At 13:48 25/09/00 -0400, Ken Seefried wrote:
>That's possibly true. On the other hand, there is great virtue in using a
>product (free or otherwise) that lots of people are actively using. Such
>products tend to have the "problems" found and fixed quicker than an obscure
>product. YMMV.
That's true, but it is risky though. It's as if "we" have made a standard for
"usable" firewalls, but we have no authority to do that.
>What I have problem with is your followup:
>
> >Besides,
> >- Checkpoint do not support NetBSD (dunno what PIX OS is).
>
>What has this got to do with anything?
>
>If this is some backhanded way of saying that only open OSes can possibly
>securely support a firewall, Checkpoint (and Raptor, for that matter)
>support Linux. If your argument is that "only open source == secure,
>period", then you wouldn't want Checkpoint, et. al., anyway. If the
>argument is that only NetBSD is secure, well, I would conjecture that that
>isn't a universal opinion.
It's not an argument for security, it's one for usability. One generally buys a
product running an OS that he knows/likes/... be it BSD, Linux, NT,
Solaris, ...
So if one prefers NetBSD, it's an argument for. If one prefers another OS,
it's an argument against. I personally tend to believe that the BSD networking code
is a good base for firewalling (I don't mean other OSes are bad. It's simply
that I feel comfortable with a base fully documented in Stevens' TCP/IP
Illustrated).
> >- Effnet is probably faster
>
>Why is it that people consider speed a security attribute? That's less
>relevant than saying a firewall is "better" if it's "easy to use". At least
>an "easy to use" firewall has the possibility of reducing mistakes by the
>administrator. Speed and security are tradeoffs against one another, not
>compliments.
But this doesn't mean you should use the slowest product. If two products
offer comparable security levels, then you'll choose the fastest.
(That said, I have no idea of the security level provided by Effnet!)
The primary argument against proxies is performance. Now see how many
people are not using proxies.
>There are a class of users for whom the security versus speed trade off is
>relevant (very high data rate connectivity and/or extremely complicated
>security policy). Alternatively, those who insist on running their firewall
>on a Mac SE/30 (don't laugh...I've got friends that do) will be concerned
>with a firewalls efficiency.
I personally don't choose a FW for its performance, but I understand that some
people might have this concern. An example would be an ISP who just wants
to do some basic filtering without affecting the speed of its network.
>However, the *vast* majority of firewall users will overrun their upstream
>link long before they overrun their firewall. I would strongly suggest that
>firewall users should be asking "what is the most secure solution for my
>policy" followed by "what is the most manageable solution to my policy"; "is
>this firewall the fastest" is almost irrelevant when one looks at things
>objectively.
I fully agree with the approach.
regards,
mouss