I mention Linux several times in this reply, so I hereby declare it
"on-topic". ;-)
On Wed, 13 Dec 2000, Cole Tuininga wrote:
> At my job, we have need of a fairly decent (hardware based) firewall.
Install Linux on some PC hardware. ;-)
Seriously: The term "hardware based firewall" is largely meaningless. A
dedicated firewall box, such as a SonicWall, is simply a specialized computer
running software very similar to Linux's IP filtering code. In fact, in some
cases, it actually *is* running Linux's IP filtering code. Or the filtering
code from one of the BSDs. Many people have a false impression that dedicated
firewall products are somehow special when compared to a commodity PC running
decent firewall software. This simply is not true; software is software,
regardless of what platform it is running on.
Now, there are advantages to dedicated firewall boxes: They are sometimes
cheaper, and very often easier, than building a full PC, installing an OS,
hardening the OS, and setting up the firewall software would be. They often
come with tools or UIs which make managing the firewall easier (note, however,
that this is *NOT* a substitute for understanding what the firewall is doing).
They are often more reliable than a commodity PC, because they are entirely
solid-state.
However, there are disadvantages as well: The base hardware itself is often
much more expensive than a commodity PC (but see above about setup costs).
In addition, you often see per-user licensing models. They tend to be fairly
inflexible, and generally cannot be customized or enhanced at all -- if you
encounter a situation the box cannot handle, you are just out of luck.
Automated management via scripts is generally not available. And they are
generally closed, proprietary products -- you have to trust the vendor's word
that their box really *is* secure.
> Not having experience with such beasts, I am turning to you folks for
> suggestions.
I have heard good things about WatchGuard's Firebox II product. And it is,
in fact, running a hardened version of Linux. Plus it looks cool. ;-)
Checkpoint's Firewall-1 has some nice features, such as virus scanning of
files being downloaded through the firewall, and is available in embedded
boxes (generally running Linux -- starting to see the pattern?). However, I
have also heard bad things about Checkpoint in terms of reliability.
SonicWall and Netopia are okay, but generally don't do anything Linux
doesn't do, and are a little pricey.
Allied Telesyn makes a router, model AR-320, which we are in the process of
evaluating. It has firewall and VPN options, and appears to be relatively
inexpensive, as far as such things go.
VPNet makes products which supposedly include firewall functionality. We
are in the process of evaluating those, too. No idea on price.
For all of the above, Your Mileage May -- and most likely will -- Vary.
--
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18 Fax: (978)499-7839