
Re: firewalls



If I write up a web page, toss it on my web site, they'll believe it
more than your own logic?

Probably.  Scary thought.
(If I send 'em a bill, they'll REALLY believe me, I bet.)

Barring that (if I had time to burn today, I thought about doing just
that, BTW. 8), how about trying this logic...

A firewall can't be any more secure than the underlying OS, right?  I
think that would be a pretty easy sell to almost anyone.  Sure, you
can make an NT system "secure" (at least to the best of current
knowledge and patch kits, until the next bug discovery, of course),
but what if you miss something?  What about _WHEN_ the next hole is
found?  Do you know everything there is to know about securing NT or
any other OS?  I know I don't.  Fortunately, OpenBSD users have people
looking over our shoulders -- the team that puts together and
maintains OpenBSD set it up so it starts out secure...we can break it,
but we don't need to fight to make it start out secure, and thanks to
quality software, we don't have to fight hard to keep it secure.

I've done a little looking at Checkpoint's Firewall-1.  I was NOT
impressed (except with the price).  First, they do offer a number of
choices of platforms -- all of which I do think you will see listed on
the security bug lists regularly, and as I said, running a "firewall"
on an insecure platform gives me the willies.  Second, I had a client
stuff one in my hands and say "Lock me down!"  NMAP showed several
things I didn't like, so I looked at the cute GUI program, turned off
the things I wanted off.  Sure looked nice and easy.  Ran NMAP again. 
Same results.  Whatever I did, it didn't do what I thought it would
do.  You can argue that ipf.rules isn't as "easy" to grasp as pretty
pictures, but if you comment out a line and restart IPF, it does as
you expect (well..forgetting traceroute for the moment).  I thought
this behavior of Checkpoint was darned dangerous.  Obviously, I did
something wrong, but FW-1 seemed to think nothing of letting me delude
myself into thinking I knew what I was doing.  That's bad.

Here is a strategy I use when one of my clients wants to spend too
much money on something:

* Buy/install something small/cheap that fits your needs TODAY.
* IF you outgrow it, THEN re-evaluate your needs at THAT TIME,
considering the products available at THAT TIME.
* You save money!  You may *NOT* outgrow that "simple/cheap" product,
and if you do, you have avoided spending a lot of money for a period
of time.
* You get a better product!  By using the best tools available at the
time you need them, you will get better results than spending gobs of
money today and trying to force-fit your needs in the future to the
product that may not fit, but you spent so much money everyone is
afraid to say "We screwed up".  (Ever notice that some people show
more loyalty to a bad product than they do to a good spouse?  Weird.)

The point is, plan to out-grow.  Don't look at it as a life-time
commitment, if product X does the job for you in two years, stick with
it.  If not, scrap it.       

I have a client I recommended a lower-cost firewall to (I wasn't ready
to do an OpenBSD system for them at the time).  They are now grumbling
that it doesn't have Windows-based VPN client support.  They don't
need or have use for a Windows VPN client yet, but they foresee that
they will "some day".  This wasn't an original purchase criterion, so
it is possible whatever else they had purchased, they might have been
looking at an upgrade anyway.  The price difference was so great
between these products that if they had invested the money they saved,
they would have effectively got the firewall they are using now for
free (and being it is an insurance company, they respect that kind of
logic 8).  

Nick.

Nicholas Basila wrote:
> 
> We are evaluating firewalls at work. I was wondering if anyone had a
> link to a site that gives an honest evaluation of commercial products,
> and firewalls using ipf. I'd love to see a site that rates an OpenBSD
> box with ipf a better "buy"  than, say, Checkpoint or some other
> firewall. If I can't provide some sort of online justification for using
> OpenBSD and ipf, I'll probably end up having to go with some NT based
> firewall to make management happy. Does anyone know a good site for such
> things?
> 
> Nicholas

-- 
http://www.holland-consulting.net/