Keith A. Glass wrote:
-----Original Message-----<snip>
I admit to a predjudice towards firmware-based firewalls, only because the underlying OS's of an OS-based firewall may or may not be properly hardened.
<snip>
Likewise, some idiot can (and I've seen this happen) create a wide-open ACL on a PIX firewall. Doesn't make the box the problem. Means it was misconfigured and not hardened enough.
When examining closely on of the two Checkpoints, I noticed the S78sendmail script was still in /etc/rc2.d. Since Sendmail is verboten on all but two specially designated servers in our net, I examined the box more closely, and found it to be a generic Solaris 8 Core package with no hardening whatsoever, not even services commented out in /etc/inetd.conf. . .
That CAN'T happen on a firmware-based box, hence my predjudice for them over
OS-based
boxes
<snip>
Granted. This cannot happen when a feature does not exist on a device. It also means that the product being critiqued is a more flexible product with a wider range of potential services to offer. And yes, that can be a two edged sword.
Like the PIX I mentioned above, if misconfigured, it is less than secure.
With both, misconfigurations are the kiss of death. Kinda reminds me of the old GIGO (garbage in - garbage out) acronym. If the guy building the rules or specifying which services are available, screws up, your whole box can be compromised...firmware or not.
IMHO,
bryan
---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
