[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: firewalls



On Wed, Dec 06, 2000 at 03:37:04PM -0500, Nicholas Basila wrote:
> We are evaluating firewalls at work. I was wondering if anyone had a
> link to a site that gives an honest evaluation of commercial products,
> and firewalls using ipf. I'd love to see a site that rates an OpenBSD
> box with ipf a better "buy"  than, say, Checkpoint or some other
> firewall.
...

Ok, let me add something a bit more balanced than some of the comments
I seen.

I've switched from FW-1 4.0 on an NT box to OpenBSD + IPFilter +
Postfix + Squid + isakmpd. Here's my take on the plus / minus of FW-1 :

- Support is absent. Nothing, zilch, rien. You paid for support, but
once you have a problem, the typical conversation goes like that :
    me: Hi, we have <whatever problem>
    support: Which FW-1 version / service pack
    me: 4.0 sp4578
    support: On which OS do you run it ?
    me: NT 4.0 sp5
    support: Reboot.
    me: Huh... Really ?? You are sure that's the only solution ??
    support: Yes.
- The default install is way more open than you can think at
first.
- The SMTP security server (an smtp proxy) is a joke.
- I don't trust their FTP proxy.
- They produce a large amount of noise about their CVP
system. Basically it's a way to send objects crossing the firewall to
some application-specific inspection engine, ie a virus scanner for
mails and binaries downloaded from the internet.
With SMTP, it works, more or less. With HTTP it's useless unless you
can guarantee that every download will take less than 1 minute to
complete (the default timeout of most browsers).
- Using a proxy on a non-default port (for ex, ftp on port 2121) is
not trivial.
- Their graphical rule editor is nice, but with more than 30 rules
it's getting unmanageable.
- You can't even print the rules ! The only solution is to print
screenshots of the rule editor, how lame :-((
- You can't apply a rule to a specific interface.
- Logs are way less accurate than with ipfilter, and you have a
limited ways to grep / filter them in real time (hey GUI guys, never
heard of "tail -f /var/log/ipflog | grep 'bla'" ??). Post-mortem (sic)
filtering requires an 'export' in plain ascii which is slow.
- They don't support statefull ICMP filtering. Maybe this has changed
since version 4.0, but be carefull.
- The TCP state engine is a bit less accurate than the one in ipfilter.
- Their inspection engine is built on a very good language (INSPECT),
on which unfortunately you have absolutely zero documentation.
- Their IKE support was far from perfect in 4.0, but I heard they have
a better one in 4.1 / CP2000.
- It's very expensive, even more if you want it with a Nokia box.

On the 'plus' side :
- They support NAT on a handfull of protocols (FTP, both server and
client, NetBIOS, SQL*net, various RealAudio flavours, etc...)
- A given ruleset can be applied to many systems at once, including
simple routers.
- They support time-based restrictions (ie these boxes can connect to
the 'net to port 80 from 8am to 20pm, and only 5 days per week).
- You can plug-in a bandwith management system (but I have yet to test
the newly released ALTQ-3.0 on OpenBSD 2.8...)

-- 
Rémi