls (More info?)

I am running Norton Internet Security Personal Firewall - but was
wondering - would security, speed, and memory requirements be any better
using a router with a hardware firewall?
  1.

    If you're talking about using a NAT router like the popular Linksys,
    D-Link... as a "hardware firewall", you would get more speed, BUT those
    security systems are only good for keeping bad traffic out; they don't stop
    programs like Trojan horses, keyloggers, etc. from communicating out to the
    Internet. A solution involving both your Norton software and a NAT router
    would be best.


    "Greg" <rezlab_nospam@sbcglobal.net> wrote in message
    news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
    > I am running Norton Internet Security Personal Firewall - but was
    > wondering - would security, speed, and memory requirements be any better
    > using a router with a hardware firewall?
    >
    >
    >
  2.

    "Greg" <rezlab_nospam@sbcglobal.net> wrote in message
    news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
    > I am running Norton Internet Security Personal Firewall - but was
    > wondering - would security, speed, and memory requirements be any better
    > using a router with a hardware firewall?

    Yes! Freeing up your computer to do your computing and leaving firewalls to
    other hardware devices will definitely improve your system's performance.
    BTW, I use only a NAT router and a good AV program and my network is up 24/7
    without issue. Safe computing is the best defense.
  3.

    Paris wrote:

    > If you're talking about using a NAT router like the popular Linksys,
    > D-Link... as a "hardware firewall", you would get more speed, BUT those
    > security systems are only good for keeping bad traffic out; they don't stop
    > programs like Trojan horses, keyloggers, etc. from communicating out to the
    > Internet.

    Neither do Personal Firewalls stop malware.

    > A solution involving both your Norton software and a NAT router
    > would be best.

    A solution involving a skilled user *is* best.

    Wolfgang
    --
    A foreign body and a foreign mind
    never welcome in the land of the blind.
    from 'Not one of us', (c) 1980 Peter Gabriel
  4.

    Maybe in this specific case a life and a girlfriend would be "best"
    ;-0
    "Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
    news:ccuvtf$ff0$3@news.shlink.de...
    > Paris wrote:
    >
    > > If you're talking about using a NAT router like the popular Linksys,
    > > D-Link... as a "hardware firewall", you would get more speed, BUT those
    > > security systems are only good for keeping bad traffic out; they don't stop
    > > programs like Trojan horses, keyloggers, etc. from communicating out to the
    > > Internet.
    >
    > Neither do Personal Firewalls stop malware.
    >
    > > A solution involving both your Norton software and a NAT router
    > > would be best.
    >
    > A solution involving a skilled user *is* best.
    >
    > Wolfgang
    > --
    > A foreign body and a foreign mind
    > never welcome in the land of the blind.
    > from 'Not one of us', (c) 1980 Peter Gabriel
  5.

    Yes, it would. Hardware based firewalls are designed to handle these
    specific areas of operation and do this faster than software based fws.
    However, they are also more expensive.

    "Greg" <rezlab_nospam@sbcglobal.net> wrote in message
    news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
    > I am running Norton Internet Security Personal Firewall - but was
    > wondering - would security, speed, and memory requirements be any better
    > using a router with a hardware firewall?
    >
    >
    >
  6.

    A hardware firewall, like a router, protects against incoming.
    It doesn't prevent outgoing; whereas a good software firewall will do
    both.

    On Mon, 19 Jul 2004 16:21:11 +0200, "Observer" <abc@def.com> wrote:

    >Yes, it would. Hardware based firewalls are designed to handle these
    >specific areas of operation and do this faster than software based fws.
    >However, they are also more expensive.
    >
    >"Greg" <rezlab_nospam@sbcglobal.net> wrote in message
    >news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
    >> I am running Norton Internet Security Personal Firewall - but was
    >> wondering - would security, speed, and memory requirements be any better
    >> using a router with a hardware firewall?
    >>
    >>
    >>
    >
  7.

    In article <p0vnf0pfojnpn6h5h8pc2qtglle6ba3a5c@4ax.com>, Nobody You Need
    To Know <> says...
    > A hardware firewall, like a router, protects against incoming.
    > It doesn't prevent outgoing; whereas a good software firewall will do
    > both.

    A router is NOT a firewall; you can't suggest that a ROUTER is a
    firewall. A hardware firewall WILL block outbound and inbound
    connections based on defined rule sets. If you had said "A ROUTER, not
    like a firewall, does not limit outbound" then you would have been on
    the right track.

    In most cases, many of the new routers provide the ability to block
    outbound by port (or port range), but many do not, and that does NOT
    make them a firewall by definition. None of the routers I've seen can
    determine the type of traffic; they only block ports.

    NOTE: ANY hardware firewall blocks in BOTH directions. Routers are just
    simple network translation devices that are over-hyped by marketing
    types as Firewalls.

    A good software firewall, running on a personal computer, is very easily
    compromised by the owner of the computer, as they are very often required
    to answer questions about permitting services/applications from
    accessing in/out bound ports. Most users, the non-technical ones that
    don't have more than one computer, end up allowing their entire private
    LAN to be trusted, which is the same as not having a personal firewall.

    > On Mon, 19 Jul 2004 16:21:11 +0200, "Observer" <abc@def.com> wrote:
    >
    > >Yes, it would. Hardware based firewalls are designed to handle these
    > >specific areas of operation and do this faster than software based fws.
    > >However, they are also more expensive.
    > >
    > >"Greg" <rezlab_nospam@sbcglobal.net> wrote in message
    > >news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
    > >> I am running Norton Internet Security Personal Firewall - but was
    > >> wondering - would security, speed, and memory requirements be any better
    > >> using a router with a hardware firewall?
    > >>
    > >>
    > >>
    > >
    >
    >

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  8.

    Nobody You Need To Know wrote:
    >
    > A hardware firewall, like a router, protects against incoming.
    > It doesn't prevent outgoing; whereas a good software firewall will do
    > both.

    Which hardware "firewall" can't do egress filtering?

    Thor

    --
    http://www.anta.net/
  9.

    Nobody You Need To Know <> wrote in
    news:p0vnf0pfojnpn6h5h8pc2qtglle6ba3a5c@4ax.com:

    > A hardware firewall, like a router, protects against incoming.
    > It doesn't prevent outgoing; whereas a good software firewall will do
    > both.
    >

    The link explains what a network FW is; FW appliances and some
    routers do meet the requirements.

    There are a few other things in the link you may want to learn about
    FW(s), hardware and software.

    http://www.firewall-software.com/firewall_faqs/what_does_firewall_do.html

    Duane :)
  10.

    I'm sorry but I consider this thread nonsense. What is a hardware
    firewall? In computing since the 70s the hardware runs software, and it is
    the software that performs a task... like being a firewall.

    So? Again... what is a hardware firewall? Is the CISCO PIX a hardware firewall?
    The CISCO PIX 515e is Intel 486 hardware. Any difference from an Intel 486
    rackable PC? They (CISCO) run something like the IOS firewall. The PC can run
    many FW software packages.

    What about the appliances that run a tiny Linux distro to run a firewall? Are
    they hard or soft? Complete nonsense.

    So the question could be... which fw is best? That's all.

    Best Regards,
    Fidelio


    > "Greg" <rezlab_nospam@sbcglobal.net> wrote in message
    > news:6eyIc.9810$nh1.9702@newssvr25.news.prodigy.com...
    > > I am running Norton Internet Security Personal Firewall - but was
    > > wondering - would security, speed, and memory requirements be any better
    > > using a router with a hardware firewall?
  11.

    On Tue, 20 Jul 2004 09:26:57 +0200, Fidelio spoketh

    >I'm sorry but I consider this thread nonsense. What is a hardware
    >firewall? In computing since the 70s the hardware runs software, and it is
    >the software that performs a task... like being a firewall.
    >
    >So? Again... what is a hardware firewall? Is the CISCO PIX a hardware firewall?
    >The CISCO PIX 515e is Intel 486 hardware. Any difference from an Intel 486
    >rackable PC? They (CISCO) run something like the IOS firewall. The PC can run
    >many FW software packages.
    >
    >What about the appliances that run a tiny Linux distro to run a firewall? Are
    >they hard or soft? Complete nonsense.
    >
    >So the question could be... which fw is best? That's all.
    >
    >Best Regards,
    >Fidelio
    >

    "Hardware firewall" has become (like it or not) synonymous with firewall
    appliance. Now the problem is how to define a firewall appliance ...

    The way I try to put it is: A firewall appliance is a dedicated unit
    that does not run a user-oriented operating system, has no regular
    computer connections (i.e. keyboard, mouse, monitor) other than ethernet
    and a console/serial port, and its only task is to work as a firewall.

    That makes Pix a firewall appliance, as well as all the watchguards,
    sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
    boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
    meet these criteria.

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  12.

    Fidelio wrote:

    > What is a hardware
    > firewall? In computing since 70s the hardware runs software and it is the
    > software the one to perform a task... like being a firewall.

    You're right - the terms "hardware firewall" and "software firewall" are
    technically incorrect. However, it is obvious that there is a need to
    distinguish between workstation software such as ICF, Sygate or Tiny, and,
    OTOH, external, dedicated firewalls.

    > What about the appliances that run a tiny Linux distro to run a firewall? Are
    > they hard or soft?

    From a penetrability viewpoint, probably the greatest difference is that
    Linux firewalls often are used to protect other hosts, whereas Windows
    "software firewalls" are typically used to protect only the workstation they
    are running on.

    Two important questions to ask are:

    - can the firewall be axiomatically compromised by obtaining superuser
    access on a/the host it protects?

    - is the firewall always able to map connection attempts to specific
    processes?

    Maybe you would like to write a draft specification of which terminology
    should be universally adopted.

    Thor

    --
    http://www.anta.net/
  13.

    In article <g7vpf0tr6sfr45kdrqlbllbmh4fbfqm1ig@4ax.com>,
    badnews@hansenonline.net says...
    > "Hardware firewall" has become (like it or not) synonymous with firewall
    > appliance. Now the problem is how to define a firewall appliance ...
    >
    > The way I try to put it is: A firewall appliance is a dedicated unit
    > that does not run a user-oriented operating system, has no regular
    > computer connections (i.e. keyboard, mouse, monitor) other than ethernet
    > and a console/serial port, and its only task is to work as a firewall.
    >
    > That makes Pix a firewall appliance, as well as all the watchguards,
    > sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
    > boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
    > meet these criteria.

    Very good example Lars - I'll have to remember this in the fight to
    explain the difference to people that are either trolls or just want to
    argue.

    One other thing I use to separate "appliances" from non-appliances - can
    you install any other (non-firewall) application on the device, if you
    can, then it's not a firewall appliance. I can't think of one appliance
    that I could install MS Office or SendMail on.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  14.

    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b66d3cb97a0967f98a7bb@news-server.columbus.rr.com...
    > In article <g7vpf0tr6sfr45kdrqlbllbmh4fbfqm1ig@4ax.com>,
    > badnews@hansenonline.net says...
    > > "Hardware firewall" has become (like it or not) synonymous with firewall
    > > appliance. Now the problem is how to define a firewall appliance ...
    > >
    > > The way I try to put it is: A firewall appliance is a dedicated unit
    > > that does not run a user-oriented operating system, has no regular
    > > computer connections (i.e. keyboard, mouse, monitor) other than ethernet
    > > and a console/serial port, and its only task is to work as a firewall.
    > >
    > > That makes Pix a firewall appliance, as well as all the watchguards,
    > > sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
    > > boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
    > > meet these criteria.
    >
    > Very good example Lars - I'll have to remember this in the fight to
    > explain the difference to people that are either trolls or just want to
    > argue.
    >
    > One other thing I use to separate "appliances" from non-appliances - can
    > you install any other (non-firewall) application on the device, if you
    > can, then it's not a firewall appliance. I can't think of one appliance
    > that I could install MS Office or SendMail on.
    >
    > --
    > --
    > spamfree999@rrohio.com
    > (Remove 999 to reply to me)

    I'm not familiar with "hardware firewalls", never having used one. The term
    appliance seems a little awkward, but any way that you describe it, it would
    necessarily have to be software driven. The only question I would have
    would be the updating of the software in the "appliance" (hardware
    firewall). How often is this updated and how? Thinking further, I used a
    2Wire DSL interface for a while a couple of years ago. Would this be
    classified as a "hardware firewall/appliance" that is being talked about?

    DDDD
  15.

    In article <3d92b$40fd0d2c$45234d07$26840@allthenewsgroups.com>,
    someone@some.one says...
    >
    > "Leythos" <void@nowhere.com> wrote in message
    > news:MPG.1b66d3cb97a0967f98a7bb@news-server.columbus.rr.com...
    > > In article <g7vpf0tr6sfr45kdrqlbllbmh4fbfqm1ig@4ax.com>,
    > > badnews@hansenonline.net says...
    > > > "Hardware firewall" has become (like it or not) synonymous with firewall
    > > > appliance. Now the problem is how to define a firewall appliance ...
    > > >
    > > > The way I try to put it is: A firewall appliance is a dedicated unit
    > > > that does not run a user-oriented operating system, has no regular
    > > > computer connections (i.e. keyboard, mouse, monitor) other than ethernet
    > > > and a console/serial port, and its only task is to work as a firewall.
    > > >
    > > > That makes Pix a firewall appliance, as well as all the watchguards,
    > > > sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
    > > > boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
    > > > meet these criteria.
    > >
    > > Very good example Lars - I'll have to remember this in the fight to
    > > explain the difference to people that are either trolls or just want to
    > > argue.
    > >
    > > One other thing I use to separate "appliances" from non-appliances - can
    > > you install any other (non-firewall) application on the device, if you
    > > can, then it's not a firewall appliance. I can't think of one appliance
    > > that I could install MS Office or SendMail on.
    > >
    > > --
    > > --
    > > spamfree999@rrohio.com
    > > (Remove 999 to reply to me)
    >
    > I'm not familiar with "hardware firewalls", never having used one. The term
    > appliance seems a little awkward, but any way that you describe it, it would
    > necessarily have to be software driven. The only question I would have
    > would be the updating of the software in the "appliance" (hardware
    > firewall). How often is this updated and how? Thinking further, I used a
    > 2Wire DSL interface for a while a couple of years ago. Would this be
    > classified as a "hardware firewall/appliance" that is being talked about?

    The appliances are updated either through a serial port or through the
    GUI provided by the vendor. All firewalls, as well as most computing
    devices, are driven by some type of firmware or software. In the case of
    an appliance, it's mostly firmware (something contained in a re-
    programmable chip) that is loaded by a boot-block of code. The firmware
    method only allows updating with the same type of firmware - meaning
    that I could not load OS/2 into my firewall's firmware and end up with an
    OS/2 computer.

    The appliance route is a dedicated device that cannot be used for
    anything else (notice, I didn't say "is not used for anything else").

    In the case of the WatchGuard firewalls, I have a vendor provided
    application suite that runs on a computer, it interfaces with the
    firewall over specific ports/protocols. The interface lets me monitor,
    change rules, update firmware, etc...

    The DSL router that you are provided (or Cable Modem) by your ISP is
    considered a "hardware" appliance, as is your managed network switch,
    your managed network aware tape vault. Your network switch (unmanaged)
    is considered to be just hardware.

    About 5 years ago the marketing types decided to start pushing Routers
    with NAT as firewalls, they only offered inbound blocking, not because
    of firewall rules, but, because of the way that NAT works. Routers that
    provide NAT are not firewalls, they are routers. Sure, you can update
    the firmware in them, but they are just routers - some of them are nicer
    than others and provide some enhanced features, but, they are still just
    routers.

    A software firewall is something that gets installed on a
    Computer/Server/Workstation that MAY also have other software installed
    on it - even if it doesn't have anything other than an OS and the
    application, it's still a software firewall (based on what we're
    discussing here). In the early days I used a Windows NT box with Sygate
    and two NICs as a dedicated solution - it was a NAT/Proxy type
    solution. I considered it to be just NAT/Proxy and nothing more, and not
    an appliance; it was a software solution.

    If I install ISA (MS's Firewall) on a dedicated computer, just for
    acting as a firewall, it's still not an appliance, it's just a software
    firewall (much like NIS or ZoneAlarm or the others).


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
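The distinction Leythos draws above (a NAT router blocks unsolicited inbound traffic only because it has no translation entry, while a firewall applies explicit rules in both directions) as an added simulation that is not part of the newsgroup thread; the two device models, and all addresses, ports and flows, are constructed for illustration:

```python
"""Stateful NAT pass-through versus rule-based egress filtering.

Added example, not from the newsgroup thread. A NAT router drops an
unsolicited inbound packet only because its translation table has no entry
for it; it translates any outbound flow, including malware calling home.
A firewall decides both directions from an explicit rule set.
All addresses, ports and flows below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Source NAT: inside (ip, port, proto) is mapped to one public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.to_public: Dict[Tuple[str, int, str], int] = {}
        self.to_inside: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def from_lan(self, pkt: Packet):
        """Any outbound packet gets (or reuses) a mapping and is forwarded."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.to_public:
            self.to_public[key] = self.next_port
            self.to_inside[(self.next_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        ext_port = self.to_public[key]
        return "forward", Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def from_wan(self, pkt: Packet):
        """Inbound is forwarded only if an inside host created the mapping first."""
        inside = self.to_inside.get((pkt.dst_port, pkt.proto))
        if inside is None:
            return "drop", None  # no rule consulted; there is simply nowhere to send it
        return "forward", Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)


@dataclass(frozen=True)
class Rule:
    direction: str           # "in" or "out"
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"


class RuleFirewall:
    """Stateful firewall: first matching rule wins, default deny in both
    directions, replies to permitted outbound flows are matched by state."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def _decide(self, direction: str, pkt: Packet) -> str:
        for r in self.rules:
            if r.direction == direction and r.dst_port in (None, pkt.dst_port):
                return r.action
        return "deny"

    def from_lan(self, pkt: Packet) -> str:
        verdict = self._decide("out", pkt)
        if verdict == "allow":
            # remember the flow so its reply can come back in
            self.flows.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        return verdict

    def from_wan(self, pkt: Packet) -> str:
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto) in self.flows:
            return "allow"
        return self._decide("in", pkt)


def run_scenarios() -> Dict[str, str]:
    """Push the same constructed traffic through both devices and collect verdicts."""
    nat = NatRouter("203.0.113.10")
    fw = RuleFirewall([Rule("out", 443, "allow"), Rule("out", 53, "allow"),
                       Rule("out", None, "deny"), Rule("in", None, "deny")])
    web = Packet("192.168.1.20", 51000, "198.51.100.5", 443)        # normal HTTPS
    probe = Packet("198.51.100.77", 40000, "203.0.113.10", 3389)    # unsolicited inbound
    callhome = Packet("192.168.1.20", 51001, "198.51.100.9", 6667)  # unexpected port
    out = {}
    verdict, xlated = nat.from_lan(web)
    out["nat_web_out"] = verdict
    out["nat_web_reply"] = nat.from_wan(Packet("198.51.100.5", 443, "203.0.113.10", xlated.src_port))[0]
    out["nat_unsolicited_in"] = nat.from_wan(probe)[0]
    out["nat_callhome_out"] = nat.from_lan(callhome)[0]  # NAT has no opinion: forwarded
    out["fw_web_out"] = fw.from_lan(web)
    out["fw_web_reply"] = fw.from_wan(Packet("198.51.100.5", 443, "192.168.1.20", 51000))
    out["fw_unsolicited_in"] = fw.from_wan(Packet("198.51.100.77", 40000, "192.168.1.20", 3389))
    out["fw_callhome_out"] = fw.from_lan(callhome)       # egress rule: denied
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

Both devices drop the unsolicited inbound probe, but only the rule-based firewall stops the outbound flow to an unexpected port; the NAT router forwards it just as it forwards the HTTPS request.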
  16.

    On Tue, 20 Jul 2004 12:35:03 GMT, Leythos spoketh

    >
    >If I install ISA (MS's Firewall) on a dedicated computer, just for
    >acting as a firewall, it's still not an appliance, it's just a software
    >firewall (much like NIS or ZoneAlarm or the others).
    >

    Perhaps it would be a better idea to compare ISA to another network
    firewall such as Checkpoint or Symantec Enterprise Firewall rather than
    a desktop security suite...

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
  17.

    In article <scsqf01u3fks0d7ldngafo680udfa3al47@4ax.com>,
    badnews@hansenonline.net says...
    > On Tue, 20 Jul 2004 12:35:03 GMT, Leythos spoketh
    >
    > >
    > >If I install ISA (MS's Firewall) on a dedicated computer, just for
    > >acting as a firewall, it's still not an appliance, it's just a software
    > >firewall (much like NIS or ZoneAlarm or the others).
    > >
    >
    > Perhaps it would be a better idea to compare ISA to another network
    > firewall such as Checkpoint or Symantec Enterprise Firewall rather than
    > a desktop security suite...

    Yes, that's more like ISA, and to be fair, I don't really expect any of
    the home/soho users to install ISA, FW1 or SEF on their computers. I
    guess I was being too literal.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  18.

    On Tue, 20 Jul 2004 20:00:42 GMT, Leythos spoketh

    >In article <scsqf01u3fks0d7ldngafo680udfa3al47@4ax.com>,
    >badnews@hansenonline.net says...
    >> On Tue, 20 Jul 2004 12:35:03 GMT, Leythos spoketh
    >>
    >> >
    >> >If I install ISA (MS's Firewall) on a dedicated computer, just for
    >> >acting as a firewall, it's still not an appliance, it's just a software
    >> >firewall (much like NIS or ZoneAlarm or the others).
    >> >
    >>
    >> Perhaps it would be a better idea to compare ISA to another network
    >> firewall such as Checkpoint or Symantec Enterprise Firewall rather than
    >> a desktop security suite...
    >
    >Yes, that's more like ISA, and to be fair, I don't really expect any of
    >the home/soho users to install ISA, FW1 or SEF on their computers. I
    >guess I was being too literal.
    >
    >--

    Unless they buy Windows SBS 2003 server, they're not likely to install
    ISA either...

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  19.

    > I'm not familiar with "hardware firewalls", never having used one. The term
    > appliance seems a little awkward, but any way that you describe it, it would
    > necessarily have to be software driven. The only question I would have
    > would be the updating of the software in the "appliance" (hardware
    > firewall). How often is this updated and how? Thinking further, I used a
    > 2Wire DSL interface for a while a couple of years ago. Would this be
    > classified as a "hardware firewall/appliance" that is being talked about?
    >
    > DDDD

    A hardware firewall is one that looks kinda like a router (a box) that
    sits on your desk. The Internet connection from the DSL hub goes through
    this (in and then out) and to the router or hub, which splits your
    connections for all of your computers. This is running all of the time
    on every connection sent in and out. Expensive ones even have POP3
    scanning.

    If anybody finds any good hardware firewall that is under $400 let me
    know. Thanks a lot.

    peace
  20.

    On Tue, 20 Jul 2004 18:13:13 -0400, Lars M. Hansen
    <badnews@hansenonline.net> wrote:


    >
    >unless they buy Windows SBS 2003 server, they're not likely to install
    >ISA either...
    >

    ISA runs just fine on server 2k and above.


    greg

    --
    Can you hear me?
    Can you see me?
    Can you feel me?
    I don't understand you
  21.

    In article <bd8sf095s8ls3e5klp2eq5be6916cc9lsu@4ax.com>, me@privacy.net
    says...
    > On Tue, 20 Jul 2004 18:13:13 -0400, Lars M. Hansen
    > <badnews@hansenonline.net> wrote:
    >
    >
    > >
    > >unless they buy Windows SBS 2003 server, they're not likely to install
    > >ISA either...
    > >
    >
    > ISA runs just fine on server 2k and above.

    Yea, but the only people I see with ISA are the ones running SBS. There
    are so many better options out there that there is no real good reason
    to run ISA.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  22.

    On Wed, 21 Jul 2004 12:09:01 GMT, Leythos <void@nowhere.com> wrote:

    >In article <bd8sf095s8ls3e5klp2eq5be6916cc9lsu@4ax.com>, me@privacy.net

    >> ISA runs just fine on server 2k and above.
    >
    >Yea, but the only people I see with ISA are the ones running SBS. There
    >are so many better options out there that there is no real good reason
    >to run ISA.
    >

    Take a look at ISA 2004, it's a significant improvement on what MS has
    laughingly called a firewall previously.

    The centralised management and L7 inspection is very impressive.


    greg


    --
    Can you hear me?
    Can you see me?
    Can you feel me?
    I don't understand you
  23.

    On Wed, 21 Jul 2004 09:55:14 +0100, Greg Hennessy spoketh

    >On Tue, 20 Jul 2004 18:13:13 -0400, Lars M. Hansen
    ><badnews@hansenonline.net> wrote:
    >
    >
    >>
    >>unless they buy Windows SBS 2003 server, they're not likely to install
    >>ISA either...
    >>
    >
    >ISA runs just fine on server 2k and above.
    >
    >
    >greg

    I wasn't trying to imply that it didn't work with anything else, merely
    that ISA server comes with the SBS package (at least one of them), and I
    can see that if someone wants to set up just a small site, then that
    might be a good avenue...

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
  24.

    I tested the beta release of ISA 2004 and I agree it is a very impressive
    product. Anyway I could add that this new ISA MUST be installed over Windows
    2003 Server, not over 2000. And Microsoft took a long time to produce the SP1
    for W2003, so this makes ISA 2004 unsafe if you are not very careful while
    installing W2003 and ISA.

    ISA 2004 is not a bad security product... the only problem is that it is based
    on an operating system with serious problems on security... or I must say
    serious problems while configuring the security.

    I'm planning for my organization a solution of two firewalls (sandwich like)
    and the external one will be ISA 2004 almost for sure and the internal one
    will be the one I trust. I think this will give us a chance to test how
    strong ISA 2004 is.

    Best Regards,
    Fidelio

    "Greg Hennessy" <me@privacy.net> wrote in message
    news:t4qsf096cm9k0g61elgpesbcdf8btbvug6@4ax.com...
    > On Wed, 21 Jul 2004 12:09:01 GMT, Leythos <void@nowhere.com> wrote:
    >
    > >In article <bd8sf095s8ls3e5klp2eq5be6916cc9lsu@4ax.com>, me@privacy.net
    >
    > >> ISA runs just fine on server 2k and above.
    > >
    > >Yea, but the only people I see with ISA are the ones running SBS. There
    > >are so many better options out there that there is no real good reason
    > >to run ISA.
    > >
    >
    > Take a look at ISA 2004, it's a significant improvement on what MS has
    > laughingly called a firewall previously.
    >
    > The centralised management and L7 inspection is very impressive.
    >
    >
    >
    > greg
    >
    >
    > --
    > Can you hear me?
    > Can you see me?
    > Can you feel me?
    > I don't understand you
  25.

    On Thu, 22 Jul 2004 07:55:37 +0200, "Fidelio" <Fidelio@arrakis.net> wrote:

    >I tested the beta release of ISA 2004 and I agree it is a very impressive
    >product. Anyway I could add that this new ISA MUST be installed over Windows
    >2003 Server, not over 2000.

    I didn't have any problems running the beta on win2k server here.

    It can also in place upgrade ISA 2000 installations with the following
    limitations

    "If you install ISA Server on a Windows 2000 operating system, note the
    following functional differences:

    You cannot configure the L2TP IPSec preshared key.
    Quarantine mode for VPN clients is not supported when using RADIUS policy.
    All ISA Server services run using the local system account. "

    Personally I wouldn't terminate remote user VPNs on any firewall, not when
    there are excellent dedicated appliances such as Cisco's VPN concentrator 3k
    out there.


    >ISA 2004 is not a bad security product... the only problem is that it is based
    >on an operating system with serious problems on security... or I must say
    >serious problems while configuring the security.

    Apply the patch punch lists and harden the box accordingly.

    No different than installing a commercial firewall product onto any other
    general purpose OS.

    The only GP OS I know of which doesn't require hardening before production
    is OpenBSD.

    >I'm planning for my organization a solution of two firewalls (sandwich like)
    >and the external one will be ISA 2004 almost for sure and the internal one
    >will be the one I trust. I think this will give us a chance to test how
    >strong ISA 2004 is.


    As a packet filtering firewall, I am sure it'll work fine.


    greg
    --
    Can you hear me?
    Can you see me?
    Can you feel me?
    I don't understand you
  26.

    In article <e656619d.0407202253.635d27f6@posting.google.com>,
    need4speed850@yahoo.com says...
    > > I'm not familiar with "hardware firewalls", never having used one. The term
    > > appliance seems a little awkward, but any way that you describe it, it would
    > > necessarily have to be software driven. The only question I would have
    > > would be the updating of the software in the "appliance" (hardware
    > > firewall). How often is this updated and how? Thinking further, I used a
    > > 2Wire DSL interface for a while a couple of years ago. Would this be
    > > classified as a "hardware firewall/appliance" that is being talked about?
    > >
    > > DDDD
    >
    > A hardware firewall is one that looks kinda like a router (a box) that
    > sits on your desk. The Internet connection from the DSL hub goes through
    > this (in and then out) and to the router or hub, which splits your
    > connections for all of your computers. This is running all of the time
    > on every connection sent in and out. Expensive ones even have POP3
    > scanning.
    >
    > If anybody finds any good hardware firewall that is under $400 let me
    > know. Thanks a lot.

    WatchGuard has a SOHO unit for just under $400, but it's limited to 10
    internal IPs for that price - you can purchase 25 more for about $90.
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  27.

    On Tue, 20 Jul 2004 at 11:17 GMT, Lars M Hansen <badnews@hansenonline.net>
    spewed into the usenet group comp.security.firewalls:
    <snip>

    A late response, since I have been away from my computer for a few days.

    > "Hardware firewall" has become (like it or not) synonymous with firewall
    > appliance. Now the problem is how to define a firewall appliance ...
    >
    > The way I try to put it is: A firewall appliance is a dedicated unit
    > that does not run a user-oriented operating system, has no regular
    > computer connections (i.e. keyboard, mouse, monitor) other than ethernet
    > and a console/serial port, and its only task is to work as a firewall.

    Hmmm, I would define a firewall "appliance" as a bastion host with a remote
    administration GUI/CLI fitted in a small form factor case.

    > That makes Pix a firewall appliance, as well as all the watchguards,
    > sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
    > boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
    > meet these criteria.

    How many of those are real firewalls? I mean those which act at layer 7, and
    not just fancy packet filters.

    A firewall is a security system which separates two or more networks with
    differing security requirements.
    All firewalls are software firewalls, not hardware. Firmware is still
    software. A hardware firewall would be etched in Silicon.

    (Layer n refers to the OSI model).

    A minimally useful firewall acts as a stateless packet filter.
    A slightly more useful firewall is one with layer 3 session tracking
    capabilities.

    A more buzzworded firewall is a stateful packet filter with deep inspection.

    A good firewall is one which understands the protocol, and actually
    validates the layer 7 data.

    My normal design for a firewall would be:

    Untrusted network ==>|| Packet filter ==> ALG || ==> more trusted network.

    The firewall sits between the ||. The ALG (Application Layer Gateway/Proxy)
    is per protocol and may be mapped to multiple hosts (depending on protocol
    and load). The packet filter just gets rid of the noise.
    All these systems sit on top of hardened bastion hosts and do nothing except
    filter traffic.

    Typically, an appliance is designed to be used by non experts. A TV is an
    appliance. A car is an appliance, as is a toaster. A PC is not an appliance.

    A firewall cannot be made into an appliance, because the purpose of a
    firewall is to implement a security policy, and this is different for every
    organisation/user. You do need to understand what you are doing when
    implementing a firewall. There is no substitute for user education and
    enlightenment.
    There is also no substitute for using hardened software on all internal
    nodes. A firewall is a bandage for insecure software, and avoiding the use
    of such software itself is a very large reduction in risk [1].

    Devdas "Just say no" Bhagat

    [1] I know software cannot be proven secure, but using software with a track
    record for good security is much better than using software without such a
    record. See Postfix/Qmail/Exim vs Exchange on the Internet, or Mozilla vs
    IE, or Mozilla/Thunderbird/Eudora vs Outlook/Outlook Express.
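    The first two rungs of the ladder above (stateless packet filter vs. layer 3/4 session tracking) in working form, as an added example that is not part of the thread: a filter that judges each packet on its header alone will accept any inbound packet carrying an ACK flag, while a session-tracking filter accepts inbound packets only when they answer a connection opened from the inside. Packets, addresses and ports are constructed for illustration.

```python
"""Added example: stateless vs. session-tracking packet filtering.
Constructed packets and addresses (203.0.113.0/24 is a documentation
range); not code from the thread or from any firewall product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    syn: bool       # TCP SYN flag set
    ack: bool       # TCP ACK flag set
    direction: str  # "in" (from untrusted side) or "out" (to untrusted side)


class StatelessFilter:
    """Rung 1: looks at each packet's own header only. The classic rule
    'inbound TCP is fine if ACK is set' cannot tell a genuine reply from
    a packet that simply has the ACK bit set and belongs to no session."""
    def allow(self, p: Packet) -> bool:
        return True if p.direction == "out" else p.ack


class StatefulFilter:
    """Rung 2: remembers sessions opened by outbound SYNs and admits an
    inbound packet only if it matches one of them (reversed 4-tuple)."""
    def __init__(self) -> None:
        self._sessions: set = set()

    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            if p.syn and not p.ack:
                self._sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self._sessions


def demo() -> dict:
    """Run one legitimate outbound connection, then feed each filter the real
    reply and an unrelated inbound packet with ACK set. Returns, per filter,
    (reply allowed?, unrelated packet allowed?)."""
    inside, outside = "10.0.0.5", "203.0.113.7"
    legit_out = Packet(inside, 40000, outside, 80, syn=True, ack=False, direction="out")
    legit_reply = Packet(outside, 80, inside, 40000, syn=True, ack=True, direction="in")
    unrelated = Packet(outside, 31337, inside, 445, syn=False, ack=True, direction="in")
    stateless, stateful = StatelessFilter(), StatefulFilter()
    for f in (stateless, stateful):
        f.allow(legit_out)
    return {"stateless": (stateless.allow(legit_reply), stateless.allow(unrelated)),
            "stateful": (stateful.allow(legit_reply), stateful.allow(unrelated))}
```

    The stateless filter passes both packets; the session-tracking filter passes only the genuine reply, which is the whole difference between the two rungs.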
  28.

    On 3 Aug 2004 19:19:38 GMT, Devdas Bhagat spoketh

    >
    >Hmmm, I would define a firewall "appliance" as a bastion host with a remote
    >administration GUI/CLI fitted in a small form factor case.

    Too broad. That would include any installation of Checkpoint and SEF
    running on a 1U or 2U box with Unix or Windows...

    >
    >> That makes Pix a firewall appliance, as well as all the watchguards,
    >> sonicwalls, the Nokia Checkpoint boxes and the Symantec gateway security
    >> boxes. Checkpoint installed on a 1U Windows (or Unix) server does not
    >> meet these criteria.
    >
    >How many of those are real firewalls? I mean those which act at layer 7, and
    >not just fancy packet filters.
    >

    Application proxies are not a requirement for it being a firewall. All
    of those are as real as firewalls gets. If you prefer application
    proxies, then that is your call.

    >All firewalls are software firewalls, not hardware. Firmware is still
    >software. A hardware firewall would be etched in Silicon.
    >

    A moot point. All hardware has software, including elevators. That
    doesn't make elevators software. "Hardware firewall" is a bad word, and
    I'm not advocating the use of that term, but rather "firewall
    appliance". However, the two terms have become synonymous in the popular
    media...


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  29.

    Lars M. Hansen <badnews@hansenonline.net> wrote in
    news:uguvg0l6jl0id2vdfrfeehd7hkpe5ujtnd@4ax.com:

    > On 3 Aug 2004 19:19:38 GMT, Devdas Bhagat spoketh
    >
    >>
    >>Hmmm, I would define a firewall "appliance" as a bastion host with a
    >>remote administration GUI/CLI fitted in a small form factor case.
    >
    > Too broad. That would include any installation of Checkpoint and SEF
    > running on a 1U or 2U box with Unix or Windows...
    >
    >>


    I have IPCop running on an old PC box. It has a keyboard and a mouse
    attached, but no monitor.

    What terminology would you use to describe it?

    For those who don't know, IPCop is a Linux distribution that is designed
    specifically to be a firewall. It is 25Mb. It does not have any services
    that do not help it be a firewall (no sendmail, no FTP, no [...]).

    I use it more for outbound access control than security, btw. I block a
    variety of ports and IP addresses.

    Bob

    --
    Delete the inverse SPAM to reply
  30.

    In article <Xns953CC9E7DDC64bobatcarolnet@207.69.154.205>, usenetMAPS@
    2fiddles.com says...
    > I have IPCop running on an old PC box. It has a keyboard and a mouse
    > attached, but no monitor.
    >
    > What terminology would you use to describe it?

    While I'm not Lars, I strongly bring up the differences between an
    appliance and a PC based system.

    I would call IPCop, running on any PC, no matter how limited the PC is,
    a personal firewall. IPCop is about as close to an appliance as you can
    get without being an appliance; it's a very good choice for a limited
    firewall that is also secure.

    The key thing with IPCop is not having anything available other than the
    firewall config - nothing else can run on it.

    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  31.

    Leythos <void@nowhere.com> wrote in news:MPG.1b7c997bbdeb0ac098a875@news-
    server.columbus.rr.com:

    > In article <Xns953CC9E7DDC64bobatcarolnet@207.69.154.205>, usenetMAPS@
    > 2fiddles.com says...
    >> I have IPCop running on an old PC box. It has a keyboard and a mouse
    >> attached, but no monitor.
    >>
    >> What terminology would you use to describe it?
    >
    > While I'm not Lars, I strongly bring up the differences between an
    > appliance and a PC based system.
    >
    > I would call IPCop, running on any PC, no matter how limited the PC is,
    > a personal firewall. IPCop is about as close to an appliance as you can
    > get without being an appliance; it's a very good choice for a limited
    > firewall that is also secure.

    But it's not really a *personal* firewall if I'm putting it on a separate
    box between the switch and the DSL modem (when there's an entire office on
    the switch). I am using it in part (as a network administrator of sorts) to
    control what other people in the office can do (at my employer's request).

    Bob


    --
    Delete the inverse SPAM to reply
  32.

    In article <Xns953CE880345A9bobatcarolnet@207.69.154.205>, usenetMAPS@
    2fiddles.com says...
    > Leythos <void@nowhere.com> wrote in news:MPG.1b7c997bbdeb0ac098a875@news-
    > server.columbus.rr.com:
    >
    > > In article <Xns953CC9E7DDC64bobatcarolnet@207.69.154.205>, usenetMAPS@
    > > 2fiddles.com says...
    > >> I have IPCop running on an old PC box. It has a keyboard and a mouse
    > >> attached, but no monitor.
    > >>
    > >> What terminology would you use to describe it?
    > >
    > > While I'm not Lars, I strongly bring up the differences between an
    > > appliance and a PC based system.
    > >
    > > I would call IPCop, running on any PC, no matter how limited the PC is,
    > > a personal firewall. IPCop is about as close to an appliance as you can
    > > get without being an appliance; it's a very good choice for a limited
    > > firewall that is also secure.
    >
    > But it's not really a *personal* firewall if I'm putting it on a separate
    > box between the switch and the DSL modem (when there's an entire office on
    > the switch). I am using it in part (as a network administrator of sorts) to
    > control what other people in the office can do (at my employer's request).

    As long as we can agree that the system is doing nothing other than
    acting as a firewall, that no-one is/can install anything on it, and
    that the rules/app has been certified by some recognised standard, then,
    while not an appliance, it is the same type of install as Checkpoint's
    FW-1 system (which also runs on a stripped down nix version). Next to an
    appliance, the above is the best you can get.


    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  33.

    On Thu, 05 Aug 2004 23:47:41 GMT, bob spoketh

    >
    >I have IPCop running on an old PC box. It has a keyboard and a mouse
    >attached, but no monitor.
    >
    >What terminology would you use to describe it?
    >

    Well, it's not an appliance. It's a standard PC running fairly standard
    OS with a software firewall on it. That doesn't make it much different
    from a Windows computer running Checkpoint...

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  34.

    Lars M. Hansen <badnews@hansenonline.net> wrote in
    news:ehs6h09a66jto25pck1svvbrv4ae74429e@4ax.com:

    > On Thu, 05 Aug 2004 23:47:41 GMT, bob spoketh
    >
    >>
    >>I have IPCop running on an old PC box. It has a keyboard and a mouse
    >>attached, but no monitor.
    >>
    >>What terminology would you use to describe it?
    >>
    >
    > Well, it's not an appliance. It's a standard PC running fairly standard
    > OS with a software firewall on it. That doesn't make it much different
    > from a Windows computer running Checkpoint...

    Maybe a little? If it were a Windows computer, people would be tempted to
    use it for other purposes. At least in our office... And Windows seems to
    have a lot more ifs, ands, and buts.

    Bob

    --
    Delete the inverse SPAM to reply
  35.

    On Sun, 08 Aug 2004 02:56:04 GMT, bob spoketh

    >Lars M. Hansen <badnews@hansenonline.net> wrote in
    >news:ehs6h09a66jto25pck1svvbrv4ae74429e@4ax.com:
    >
    >> On Thu, 05 Aug 2004 23:47:41 GMT, bob spoketh
    >>
    >>>
    >>>I have IPCop running on an old PC box. It has a keyboard and a mouse
    >>>attached, but no monitor.
    >>>
    >>>What terminology would you use to describe it?
    >>>
    >>
    >> Well, it's not an appliance. It's a standard PC running fairly standard
    >> OS with a software firewall on it. That doesn't make it much different
    >> from a Windows computer running Checkpoint...
    >
    >Maybe a little? If it was a Windows computer, people would be tempted to
    >use it for other purposes. At least in our office... And Windows seems to
    >have a lot more if, ands, and buts.
    >
    >Bob

    If someone tried to use our firewall (windows with Symantec Enterprise
    Firewall) for anything other than firewall related, I would take them
    out back and shoot them...

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  36.

    In article <7q5ch01avcvc0mhl7g4derqskbj506b162@4ax.com>,
    badnews@hansenonline.net says...
    > If someone tried to use our firewall (windows with Symantec Enterprise
    > Firewall) for anything other than firewall related, I would take them
    > out back and shoot them...

    Lars - this is what separates people that understand firewalls from
    people that are not security professionals. Everyone that doesn't
    believe in the above is just a wanna-be or someone just trolling.

    It's still amazing at how many places I can go to, for an assessment,
    that are running something on their firewall in addition to the
    firewall. What's more amazing is how many people have access to the
    firewall system "in case we need to open a port for something" :)

    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)