[techtalk] Firewalls

Cris C. Caneda cris at mozcom.com
Tue Sep 26 13:14:23 EST 2000


you may also want to look at WatchGuard
http://www.watchguard.com

On Mon, 25 Sep 2000, curious wrote:

> > Hi,
> > I am looking a bit at firewalls today. I am trying to find a firewall
> > product that
> > - is easy to set up
> For ease of setup I would look heavily into firewall appliances (though be
> very careful.. a lot of them are just Linux boxes with ipchains and a web
> GUI selling for much more than they're worth)
> Nokia has appliances that are Firewall-1 built on a stripped down BSD
> kernel..
> intrusion.com has appliances that are built on your choice of NT or Linux
> using Firewall-1 as its firewall layer.. 
> 
> <note added after that your requirement doesn't include a GUI> research
> the needs of the company to find out if you need nothing more than a
> packet filtering firewall or something with proxies.. 
> for packet filtering: Linux with ipchains (and perhaps squid or fwtk)
> might be all you need...
> if you're paranoid perhaps OpenBSD's ipfilter is what you're looking for
> btw there is a new Linux distro based on a stripped down Red Hat:
> www.smoothwall.com designed for building firewalls
> 
> however if you're looking for a commercial solution Nokias from everyone
> I've talked to rock :)
> 
> Find out what your security policy is before determining what kind of
> firewall you're going to get.. and determine what your firewall policies are
> before you implement them...
> 
> > - requires very little maintenance
> 
> Make sure the firewall maintainer(s) are going to be provided enough time
> to go through logs to verify adherence to policy and to keep an eye on the
> bad guys.. keep backups of logs in case you have a major incident or someone
> believes your organization caused one..
> 
> 
> 
> > - has filters/interpreters to detect attacks easily and reliably
> 
> I would <HIGHLY> recommend whoever is going to maintain/build/etc the
> firewall gain some level of training in firewalls/security.. esp. vendor
> neutral stuff like SANS (www.sans.org)
> 
> > - has some automatic update procedures [for software on
> > the box, not fw-rules]
> 
> (sound of shivers running up my spine) I'm guessing (though I don't know)
> most firewalls have some kind of auto update.. however the whole concept
> of doing so sends shivers up my spine and thus I do it manually :)
> 
> 
> > 
> > By "easy to set up" I mean that it's easy to make a default script, feed
> > it with custom IP addresses and maybe a few custom rules, and then apply
> > the rules. _I_ am going to do this, not the stupid user/customer, so no
> > graphical UI is necessary.
> 
> Are you always going to be maintainer of the box?
> just something to keep in mind
> 
> > 
> > We do not want to have to reboot the server, apply lots of patches,
> > watch it very carefully etc all the time. Ideally we want to install and
> > set up a server, place it at the customer's and then only push
> > some updates to it without having to log in on it. If the product comes
> > with something like autorpm, up2date or something similar that lets us
> > configure it to get new updates from _our_ server, that's as good as push
> > tech :)
> 
> Personally, having something as <for most environments> significant as the
> firewall just "decide" to update with the vendor.. even if it can
> verify that x patch is coming from the vendor it might not be appropriate
> for the firewall and thus lead to more problems than were there to begin
> with..
> 
> 
> > 
> > The problem with e.g. plain ipchains rules on a "plain" (stripped)
> > Linux box is that it's very hard to parse the logs and detect an attack.
> > Of course we want to detect the attacks, and maybe deny the attacker
> > more access for a while, but we don't want alarms for our own activity.
> > E.g.: ssh from my machine is ok, and also a single attempt from evil.isp.com.
> > But if evil.isp.com sshs twenty times to five different users, we want an
> > alarm.
> 
> if your main concern is watching attacks then an IDS (intrusion
> detection system) is probably what you're looking for: www.snort.org is
> probably the best free IDS I've come across thus far...
> in terms of commercial ones:
> dragon:
> http://www.securitywizards.com/
> iss:
> http://www.iss.net/ (though GREATLY overpriced)
> 
> 
> > 
> > Does anyone have a good tip about what product to look at? It doesn't have
> > to be Linux-based, of course, but honestly NT isn't an option... Black boxes
> > are, though.
> 
> ahh if you have a -no black box- requirement then I would go with:
> a Linux/BSD firewall (either appliance or distro)
> snort IDS
> 
> > 
> > 
> > Magni :)
> > -- 
> > sash is very good for you.
> 
> Chris
> (yes, I work in security. However the views expressed are not necessarily
> those of my employer and these views should be taken only in the light
> of your company's security policy.. no warranty expressed or implied)
> 
> 
> 
> > 
> > _______________________________________________
> > techtalk mailing list
> > techtalk at linuxchix.org
> > http://www.linux.org.uk/mailman/listinfo/techtalk
> > 

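The alarm rule Magni asks for above (one ssh attempt from evil.isp.com is fine, twenty attempts against five users is not, and our own box never alarms), worked through as an added example; this is not code from either poster. It reads sshd's syslog lines rather than the ipchains packet log, because the kernel log records source address and port but not which user name was tried. The log format, the addresses, the ten-minute window, the thresholds and the ipchains block command it emits are all assumptions, marked as such in the code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the admin's own box; attempts from here never raise an alarm.
TRUSTED_SOURCES = {"192.0.2.10"}

ATTEMPT_THRESHOLD = 20            # alarm on the 20th failed login from one source...
USER_THRESHOLD = 5                # ...or on the 5th distinct user name it tries
WINDOW = timedelta(minutes=10)    # within this sliding window (assumed value)

# OpenSSH "Failed password" lines as syslog writes them (format assumed).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_line(line, year=2000):
    """Return (timestamp, source, user) for a failed-login line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # syslog omits the year; the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"]


class BruteForceDetector:
    def __init__(self, trusted=TRUSTED_SOURCES, attempts=ATTEMPT_THRESHOLD,
                 users=USER_THRESHOLD, window=WINDOW):
        self.trusted = set(trusted)
        self.attempts = attempts
        self.users = users
        self.window = window
        self.recent = defaultdict(deque)   # src -> (ts, user) pairs inside the window
        self.alarmed = set()               # sources already reported, to avoid repeats

    def feed(self, line):
        """Feed one log line; return an alarm string when a source crosses a threshold."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, src, user = parsed
        if src in self.trusted or src in self.alarmed:
            return None
        events = self.recent[src]
        events.append((ts, user))
        while events and ts - events[0][0] > self.window:
            events.popleft()               # drop attempts older than the window
        distinct_users = {u for _, u in events}
        if len(events) >= self.attempts or len(distinct_users) >= self.users:
            self.alarmed.add(src)
            return (f"ALARM {src}: {len(events)} failed ssh logins against "
                    f"{len(distinct_users)} users within {self.window}")
        return None


def block_command(src):
    """ipchains rule refusing further ssh from src (assumed syntax; check ipchains(8))."""
    return f"ipchains -I input -p tcp -s {src} -d 0.0.0.0/0 22 -j DENY"


def scan(lines):
    """Run the detector over a log; return (alarm messages, sorted alarmed sources)."""
    det = BruteForceDetector()
    alarms = [a for a in map(det.feed, lines) if a]
    return alarms, sorted(det.alarmed)


# Constructed sample log: one failed login from the admin box, one stray attempt
# from another host, then 20 attempts from "evil.isp.com" cycling through 5 accounts.
SAMPLE_LOG = [
    "Sep 25 22:10:01 fw sshd[1201]: Failed password for magni from 192.0.2.10 port 1022 ssh2",
    "Sep 25 22:12:40 fw sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 2211 ssh2",
] + [
    f"Sep 25 22:15:{i:02d} fw sshd[{1300 + i}]: Failed password for {u} from 203.0.113.5 port {40000 + i} ssh2"
    for i, u in enumerate(["root", "admin", "test", "guest", "oracle"] * 4)
]

if __name__ == "__main__":
    alarms, sources = scan(SAMPLE_LOG)
    for a in alarms:
        print(a)
    for s in sources:
        print(block_command(s))
```

Either threshold on its own fires the alarm, so the five-user burst is caught on the fifth distinct account rather than the twentieth attempt; a single stray attempt from an unknown host, or anything from the trusted address, stays quiet. Anything that prints a block command should be reviewed before it is run: an attacker who can spoof or proxy through a source you rely on can otherwise use the rule to lock you out.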