I meant to send this to the list as well...
-----Original Message-----
From: Randall, Mark
Sent: Wednesday, June 23, 1999 11:27 AM
To: 'Jen'
Subject: RE: Why not watchguard 2 ? (read on)
I meant my message to be positive to the IDEA of network appliances, rather
than supportive of WatchGuard in particular. That's why I posted the second
message to clarify the situation. I'm of the opinion that, given the SAME
firewall software running on a server or a network appliance, I would generally
lean toward a network appliance. The assumption being that the network
appliance type of solution is running a "stripped" or "hardened" kernel on
hardware that is designed to do a specific job. There is more potential
there for a locked-down, controlled environment than running the same
firewall software on a server.
I've not evaluated enough network appliances to recommend any in particular
and believe any such device is just a tool. Whether that particular tool is
appropriate for a particular job is another issue, which is why the
consulting is so important. Current and planned future needs must all be
considered, as well as maintenance.
-----Original Message-----
From: Jen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 22, 1999 4:02 PM
To: Randall, Mark
Cc: 'Wong Chun Meng'; '[EMAIL PROTECTED]'
Subject: Re: Why not watchguard 2 ? (read on)
I like the idea of appliances, too, but this particular appliance
(WatchGuard) lacks a lot of important features.
There are good appliances. We're looking at Nortel's (Bay's) Contivity
Extranet Switches. These devices really blow away Checkpoint for VPN
(which is what we were using previously). They're easy to manage and
the clients work great (SecuRemote has lots of user issues). They allow
secure split tunneling, unlike SecuRemote (which leaves the clients open
to connections on the Internet). They also have lots of filtering
capabilities. Nortel will be adding FW-1 to the switch as an upgrade (I
have no details on this, though).
Network Appliance has some cool products, too, but they're not firewall
related.
Jen
"Randall, Mark" wrote:
>
> Personally, I'm recommending the firewall appliance type of solution. The
> very thread on stripping an OS for firewall use is one of the big reasons.
> These appliances are built stripped and that isn't likely to change.
>
> My biggest reason is simply that I don't want to see a client tempted to run
> another service on the firewall box. I can just imagine a company that runs
> into budget constraints and wants to add network services...they see a
> perfectly good server sitting there and it's not doing anything but running
> the firewall, right?
>
> Forget the NT vs. UNIX debate. I'm tired of arguing with people that
> blindly follow Microsoft and refuse to deal with the technical facts. We
> push the idea of a network appliance. Power cable and network connections
> with perhaps a power switch on it. ;-)
>
> -----Original Message-----
> From: Wong Chun Meng [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 21, 1999 3:37 AM
> To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
> Subject: Why not watchguard 2 ? (read on)
>
> Seeing as the ongoing debate on "why not NT" is getting repetitive (on some
> points IMHO), why not use a blackbox to solve the problems of a
> weak/misconfigured OS. With a blackbox, you don't have to worry
> anymore on the OS (if you trust the stripped-down Linux OS in watchguard that
> is) but just the configuration of the firewall. So now we have the question,
> is watchguard 2 any good? Is it on par with Firewall-1 (on a solaris for nix
> sake) in terms of the firewall security (regardless of securing solaris ok)?
> I was hoping you guys can give me some input on this.
>
> As I see it, some of you guys might argue to have the ability to have some
> control over the OS. Why so? Is it really important to have full control of
> the firewall OS? I can think of one reason actually, but it's not really a
> big issue... so my question again, is it really essential?
>
> TIA for any input. I'm actually presenting this argument to some
> vendor/clients. So any comments are deeply appreciated.
>
> Wong.
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]