OSEC

From: Jason Dixon (jwdixon1yahoo.com)
Date: Wed Jan 16 2002 - 16:48:52 CST


    >1> Unless you shell out bucks for the "professional" (commercial) version of
    >the firewall, you are limited to one external IP and port forwarding via that
    >IP. This severely limits one's ability to maintain multiple servers providing
    >the same service without putting standard services on non-standard ports
    >(i.e. having to tell people to go to http://someurl.com:86/)

    Yes, but you don't have to do that either. You could always use a free
    redirector service like that found at http://mydomain.com. They can point
    your hostname to any non-standard url/port combination.

    >2> Again, unless you buy the commercial version you are not able to
    >administer policy for outbound traffic via the admin GUI, which should be a
    >concern for any administrator, regardless of trust in internal users (should
    >an attacker compromise an internal host, policies need to be in place to
    >prevent outbound attacks from your own network).

    Reverse proxy?

    >3> Although Snort is implemented on the GPL version, there are no
    >administrative facilities to add/modify/remove existing rules, nor are there
    >tools for customization of IDS policy (i.e. to prevent false positive port
    >scans from upstream DNS servers you have to manually modify the Snort config
    >files, which defeats the point of having a GUI-administered facility in the
    >first place).

    Again, I see no problem in implementing this internally, as long as your
    network can support it.

    >4> Smoothwall does not allow blocking traffic based on matches against Snort
    >rules. Thus, the box will not use signature matching to eliminate malicious
    >packets, as I think Mike intends to do.

    Agreed, no arguments there (yet).

    >5> See the following URL for a recent security review of the product and
    >independent user feedback on the attitudes of the development team:
    >
    >http://slashdot.org/article.pl?sid=02/01/09/2050237&mode=thread

    I'm not at all promoting the SmoothWall product. They have (IMHO) taken a
    promising product and limited its usefulness through the licensing you've
    touched on. There are quite a few other projects that offer the same
    functionality as theirs, albeit with a bit more administrative
    know-how. Still, I'm disappointed that you'd dig up the muck just to
    further your points. If that was the determining factor in a product's
    usefulness, would you still use OpenBSD, given Theo's history?

    Anyhoo, you've made some good points. However, as you can see, there are
    yet further choices available to work around these shortcomings.

    -Jason

