Gauntlet for NT as another firewall to try out.. Might as well suggest 
cutting the cable with a pair of wirecutters.

Actually, cutting the cable is probably easier than installing Gauntlet 
for NT!! The last time I installed Gauntlet for NT, the familiar Blue 
Screen of Death (BSOD) appeared multiple times. Hopefully it is fixed in 
Gauntlet 5.5.. 

/m




Kent Hundley <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/29/00 02:34 PM

To: Jon Earle <[EMAIL PROTECTED]>, Firewalls <[EMAIL PROTECTED]>
cc:
Subject: Re: Bug in Checkpoint FW-1 3.0 ?


Jon,

This is not an argument for or against FW-1 or any other firewall
product, but just an observation.  You conclude that FW-1 "works"
because traffic is passing back and forth through the firewall.  The
flaw with this logic is that you don't know whether the firewall is
really doing what it is meant to do, i.e. allow only what you want in a
secure manner.  Of course, the problem is that it's not easy to determine
whether the product is running "securely".

This is in general one of the big problems with security products.
People get them and install them according to the vendor instructions.
Traffic they want to pass through passes and the logs seem to be
blocking what they don't want.  This means the firewall works, right?
Unfortunately it may not.  This is the real dilemma behind the problem
with FW-1 that started this thread.  It was assumed that the firewall
was working because FTP traffic was passing, yet there was a flaw in the
procedure.

The critical point is that security testing is orthogonal to
functionality testing.  You cannot tell if your firewall (or other
security product) is doing what is expected by simply looking at whether
the traffic you want to allow through is working.  That is testing
functionality, not security.  Unfortunately, most of the time the job
requires functionality at the expense of security, but that's another
story (and truly testing the security is very hard).

There's a really good whitepaper that talks about security testing by
Bruce Schneier "Security in the real world: how to evaluate security
technology" at  <http://www.counterpane.com/publish.html>.  I just read
this article last week and it was still fresh in my mind as I read your
comments, so I thought it was worth sharing.  This is not a flame
against you or any product, it's an issue we all have to deal with in the
products we encounter and something we all need to keep in mind.

On another note, you might want to also consider Gauntlet as another
potential firewall product for NT.  Not telling you it's better or worse
than FW-1, but it does provide true proxy services for standard apps.
Main problem I've seen with it is that it's generally quite a bit slower
than SPF-based solutions.

Regards,
Kent


<snip>
>>Everything is simpler and easier with a stateful inspection firewall,
>>including shooting oneself in the foot.
>
<snip>
>We're currently running a FreeBSD, TIS FWTK solution which works _really_
>well.  It has been decreed however, that it is outdated and due for
>replacement (I have no say in this decision).  So... I've evaluated
>Firewall-1 and Raptor.  I found Raptor to be a low quality product, with
>poor documentation, that didn't work as advertised.  I've set up
>Firewall-1 for other clients, and it seems to be doing the job quite well.
>It's easy to manage, and aside from the painfully slow logging interface,
>appears quite reasonable.  It works as advertised, and comes with good
>documentation.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
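An added illustration of Kent's point that security testing is orthogonal to functionality testing (this is example code written for this archive page, not anything from the thread or from any vendor). It models a hypothetical, constructed ruleset where an administrator opened every high inbound port to make FTP data connections work: the functional test cases all pass, and only the negative (must-be-blocked) cases reveal the problem. The rule and flow types, port ranges and the "inside"/"outside" labels are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # constructed zone label: "inside" or "outside"
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    src: str
    proto: str
    dports: range  # destination ports this rule permits


def permitted(rules, flow):
    """Policy lookup: any matching rule permits; no match means implicit deny."""
    return any(r.src == flow.src and r.proto == flow.proto and flow.dport in r.dports
               for r in rules)


# Hypothetical over-broad ruleset: FTP control channel plus a shortcut that
# opens every unprivileged port from outside so FTP data channels "just work".
SHORTCUT_RULES = [
    Rule("outside", "tcp", range(21, 22)),
    Rule("outside", "tcp", range(1024, 65536)),
]

# Hypothetical tightened ruleset: only the FTP control channel is permitted.
TIGHT_RULES = [Rule("outside", "tcp", range(21, 22))]

# Functional cases: traffic the site wants to pass (expected outcome True).
FUNCTIONAL_CASES = [(Flow("outside", "tcp", 21), True)]

# Security cases: traffic that must be blocked (expected outcome False).
# Ports are constructed sample values, not anything observed on a real host.
SECURITY_CASES = [
    (Flow("outside", "tcp", 3389), False),
    (Flow("outside", "tcp", 8080), False),
    (Flow("outside", "udp", 21), False),
]


def failures(rules, cases):
    """Return the flows whose actual policy outcome differs from expectation."""
    return [flow for flow, expected in cases if permitted(rules, flow) != expected]
```

Both rulesets pass the functional cases, so "traffic is passing" says nothing about which one is safe; only the security cases separate them.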
