
Re: [FW1] Comparisons: Platforms for FW1?


Doug Weathers schrieb:

> I used to work for an organization that ran FW-1 on a Solaris box.  It worked well, but the Solaris platform was quite expensive, and the OS needed to be hardened, a procedure that took up a day or so.
> Then we installed FW-1 on it, which took another day.
> Then we configured it that night, which took us somewhat past midnight.

I would like to object. Usually the base OS installation takes about one hour - most of it the box does on its own, copying files from CD to hard disc. Installing the current Sun patch cluster takes a few hours - the box does all the copying and installing without need for manual intervention. Hardening the Solaris installation, installing the firewall software and setting up a reasonable ruleset (~30 rules) takes another

In short: 1-2 hours work plus 5 hours waiting.

With some planning you can interleave work and wait - my personal record is four working systems from scratch within one standard work day (8h).

> Then there's the physical aspect of a general-purpose computer versus a rack-mount appliance.  We had to find a place in the computer room for the Sun CPU, that huge monitor, that goofy keyboard, and that stupid clumsy mouse.  Then we had to run wires to it from the datacomm closet.  If we could have just stuck an appliance in the rack in the closet it would have saved us a lot of time.

Then choose a rack model like a Sun E220R or a Sun Netra T1 AC200 - or simply an Ultra5 "pizzabox". For operation you need neither monitor nor keyboard (just don't unplug the keyboard while running, as that will cause the Sun to initiate a shutdown). SSH and the FW1 console work just fine from a remote admin workstation. Even in extreme cases you do not need keyboard and monitor - I occasionally use my tiny Psion organizer as system console over the serial cable (port A), where I have access to the shell and even the BootPROM. What more do you need?

> Now that the firewall is as vital as routing, it makes sense that your firewall should also be moved to a purpose-built rack-mounted device, and for the same reasons.

> Anyway, to sum up:  in my opinion, "Firewall on a general purpose OS like Unix or NT - bad.  Single purpose firewall appliance - good."

Objection (at least for Unix).

A firewall is more than just packet filtering and routing. You need "immediate" alerting and log access - which means a need for extensive automated filtering. It comes in extremely handy if you can automagically filter logs and alerts, and build reports and archives with scheduled scripts.

Plus it helps a LOT if you can use the firewall as a central network sniffer (e.g. Sun's builtin SNOOP command) - especially in more complex NATing and routing environments.

And what about backup? Given spare parts I only need a few (5-15) minutes to restore the firewall (including rules and all) onto a blank system (



Volker Tanger  <[email protected]>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
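As an added illustration of the "scheduled scripts that filter logs and alerts" point above (this is editor-supplied example code, not part of Volker's post and not Check Point's own tooling): a small POSIX sh/awk filter of the kind one would run from cron on the firewall host. The log layout it parses ("date time action src dst service") is a constructed, generic format chosen for the example; it is not FW-1's real log export format, and the sample lines are constructed, not captured data.

```shell
#!/bin/sh
# Added example: scheduled firewall-log filter and alert summary.
# Assumes a whitespace-separated log layout "date time action src dst service"
# (constructed for this example; NOT Check Point's actual fw log format).

# Constructed sample log lines (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
12Mar2004 10:00:01 drop 192.0.2.10 198.51.100.5 telnet
12Mar2004 10:00:02 accept 192.0.2.11 198.51.100.5 http
12Mar2004 10:00:03 drop 192.0.2.10 198.51.100.6 ssh
12Mar2004 10:00:04 reject 192.0.2.12 198.51.100.5 smtp
12Mar2004 10:00:05 drop 192.0.2.10 198.51.100.7 ftp
12Mar2004 10:00:06 accept 192.0.2.13 198.51.100.5 http
EOF
)

# Read log lines on stdin; count denied (drop/reject) connections per
# source address. Output "count src", highest count first.
denied_per_source() {
    awk '$3 == "drop" || $3 == "reject" { n[$4]++ }
         END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Read log lines on stdin; print every source whose denied count
# reaches the threshold given as $1 (the alert condition).
alert_sources() {
    threshold="$1"
    denied_per_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Wrappers over the fixed sample so the results are checkable.
top_denied_count() {
    printf '%s\n' "$SAMPLE_LOG" | denied_per_source | head -n 1 | awk '{ print $1 }'
}

alert_list() {
    printf '%s\n' "$SAMPLE_LOG" | alert_sources 3
}

# Typical scheduled use: pipe the day's log into the filter and mail the
# result, e.g.  ... | alert_sources 50 | mail -s "fw alert" admin
# (the mail step and the threshold of 50 are illustrative assumptions).
```

In the sample, 192.0.2.10 accounts for three denied connections and is the only source that trips the threshold of 3; on a real box one would feed the exported log through the same pipeline from cron and archive the daily summary alongside the raw log.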

   All contents © 2004 Network Presence, LLC. All rights reserved.