[linux-security] Re: compare / contrast of linux fw and others
- From: Jeremy Heffner <heffner darkness net>
- To: "Matthew S. Crocker" <matthew crocker com>
- Cc: Bringman <rob trion com>, linux-security redhat com
- Subject: [linux-security] Re: compare / contrast of linux fw and others
- Date: Wed, 04 Nov 1998 02:24:52 -0600
In message <Pine LNX 3 95 981028080106 17173A-100000 rmc1 crocker com> "Matthew S. Crocker" mumbled
>> I am the Firewall-1 administrator where I work and it has a very nice
>> GUI tool for defining objects (can be hosts, networks, DNS domains,
>> groups of hosts, etc.) and a straightforward way of building a
>> rulebase.
>
>Doesn't Firewall-1 do VPN? Virus scanning (optional), HTTP scanning
>(virus/content optional) QoS.
the http/virus scanning is generally not done by fw1 directly, it's done by
other servers via the <fill in standard proto I forget here> protocol...
>Can you do VPN with your linux solution. I love linux and have set up
>several linux firewalls. I have only played with firewall-1 for a bit and
>the GUI is the only thing I can think of which makes it a better
>'corporate' solution.
the problem with the gui, is that it also hides stuff it's sometimes
doing... which is a security problem.. makes some assumptions about what
should be running.. but hey, runs a hell of a lot better than the NAI
Gauntlet GUI (NAI owns TIS now).. 'course, FW1 has a really sick and
twisted licensing scheme.. really harsh and expensive for managing more
than one at a time..
As for VPN.. ipsec for linux.. along with ipip and friends.. FW1 only does
server to server VPNs reasonably, and generally needs other pieces (more
$$) to do client -> server type stuff.. like entrust..
you could also be really nutty and do the ppp over ssh stuff...
and we won't get into the part about being able to audit the code looking
for backdoors (PLEASEPLEASE don't start a thread on this one.. been done
many times before..)
and also the proxy/stateful inspection/packet filters.. choose which one
you like, don't start a thread.. been said many times over.. (see the other
firewall lists for more discussion on this and previous topic..)
so, in short.. often times, yes, a linux box is more than enough
protection.. as long as you have the expertise to be able to do it..
(personal opinion - if you don't, you shouldn't be running a firewall
anyways.. *shrug*)
the other really nice part about a linux based solution, is that it's
easily extensible if you're willing to write/modify code, instead of
begging and pleading with vendors...
(yes, I've been dealing with vendors too much recently..)
-jeremy (yeah, yeah, I'm a CCSA/CCSE (check point cert cruft..))
---------------------------------------------------------------------------
Jeremy Heffner -- heffner darkness net
Darkness Network Engineering
PGP public key available on request
My thoughts and opinions represent no one but myself
---------------------------------------------------------------------------