[techtalk] Firewalls

curious curious at curious.org
Mon Sep 25 06:45:40 EST 2000


> Hi,
> I am looking a bit at firewalls today. I am trying to find a firewall
> product) that
> - is easy to set up
For ease of setup I would look heavily into firewall appliances (though be
very careful.. a lot of them are just linux boxes with ipchains and a web
gui selling for much more than they're worth)
nokia has appliances that are firewall-1 built on a stripped down bsd
kernel..
intrusion.com has appliances that are built on your choice of NT or linux
using firewall-1 as its firewall layer..

<note added after that your requirement doesn't include a gui> research
the needs of the company to find out if you need nothing more than a
packet filtering firewall or something with proxies..
for packet filtering: linux with ipchains (and perhaps squid or fwtk)
might be all you need...
if you're paranoid perhaps openBSD's ipfilter is what you're looking for
btw there is a new linux distro based on a stripped down redhat:
www.smoothwall.com designed for building firewalls

however if you're looking for a commercial solution, nokias from everyone
I've talked to rox :)

Find out what your security policy is before determining what kind of
firewall you're going to get.. and determine what your firewall policies are
before you implement them...

> - requires very little maintenance

Make sure the firewall maintainer(s) are going to be provided enough time
to go through logs to verify adherence to policy and to keep an eye on the
bad guys.. keep backups of logs in case you have a major incident or someone
believes your organization caused one..



> - has filters/interpretors to detect attacks easily and reliable

I would <HIGHLY> recommend whoever is going to maintain/build/etc the
firewall gain some level of training in firewalls/security.. esp. vendor
neutral stuff like sans (www.sans.org)

> - has some automatic update procedures [for software on
> the box, not fw-rules]

(sound of shivers running up my spine) I'm guessing (though I don't know)
most firewalls have some kind of auto update.. however the whole concept
of doing so sends shivers up my spine and thus I do it manually :)


> 
> By "easy to set up" I mean that it's easy to make a default script, feed
> it with custom IP-adresses and maybe a few custom rules, and then apply
> the rules. _I_ am going to do this, not the stupid user/customer, so no
> graphical UI is necessary.

Are you always going to be maintainer of the box?
just something to keep in mind

> 
> We do not want to have to reboot the server, apply lots of patches,
> watch it very carefully etc all the time. Ideally we want to install and
> set up a server, place it at the customer's and then only push
> some updates to it without having to log in on it. If the product comes
> with something like autorpm, up2date or something similar that lets us
> configure it to get new updates from _our_ server, that's as good as push
> tech :)

personally, having something as <for most environments> significant as the
firewall just "decide" to update with the vendor.. even if it can
verify that x patch is coming from the vendor it might not be appropriate
for the firewall and thus lead to more problems than were there to begin
with..


> 
> The problem with fex plain ipchains-rules on a "plain" (stripped)
> Linuxbox is that it's very hard to parse the logs and detect an attack.
> Of course we want to detect the attacks, and maybe deny the attacker
> more access for a while, but we don't want alarms for our own activity.
> Fex: ssh from my machine is ok, and also a single attempt from evil.isp.com.
> But if evil.isp.com sshs twenty times to five different users, we want an
> alarm.

if your main concern is watching attacks then an IDS (intrusion
detection system) is probably what you're looking for: www.snort.org is
probably the best free IDS I've come across thus far...
in terms of commercial ones:
dragon:
http://www.securitywizards.com/
iss:
http://www.iss.net/ (though GREATLY overpriced)


> 
> Does anyone have a good tip about what product to look at? It mustn't be
> Linux-based, of course, but honestly NT isn't an option... Black boxes
> are, though.

ahh if you have a -no black box- requirement then I would go with:
a linux/bsd firewall (either appliance or distro)
snort ids

> 
> 
> Magni :)
> -- 
> sash is very good for you.

Chris
(yes, I work in security. However the views expressed are not necessarily
those of my employer and these views should be taken only under the light
of your company's security policy.. no warranty expressed or implied)



> 
> _______________________________________________
> techtalk mailing list
> techtalk at linuxchix.org
> http://www.linux.org.uk/mailman/listinfo/techtalk
> 
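The thread above asks for exactly the kind of log correlation that a plain ipchains box does not give you: treat a single ssh attempt from an outside host as noise, ignore the administrator's own machine, but raise an alarm when one source hammers many accounts. The script below is an added example written for this page, not code from either poster, Snort, or any firewall product. It assumes OpenSSH-style syslog lines ("Failed password for USER from HOST port N ssh2"); the log lines it processes are constructed sample data, and the thresholds (twenty attempts against five distinct users within ten minutes) are the numbers Magni gives in the quoted message.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# OpenSSH-style auth log line. Lines from other daemons (e.g. ipchains
# "Packet log:" lines from the kernel) do not match and are skipped.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<source>\S+) port \d+"
)

Event = namedtuple("Event", "when result user source")
Alert = namedtuple("Alert", "source attempts users first last")


def parse_line(line):
    """Return an Event for an sshd auth line, or None for anything else."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for ordering events within one log file.
    when = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return Event(when, m["result"], m["user"], m["source"])


def find_alerts(lines, trusted, max_attempts=20, max_users=5,
                window=timedelta(minutes=10)):
    """Alert on a source that makes >= max_attempts ssh attempts against
    >= max_users distinct accounts inside one sliding time window.
    Sources in `trusted` (the admin's own machine) are never alerted on,
    and a single attempt from an unknown host never trips the threshold."""
    events = [e for e in map(parse_line, lines) if e and e.source not in trusted]
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.when)
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.when - start.when <= window]
            users = {e.user for e in in_window}
            if len(in_window) >= max_attempts and len(users) >= max_users:
                alerts.append(Alert(source, len(in_window), sorted(users),
                                    start.when, in_window[-1].when))
                break  # one alert per source is enough
    return alerts


def build_sample_log():
    """Constructed sample log: one login from the admin's box, one stray
    attempt from an outside host, twenty attempts from a hostile host
    spread over five accounts, and one ipchains kernel line as noise."""
    lines = [
        "Sep 25 06:40:01 fw sshd[1201]: Accepted password for magni from 192.168.1.10 port 40122 ssh2",
        "Sep 25 06:40:30 fw sshd[1202]: Failed password for magni from 198.51.100.3 port 51000 ssh2",
    ]
    users = ["root", "admin", "magni", "guest", "test"]
    for i in range(20):
        minute = 41 + i // 10
        second = (i % 10) * 5
        lines.append(
            f"Sep 25 06:{minute}:{second:02d} fw sshd[{1300 + i}]: Failed password "
            f"for invalid user {users[i % 5]} from 203.0.113.7 port {52000 + i} ssh2"
        )
    lines.append("Sep 25 06:45:00 fw kernel: Packet log: input DENY eth0 PROTO=6 "
                 "203.0.113.7:52100 192.168.1.1:23 L=60 S=0x00 I=0 F=0x4000 T=64")
    return lines


if __name__ == "__main__":
    # 192.168.1.10 stands in for "my machine" from the quoted message.
    for a in find_alerts(build_sample_log(), trusted={"192.168.1.10"}):
        print(f"ALARM {a.source}: {a.attempts} ssh attempts against "
              f"{len(a.users)} users ({', '.join(a.users)}) "
              f"between {a.first:%H:%M:%S} and {a.last:%H:%M:%S}")
```

Run it against a real `/var/log/auth.log` (or wherever sshd logs on the box) by feeding the file's lines to `find_alerts` with your own trusted set; the thresholds are keyword arguments so they can be tuned per customer without editing the logic. The sliding window matters: twenty attempts spread over a month is a different signal from twenty in ten minutes, and a fixed-bucket count would miss a burst straddling a bucket boundary.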