Subject: Linux/BSD vs. CKP (was: Re: [FW1] Unbaised Firewall-1 vs Pix Reviews ??)
Greetings!

[email protected] schrieb:
> I am being asked to justify Firewall-1 vs (netfilter | ipf).
>
> The ONLY thing that I can say is that Firewall-1 has state sharing, where
> as neither of the others do... yet. (likely in version 4.x of ipf?)
>
> Can anyone tell me why I would pay BIG money for the checkpoint
> license? When I could put that money towards a load balancing
> switch? (which a lot of ppl do anyway!)

The main difference on the outside: the nice-looking GUI for FW-1 that comes as default (well, if properly licensed). But there are already GUIs emerging for IPChains/IPFilter.

The main difference on the inside: FW-1 does look into (some of) the packets. With this you can e.g. allow MS-Exchange (via MS-RPCs) without allowing all MS-RPCs, filter on mail-address patterns, etc. So the term "stateful INSPECTion" comes from these inspect modules, that do additional checks on the data stream. Where Linux/*BSD {net|ip}filter allow all protocols through TCP/80 when you allow HTTP, Checkpoint e.g. checks whether the first packet starts with {GET|POST|PUT|HEAD} - so tunneling is a bit more complicated through a CKP.

But these checks are quite sparse and quite sketchy. For comparison: a(ny) decent proxy or true application-level gateways (Raptor, TIS/Gauntlet) are a totally different class with respect to protocol checks. So combining a dynamic (*BSD/Linux) packet filter with a filtering proxy will IMHO give better protection than a single FW-1 (but FW-1 + proxy will again step ahead of that combination, granted).

Another (quite paradoxical) problem for management is that justifying costs for a firewall machine and software (and admin) seems to be much easier than just an admin who is "doing nearly nothing": refitting old "throwaway" desktops into FWs and gateway systems just does not crop up as a cost in balance sheets. Management calculation seems to be: no costs =?= no production...

Only a properly configured gateway is a secure one. I have once seen a company's WinNT DC with MS-Exchange running - used as "firewall" (okay, FW-1 was installed and there were a few deny-rules, but these were as "tight" as rotted swiss cheese) - no comment needed on this one...

So in either case (Linux/*BSD or CKP FW-1) you need an admin who excels on the chosen setup. And these are not easy to come by - for neither product. A certification (like CCSA/CCSE) is an indicator at best - but does not really tell about the security-job qualities of the person. Nowadays "everyone" says that the TCO of a Linux rollout will be bigger because of the higher admin costs - but I can assure you that certified/qualified Sun/Checkpoint admins are not a bit cheaper (best case)...

Bye

Volker

--
Volker Tanger <[email protected]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
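The "first packet on TCP/80 must start with {GET|POST|PUT|HEAD}" check that the mail contrasts with a plain port-based packet filter, as an added illustration that is not part of the original post and not Check Point's or netfilter's code. The function names, the method set and the sample payloads are constructed for this example.

```python
import re

# Methods the mail names as the ones the inspect module looks for (constructed
# allow-list for this example; a real deployment would tune it).
HTTP_METHODS = {"GET", "POST", "PUT", "HEAD"}

# A minimal HTTP/1.x request line: METHOD SP target SP HTTP/major.minor CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")


def classify_first_payload(payload: bytes) -> str:
    """Classify the first client payload of a TCP/80 stream.

    Returns "http" for a plausible request line with a permitted method,
    "other-method" for well-formed HTTP with a method outside the allow-list,
    and "not-http" when the bytes are not an HTTP request line at all
    (an SSH banner or a TLS ClientHello, for instance).
    """
    m = REQUEST_LINE.match(payload)
    if not m:
        return "not-http"
    method = m.group(1).decode("ascii")
    if method not in HTTP_METHODS:
        return "other-method"
    return "http"


# Constructed sample "first packets" as they might arrive on port 80.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "webdav": b"PROPFIND /dav/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_8.9\r\n",
    "tls_hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}


def audit(samples=SAMPLES) -> dict:
    """Map each sample to its verdict. A port-only filter that permits TCP/80
    would have passed all four; only the request-line check tells them apart."""
    return {name: classify_first_payload(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:12s} -> {verdict}")
```

As the mail says, this is a coarse check: it inspects only the request line, not the rest of the stream, which is why a filtering proxy or application-level gateway is the stronger control.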