Symantec's FW VPNs are flaky as all get out, and the proxy services tend to break too many transactions. Not trying to start an argument here, but Raptor (in my two years of experience with it) is tempestuous and needs a lot of babysitting. Also, I'm not talking about the appliance, I'm talking about the software package.

You can increase the security level of the non-proxying firewalls by:

1) turning on NAT/PAT/MIP and using public IPs *only* on your outside (untrusted) FW interface
2) using 3rd-party session inspection programs to look for service-specific (app-level) attacks
3) using your edge routers as a primary filter (access lists, etc.) to immediately throw away all the network garbage you don't want your firewall to bother filtering
4) dropping an IDS in behind your firewall and tuning it to monitor your already twice-filtered traffic

To Crispin's point, an IDS is good for ruining your weekend. But IMHO, better to know and rectify than to never know at all.

Justin

-----Original Message-----
From: Crispin Cowan [mailto:crispin@private]

Money, scalability, speed: very nice. Uh, what about security? The Symantec product is a "hybrid" firewall (i.e. uses proxies) while the others are packet filters. IMHO, that adds security value.
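The edge-router "primary filter" from item 3, together with the "public IPs only on the outside interface" point from item 1, as an added example. This is illustrative Cisco IOS-style access-list configuration written for this archive page; it is not from Justin's post, from Crispin's, or from any Symantec product. It assumes a public block of 203.0.113.0/24 (an RFC 5737 documentation range), a firewall outside address of 203.0.113.2, an Internet uplink on an interface named Serial0/0, and that the firewall terminates only HTTPS and IPsec (IKE on UDP/500 plus ESP); every one of those is an assumption, not something the thread states.

```cisco
! Assumed topology (not from the post): public block 203.0.113.0/24,
! firewall outside interface 203.0.113.2, Internet uplink on Serial0/0.
ip access-list extended EDGE-IN
 remark --- anti-spoofing: nothing from the Internet may claim a private,
 remark --- loopback, unspecified or multicast source, or our own block
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 remark --- the firewall outside address is the only reachable host, and
 remark --- only the services it is assumed to terminate get through
 permit tcp any host 203.0.113.2 eq 443
 permit udp any host 203.0.113.2 eq 500
 permit esp any host 203.0.113.2
 remark --- return traffic for sessions the firewall opened outbound
 permit tcp any host 203.0.113.2 established
 remark --- the ICMP the firewall actually needs; everything else is dropped
 permit icmp any host 203.0.113.2 packet-too-big
 permit icmp any host 203.0.113.2 echo-reply
 deny   ip any any log
!
ip access-list extended EDGE-OUT
 remark --- egress: only our own block may leave, so a compromised inside
 remark --- host cannot source packets with somebody else's address
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
```

Two caveats a practitioner should keep in mind. First, `established` on a stateless router ACL matches any TCP segment with ACK or RST set; it is not session tracking, so the stateful decision still belongs to the firewall behind it, and this list is only the coarse first pass the post describes. Second, `log` on the final deny sends every dropped packet to the router's CPU; under a flood that can hurt the router more than the firewall it is protecting, so rate-limit logging or drop the keyword on busy links.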
This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 10:33:19 PDT