Greetings!
Doug Weathers wrote:
> I used to work for an organization that ran FW-1 on a Solaris box. It worked well,
> but the Solaris platform was quite expensive, and the OS needed to be hardened, a
> procedure that took up a day or so.
> Then we installed FW-1 on it, which took another day.
> Then we configured it that night, which took us somewhat past midnight.
I would like to object. Usually the base OS installation takes about one hour - most
of it the box does on its own, copying files from CD to hard disk. Installing the
current Sun patch cluster takes a few hours - the box is all copying and installing
without need for manual intervention. Hardening the Solaris installation, installing
the firewall software and setting up a reasonable ruleset (~30 rules) takes another
hour.
In short: 1-2 hours of work plus 5 hours of waiting.
With some planning you can interleave work and wait - my personal record is four
working systems from scratch within one standard work day (8h).
> Then there's the physical aspect of a general-purpose computer versus a rack-mount
> appliance. We had to find a place in the computer room for the Sun CPU, that huge
> monitor, that goofy keyboard, and that stupid clumsy mouse. Then we had to run wires
> to it from the datacomm closet. If we could have just stuck an appliance in the rack
> in the closet it would have saved us a lot of time.
Then choose a rack model like a Sun E220R or a Sun Netra T1 AC200 - or simply an
Ultra5 "pizzabox". For operation you need neither monitor nor keyboard (just don't
unplug the keyboard while running, as that will cause the Sun to initiate a shutdown).
SSH and the FW-1 console work just fine from a remote admin workstation. Even in extreme
cases you do not need keyboard and monitor - I occasionally use my tiny Psion
organizer as the system console over the serial cable (port A), where I have access to
the shell and even the BootPROM. What more do you need?
> Now that the firewall is as vital as routing, it makes sense that your firewall
> should also be moved to a purpose-built rack-mounted device, and for the same reasons.
> Anyway, to sum up: in my opinion, "Firewall on a general purpose OS like Unix or NT
> - bad. Single purpose firewall appliance - good."
Objection (at least for Unix).
A firewall is more than just packet filtering and routing. You need "immediate"
alerting and log access - which means a need for extensive automated filtering. It
comes in extremely handy if you can automagically filter logs and alerts and build
reports and archives with scheduled scripts.
Plus it helps a LOT if you can use the firewall as a central network sniffer (e.g.
Sun's built-in SNOOP command) - especially in more complex NATing and routing
environments.
And what about backup? Given spare parts, I only need a few (5-15) minutes to restore
the firewall (including rules and all) onto a blank system
(http://www.wyae.de/software/SunBackup.tar).
Bye
Volker
--
Volker Tanger <[EMAIL PROTECTED]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/
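As an added illustration of the "scheduled scripts that filter logs and raise alerts" point made in the reply above (this is example code, not part of the original post and not Volker's SunBackup script or any Check Point tool): a small POSIX sh/awk script of the kind one would run from cron on the firewall host. The log format it parses (date, time, action, source, destination, service) is a constructed simplification, not Check Point's real log export format; the sample lines and the threshold value are constructed as well, so the field positions in the awk programs would need adapting to a real log.

```shell
#!/bin/sh
# Added example: scheduled firewall-log filter and drop report.
# Assumed (constructed) log format, one record per line:
#   date time action src dst service
# Field positions below refer to that format, not to Check Point's own export.

LOGFILE="${LOGFILE:-/tmp/fw_sample.log}"
THRESHOLD="${THRESHOLD:-3}"   # drops/rejects from one source before it is listed as an alert

# Constructed sample records so the script runs offline (RFC 5737 test addresses).
write_sample_log() {
    cat > "$LOGFILE" <<'EOF'
2001-03-12 00:01:02 accept 10.1.1.5 192.0.2.10 http
2001-03-12 00:01:05 drop 198.51.100.7 192.0.2.10 telnet
2001-03-12 00:01:06 drop 198.51.100.7 192.0.2.11 telnet
2001-03-12 00:01:09 drop 198.51.100.7 192.0.2.12 telnet
2001-03-12 00:01:15 accept 10.1.1.8 192.0.2.10 smtp
2001-03-12 00:02:00 drop 203.0.113.4 192.0.2.10 ssh
2001-03-12 00:02:30 reject 198.51.100.7 192.0.2.13 ftp
EOF
}

# Count dropped/rejected packets per source address.
# Output: "src count", one per line, highest count first.
drop_summary() {
    awk '$3 == "drop" || $3 == "reject" { n[$4]++ }
         END { for (s in n) print s, n[s] }' "$LOGFILE" | sort -k2,2nr
}

# The "immediate alert" list: only sources at or above the threshold.
alert_sources() {
    drop_summary | awk -v t="$THRESHOLD" '$2 >= t { print $1 }'
}

# Count records whose action field matches the given value (accept, drop, reject).
count_action() {
    awk -v a="$1" '$3 == a { c++ } END { print c + 0 }' "$LOGFILE"
}

# Daily report, intended to be mailed or archived from a cron job.
daily_report() {
    echo "== Firewall drop report, $(date +%Y-%m-%d) =="
    echo "Accepted:         $(count_action accept)"
    echo "Dropped/rejected: $(( $(count_action drop) + $(count_action reject) ))"
    echo "-- Sources at or above $THRESHOLD drops --"
    alert_sources
}

write_sample_log
daily_report
```

In real use the `LOGFILE` variable would point at the exported firewall log of the previous day, `daily_report` would be redirected into a dated archive file, and `alert_sources` would run from a much more frequent cron entry that mails its output when non-empty.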
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================