Grant Sewell wrote:
> On Wed, 21 Feb 2007 09:50:43 +0000
> Tom Potts <tompotts@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> http://www.oreillynet.com/pub/a/sysadmin/2007/02/15/evaluating_firewalls.html
>
> One thing that *really* bugs me about things like this is when they
> call things like the Cisco PIX a "hardware firewall" and things like
> Smoothwall a "software firewall". All firewalls are software
> firewalls, dammit!

I tend to use the term "software firewall" to refer to products that are installed on a box with other tasks, as opposed to a dedicated firewall. Tools like the Norton stuff, or the IPTables-based tool that comes with Redhat that lets you lock down the other ports (just in case).

I'm surprised at the lack of products tested, I'm guessing they tested what they had to hand?!

When I sold firewalls professionally, CISCO PIX sucked, and I expect they still do. They sold because ISP and phone companies had contracts with Cisco, on which they got a good price, and could order them easily. They had bad proxies (you still find sites getting email problems due to their SMTP proxy!), nightmarish configuration, and, well, they came from Cisco (read scary order process - Cisco generally do good engineering, you just don't want to have to drive a lot of their kit, unless you have IQ points spare - I've even had to "interpret" Cisco documentation to Cisco certified engineers!?!).

The tests are of limited value. Whilst it is great to be able to defend against flooding attacks, there is only marginal value in it, since most people who can flood you can arrange to eat all your bandwidth anyway. Similarly, they don't document configuration, or other details of how Smoothwall failed. I'm no fan of Smoothwall, but it could well be it failed because the network driver for that card created too many interrupts, or some other minor issue.

Which is why I usually recommend people buy dedicated off-the-shelf firewalls, not because they are better, but because there are fewer details for the purchaser to worry about.
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html