Subject: RE: [fw-wiz] Differences between firewall-packages like FW-1 and packetfilter
From: arkeltex.ru
Date: Tue May 23 2000 - 05:11:11 CDT


-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

1) It depends. You can have less than 30 users and pretty sensitive data
inside.

2) It was true some years ago. Modern free unices do usually have vpn
functionality built-in or really easy to install.

3) ..and maybe proxy software?

There is a big problem with commercial firewalls because of two
totally different approaches - the developer can make:

1) ("The Right Way"): a tool that allows a skilled security administrator
to do the things he needs much more easily and faster than he can with
freeware thingies

2) ("The Wrong Way"): a magic box with 2 or 3 network interfaces and a
big button with a "protect me!" label on it that does things relatively
close to what most customers need.

Unfortunately the 2) option provides more sales and more profit, so most
firewall vendors go that way. And - for some reasons that can be the subject
of a separate discussion - those ways are totally incompatible. Too bad, but
it looks like Gauntlet shifted from 1) to 2) with NAI. It _is_ still a
good tool, though, but I think they will fix it :-/

P.S. Firewall comparisons make me sick - all of them (except, maybe, the
one from mitten.ie.org that has gone offline forever - really, no one here
has a copy?) show the domination of The Wrong Way. "All the systems we
tested are secure - we ran ISS against them and it reported no
vulnerabilities", "This one looks like the best - it takes 15 minutes to
install and configure it", "GUI is really easy to use", "We failed to
install product X in our test labs" (hell, those idiots do testing for me!?)
and so on. Bwarf.

Ejovi Nuwere <ejoviejovi.net> said :

>
> When asked I have always explained it like this.
>
> You don't need a commercial firewall if:
> 1) You have fewer than 30 users (worth the investment for a small company?)
> 2) You do not have partners or remote offices (no need for a vpn?)
> 3) You have staff members familiar with packet filtering products
>
> Of course, this is extremely simplified, but these three rules of thumb
> (combined) can save a company anywhere between 10k-15k for software,
> hardware, training and such.
>
> e.
>
>
>
> On Fri, 19 May 2000 arkeltex.ru wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > nuqneH,
> >
> > Too bad expensive does not mean good too.
> > There are many good free things and quite a few commercial ones that
> > are worth money they cost.
> >
> > "Omar Fahnbulleh" <Otariqbellatlantic.net> said :
> >
> > > In this business being CHEAP is not good. FREE is not good. Spend the money.
> > >
> > > -----Original Message-----
> > > From: owner-firewall-wizardslists.nfr.net
> > > [mailto:owner-firewall-wizardslists.nfr.net]On Behalf Of arkeltex.ru
> > > Sent: Monday, May 15, 2000 2:58 PM
> > > To: andreaspretzsch.de
> > > Cc: firewall-wizardsnfr.net
> > > Subject: Re: [fw-wiz] Differences between firewall-packages like FW-1
> > > and packetfilter
> > >
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > >
> > > nuqneH,
> > >
> > > Andreas Pretzsch <andreaspretzsch.de> said :
> > >
> > > > I looked at some firewall-packages like FW-1 and I just don't see THE
> > > > big difference to a packet filter like in Linux 2.2/2.3 combined
> > > > with some GUI and some logfile-parser.
> > > > Taking a closer look at the packet filter in later Linux 2.3.x (or to be
> > > > more precise, the interface to it, iptables), I have the feeling this
> > > > packet filter includes everything you could do with ip-packets and the
> > > > typical protocols based on it. The same applies to the protocol-level filters
> > > > available.
> > > > For me this raises two questions:
> > > >
> > > > What advantages could I get from buying a tool like FW-1 instead of
> > > > using a glued-together solution based on iptables, a gui and a few
> > > > reporting-scripts ?
> > >
> > > Saving your time. FW-1 is not a good choice if you need a flexible
> > > solution, though.
> > >
> > > Proxy-based firewalls can provide you better control and monitoring,
> > > though.
> > >
> > > > Is there anything FW-1 (or other packages like Gauntlet) could do for
> > > > me the upper solution can't ?
> > >
> > > Yes. You did not mention VPN, authentication, content inspection and
> > > application-level control. And saving your time, again.
> > >
> > > > Let me make one restriction: I'm only talking about small and simple
> > > > firewalls, not the huge thing altavista might need ...
> > > >
> > > > My typical scenario:
> > > > A small network with a few Win-boxes in it, perhaps a few unices
> > > > too. They should be connected to the internet, mostly with masquerading,
> > > > over a linux-box, which is often running a mailserver (qmail) too.
> > > > In some cases there a few more things on the linux-box, like an apache
> > > > or a squid.
> > > > None of these networks needs really high-level-protection, as they are
> > > > of a small local bicycle-seller or so.
> > > >
> > > > A less typical scenario:
> > > > There is a DMZ with static IPs, routing a few systems (mostly NT-boxes
> > > > with proprietary software on it) to the net. All other things like
> > > > scenario 1.
> > > >
> > > > Of course I'm using two physically different networks when possible,
> > > > but what could a commercial firewall package do for me that I can't do
> > > > by hand? I mean, besides the task of glueing things together?
> > >
> > > Maybe you don't really _need_ a commercial firewall package, but it depends
> > > on how much your time costs and what level of comfort and manageability
> > > you expect from the working system.
> > >
> > > > BTW, I looked at some scripts for building packet filters and at
> > > > some predefined rule sets, but every script I looked at kills the
> > > > one or other packet defeating this-and-this attack, but none is
> > > > complete, or even near to complete.
> > >
> > > Concatenate, then ;)
> > >
> > > > Isn't there something doing the right thing (tm) for a typical
> > > > scenario? Why use a commercial package if I have to do it by hand
> > > > even with such a product?
> > >
> > > Some commercial products let you do what you need in a more efficient way.
> > > Other ones do what the developers think you need for you. It depends on
> > > your choice and how much you know about the things inside.

                                     _ _ _ _ _ _ _
 {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
 (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
 [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBOSpZPaH/mIJW9LeBAQHMvAP+LSa0mM0ELnQ5QUB46J5F1aqBt9O1cnj1
C7pi3/AQcySWiRR+deot2fM5EsAHlvgVOOWIPKVect3DWtLP2hEUIij+tnDMnKmY
ym7k24/OExk2H+MbQbtrtoMYqEI1y/Ql4Hu+9dCm8OMCF69mxdYi/bVxm0sUR5ts
ewxpwIC+ILE=
=HcXx
-----END PGP SIGNATURE-----
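The quoted question asks for a packet-filter rule set that "does the right thing" for its typical scenario (a small masqueraded LAN behind a Linux box that also runs a mail server, and sometimes apache or squid), and the reply's answer is to concatenate the partial scripts. The script below is an added example, not code from any participant in this thread: one complete default-deny iptables rule set for that scenario, so the pieces are in one place instead of spread over several scripts. The interface names, the LAN range and the list of public ports are assumptions chosen for illustration; by default the script only prints the iptables commands it would run (IPT="echo iptables"), so it can be reviewed offline, and it applies them only when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny iptables rule set for a
# small masqueraded LAN behind a Linux box that also offers SMTP (and optionally
# HTTP) to the internet. Interfaces, addresses and ports are assumed values.
#
# Dry run by default: IPT="echo iptables" prints each command instead of
# executing it. Run as root with IPT=iptables to apply the rules.

IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"                # assumed: interface facing the internet
INT_IF="${INT_IF:-eth1}"                # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed: RFC 1918 range used on the LAN
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-25 80}"   # assumed: mail server, web server

build_rules() {
    # Start from empty tables and a closed default policy for inbound and
    # forwarded traffic; anything not explicitly accepted below is dropped.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic is always local.
    $IPT -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: packets claiming a LAN source address must never arrive
    # on the external interface, whether destined for this host or forwarded.
    $IPT -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # Replies to connections that this host or the LAN initiated.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services this host offers to the internet (new inbound connections only).
    for port in $PUBLIC_TCP_PORTS; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # The LAN may open connections to the firewall itself (squid, SSH, ...)
    $IPT -A INPUT -i "$INT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # ... and out to the internet, masqueraded behind the external address.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE

    # Log, rate-limited, whatever is about to fall through to the DROP policy,
    # so the logfile parser mentioned in the question has something to work on.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

build_rules
```

The order matters: the anti-spoofing drops sit before the state match, so a forged LAN-sourced packet on the outside interface can never ride on an existing conntrack entry, and the LOG rules come last so they only see traffic nothing else accepted. To add a service later, extend PUBLIC_TCP_PORTS rather than appending an isolated rule, which keeps the whole policy readable in one place.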