[techtalk] Firewalls

Magni Onsoien magnio at pvv.ntnu.no
Mon Sep 25 12:04:28 EST 2000


Hi,
I am looking a bit at firewalls today. I am trying to find a firewall
product that
- is easy to set up
- requires very little maintenance
- has filters/interpreters to detect attacks easily and reliably
- has some automatic update procedures [for software on the box, not
fw-rules]

By "easy to set up" I mean that it's easy to make a default script, feed
it with custom IP addresses and maybe a few custom rules, and then apply
the rules. _I_ am going to do this, not the stupid user/customer, so no
graphical UI is necessary.

We do not want to have to reboot the server, apply lots of patches,
watch it very carefully etc. all the time. Ideally we want to install and
set up a server, place it at the customer's and then only push
some updates to it without having to log in on it. If the product comes
with something like autorpm, up2date or something similar that lets us
configure it to get new updates from _our_ server, that's as good as push
tech :)

The problem with e.g. plain ipchains-rules on a "plain" (stripped)
Linux box is that it's very hard to parse the logs and detect an attack.
Of course we want to detect the attacks, and maybe deny the attacker
more access for a while, but we don't want alarms for our own activity.
E.g.: ssh from my machine is ok, and also a single attempt from evil.isp.com.
But if evil.isp.com sshs twenty times to five different users, we want an
alarm.

Does anyone have a good tip about what product to look at? It mustn't be
Linux-based, of course, but honestly NT isn't an option... Black boxes
are, though.


Magni :)
-- 
sash is very good for you.
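
Added example, not part of the original post: a minimal sketch of the alarm rule described in the message (ignore our own hosts, tolerate a single attempt, alarm when one source makes twenty attempts against five different users). The log line layout, the trusted host name admin.example.org, the ten-minute window and the reading that both thresholds must be met are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the post): log line layout, the trusted host name
# and the 10-minute window. The 20-attempt / 5-user figures are the post's.
TRUSTED = {"admin.example.org"}
MAX_ATTEMPTS, MAX_USERS, WINDOW = 20, 5, timedelta(minutes=10)
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                  r"(?:Failed|Accepted) password for (\S+) from (\S+) ")

def find_alarms(lines, year=2000):
    """Return sources that reach both thresholds inside one window."""
    events = defaultdict(list)          # source -> [(time, user), ...]
    alarms = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                    # not an sshd login line
        stamp, user, src = m.groups()
        if src in TRUSTED or src in alarms:
            continue                    # own activity, or already reported
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        # Keep only this source's events that are still inside the window.
        recent = [(t, u) for t, u in events[src] if when - t <= WINDOW]
        recent.append((when, user))
        events[src] = recent
        users = {u for _, u in recent}
        if len(recent) >= MAX_ATTEMPTS and len(users) >= MAX_USERS:
            alarms.append(src)
    return alarms

def sample_log():
    """Constructed sample: trusted host, one stray attempt, one burst."""
    fmt = ("Sep 25 12:{:02d}:{:02d} fw sshd[411]: "
           "Failed password for {} from {} port 1042")
    users = ["root", "alice", "bob", "carol", "dave"]
    log = [fmt.format(0, i, "admin", "admin.example.org") for i in range(30)]
    log.append(fmt.format(1, 0, "root", "other.example.net"))
    log += [fmt.format(2, i, users[i % 5], "evil.isp.com") for i in range(20)]
    return log

if __name__ == "__main__":
    print(find_alarms(sample_log()))
```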



