Subject: RE: [fw-wiz] Differences between firewall-packages like FW-1 and packetfilter
From: Ejovi Nuwere (ejovi ejovi.net)
Date: Mon May 22 2000 - 11:20:28 CDT
When asked I have always explained it like this.
You don't need a commercial firewall if:
1) You have less than 30 users (worth the investment for a small company?)
2) You do not have partners or remote offices (no need for a vpn?)
3) You have staff members familiar with packet filtering products
Of course, this is extremely simplified, but these three rules of thumb
(combined) can save a company anywhere between 10k-15k for software,
hardware, training and such.
e.
On Fri, 19 May 2000 ark eltex.ru wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> Too bad expensive does not mean good too.
> There are many good free things and quite a few commercial ones that
> are worth the money they cost.
>
> "Omar Fahnbulleh" <Otariq bellatlantic.net> said :
>
> > In this business being CHEAP is not good. FREE is not good. Spend the money.
> >
> > -----Original Message-----
> > From: owner-firewall-wizards lists.nfr.net
> > [mailto:owner-firewall-wizards lists.nfr.net]On Behalf Of ark eltex.ru
> > Sent: Monday, May 15, 2000 2:58 PM
> > To: andreas pretzsch.de
> > Cc: firewall-wizards nfr.net
> > Subject: Re: [fw-wiz] Differences between firewall-packages like FW-1
> > and packetfilter
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > nuqneH,
> >
> > Andreas Pretzsch <andreas pretzsch.de> said :
> >
> > > I looked at some firewall-packages like FW-1 and I just don't see THE
> > > big difference to a packet filter like in Linux 2.2/2.3 combined
> > > with some GUI and some logfile-parser.
> > > Taking a closer look at the packet filter in later Linux 2.3.x (or to be
> > > more precise, the interface to it, iptables), I have the feeling this
> > > packet filter includes everything you could do with ip-packets and the
> > > typical protocols based on it. Same applies to the protocol-level-filters
> > > available.
> > > For me this raises two questions:
> > >
> > > What advantages could I get from buying a tool like FW-1 instead of
> > > using a glued-together solution based on iptables, a gui and a few
> > > reporting-scripts ?
> >
> > Saving your time. FW-1 is not a good choice if you need a flexible
> > solution, though.
> >
> > Proxy-based firewalls can provide you better control and monitoring,
> > though.
> >
> > > Is there anything FW-1 (or other packages like Gauntlet) could do for
> > > me the upper solution can't ?
> >
> > Yes. You did not mention VPN, authentication, content inspection and
> > application-level control. And saving your time, again.
> >
> > > Let me make one restriction: I'm only talking about small and simple
> > > firewalls, not the huge thing altavista might need ...
> > >
> > > My typical scenario:
> > > A small network with a few Win-boxes in it, perhaps a few unices
> > > too. They should be connected to the internet, mostly with masquerading,
> > > over a linux-box, which is often running a mailserver (qmail) too.
> > > In some cases there a few more things on the linux-box, like an apache
> > > or a squid.
> > > None of these networks needs really high-level-protection, as they are
> > > of a small local bicycle-seller or so.
> > >
> > > A less typical scenario:
> > > There is a DMZ with static IPs, routing a few systems (mostly NT-boxes
> > > with proprietary software on it) to the net. All other things like
> > > scenario 1.
> > >
> > > Of course I'm using two physically different networks when possible,
> > > but what could a commercial firewall-package do for me that I can't do
> > > by hand ? I mean, beside the task of glueing things together ?
> >
> > Maybe you don't really _need_ a commercial firewall package, but it depends
> > on how much your time costs and what level of comfort and manageability
> > you expect from the working system.
> >
> > > BTW, I looked at some scripts for building packet filters and at
> > > some predefined rule sets, but every script I looked at kills the
> > > one or other packet defeating this-and-this attack, but none is
> > > complete, or even near to complete.
> >
> > Concatenate, then ;)
> >
> > > Isn't there something doing the right thing (tm) for a typical
> > > scenario ? Why use a commercial packet if I have to do it by hand
> > > even with such a product ?
> >
> > Some commercial products let you do what you need in a more efficient way.
> > Other ones do what developers think you need for you. It depends on
> > your choice and how much you know about the things inside.
>
>
> _ _ _ _ _ _ _
> {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
> (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
> [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
>