
Re: Linux/BSD vs. CKP (was: Re: [FW1] Unbiased Firewall-1 vs Pix Reviews ??)



Thank you for your email.  Well written.

As for Checkpoint examining inside the packet, you are correct.  Support
for this is also written into netfilter and is being implemented on a
protocol-by-protocol basis (which I'll admit most of the modules to support
the protocols are in beta).  Rusty Russel(l?), the lead developer for
netfilter, has said that no modules will be allowed into the kernel if they
don't have at least one free server and one free client... which means that
support for NetMeeting (if it isn't done already) will have to be done in
userspace, which will slow things down a bit.

Basically what this means is that support for the much-used protocols will
be developed very quickly (much quicker than Checkpoint), whereas support
for little-used protocols, niche protocols, will take some time.  But
isn't this the way with Checkpoint also??  (e.g. Checkpoint still doesn't
support ICQ file transfers w/NAT, which I believe is implemented in
ipchains, which is the Linux OLD firewalling technology)

Anyway, what I hate about FW-1 is the lack of control over the most fine
grained configurations.  I don't like that ANY is NOT ANY!

What I hate about netfilter is the lack of documentation.  But now that I
think of it, the only vendor (read networking/security/application/etc.
vendor) with "enough" documentation is Cisco, and CERTAINLY not
Checkpoint.  I mean, what other multimillion-dollar company with a 50%+
market share points users to an external site for documentation???
(phoneboy, we love you)  I don't like that first we had ipfwadm, then
ipchains, and now iptables!

Well... I didn't mean to rant,.... but now that I did... ^X

On Fri, 9 Feb 2001, Volker Tanger wrote:

> Greetings!
> 
> [email protected] schrieb:
> 
> > I am being asked to justify Firewall-1 vs (netfilter | ipf).
> >
> > The ONLY thing that I can say is that Firewall-1 has state sharing, whereas
> > neither of the others does... yet. (likely in version 4.x of ipf?)
> >
> > Can anyone tell me why I would pay BIG money for the Checkpoint
> > license?  When I could put that money towards a load balancing
> > switch? (which a lot of ppl do anyway!)
> 
> The main difference on the outside:
> The nice-looking GUI for FW-1 that comes as default (well, if properly licensed).  But
> there are already GUIs emerging for IPChains/IPFilter.
> 
> The main difference on the inside:
> FW-1 does look into (some of) the packets. With this you can e.g. allow MS-Exchange
> (via MS-RPCs) without allowing all MS-RPCs, filter on mail-address patterns, etc.  So
> the term "stateful INSPECTion" comes from these inspect modules, which do additional
> checks on the data stream.  Where Linux/*BSD {net|ip}filter allow all protocols
> through TCP/80 when you allow HTTP, Checkpoint e.g. checks whether the first packet
> starts with {GET|POST|PUT|HEAD} - so tunneling is a bit more complicated through a
> CKP. But these checks are quite sparse and quite sketchy.  For comparison: a(ny)
> decent proxy or true application-level gateway (Raptor, TIS/Gauntlet) is a totally
> different class with respect to protocol checks. So combining a dynamic (*BSD/Linux)
> packet filter with a filtering proxy will IMHO give better protection than a single
> FW-1 (but FW-1 + proxy will again step ahead of that combination, granted).
> 
> Another (quite paradoxical) problem for management is that justifying costs for firewall
> machine and software (and admin) seems to be much easier than just an admin who is
> "doing nearly nothing": refitting old "throwaway" desktops into FWs and gateway
> systems just does not crop up as a cost in balance sheets. Management calculation seems
> to be: no costs =?= no production...
> 
> Only a properly configured gateway is a secure one. I once saw the company's
> WinNT DC with MS-Exchange running - used as a "firewall" (okay, FW-1 was installed and
> there were a few deny rules, but these were as "tight" as rotted Swiss cheese) - no comment
> needed on this one...
> 
> So in either case (Linux/*BSD or CKP FW-1) you need an admin who excels on the
> chosen setup. And these are not easy to come by - for either product.  A
> certification (like CCSA/CCSE) is an indicator at best - but does not really tell about
> the security-job qualities of the person.  Nowadays "everyone" says that the TCO of a
> Linux rollout will be bigger because of the higher admin costs - but I can assure you
> that certified/qualified Sun/Checkpoint admins are not a bit cheaper (best case)...
> 
> Bye
>     Volker
> 
> --
> 
> Volker Tanger  <[email protected]>
>  Wrangelstr. 100, 10997 Berlin, Germany
>     DiSCON GmbH - Internet Solutions
>          http://www.discon.de/
> 
> 

-- 
--Paul
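The thread's core technical point is the difference between a port-based packet filter, which lets anything through TCP/80 once HTTP is allowed, and an inspect-style check that looks at the first client payload for {GET|POST|PUT|HEAD}. The following is an added illustration, not code from either poster, from Firewall-1, or from netfilter: the `Flow` class, the sample flows and the two policy functions are all constructed here to make the two decisions side by side, including the limitation Volker notes that only the first packet is examined.

```python
# Added example (not from the mailing-list post, FW-1, or netfilter):
# a port-only "allow HTTP" rule beside a first-packet HTTP method check.

from dataclasses import dataclass

# The four methods named in the post as what the inspect check looks for.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")


@dataclass
class Flow:
    """Simplified client->server TCP flow: destination port plus the
    client payload segments in order (hypothetical structure for this demo)."""
    dst_port: int
    segments: list  # list of bytes objects, client-to-server, in order


def port_filter_allows(flow: Flow, allowed_ports=(80,)) -> bool:
    """Plain packet-filter rule: 'allow HTTP' means allow any payload to TCP/80."""
    return flow.dst_port in allowed_ports


def inspect_allows(flow: Flow, allowed_ports=(80,)) -> bool:
    """Port rule plus an inspect-style check on the FIRST non-empty client
    payload only. Later segments of the same connection are not examined,
    which is why the post calls this kind of check sparse."""
    if flow.dst_port not in allowed_ports:
        return False
    first = next((s for s in flow.segments if s), b"")
    return first.startswith(HTTP_METHODS)


def compare(flows):
    """Return (name, port-filter decision, inspect decision) for each flow."""
    return [(name, port_filter_allows(f), inspect_allows(f)) for name, f in flows]


# Constructed sample flows (assumed values, not captured traffic).
SAMPLE_FLOWS = [
    ("plain http", Flow(80, [b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"])),
    ("ssh banner on 80", Flow(80, [b"SSH-2.0-OpenSSH_2.3\r\n"])),
    ("empty then head", Flow(80, [b"", b"HEAD /index.html HTTP/1.0\r\n\r\n"])),
    ("http on 8080", Flow(8080, [b"GET / HTTP/1.0\r\n\r\n"])),
]

if __name__ == "__main__":
    for name, port_ok, inspect_ok in compare(SAMPLE_FLOWS):
        print(f"{name:18} port-filter={port_ok!s:5} inspect={inspect_ok}")
```

Run as a script it prints one line per flow; the "ssh banner on 80" flow is the case the thread is about, passing the port rule but failing the method check, while "http on 8080" is refused by both because the port rule comes first in either policy.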