Hi Elsa --

The primary question is, what level of security do you require, and for which protocols/applications do you require Internet access?

I've worked with Sidewinder and FW-1 for the last 5 years. In general, unless you have the requirement to support a very high bandwidth connection -- which you don't -- or some database applications (using CORBA) that you can't get easily through the Sidewinder -- I prefer Sidewinder a lot.

FW-1 gets a lot of points in the press for being easy to use and supported on a variety of operating systems. But side-by-side, the person managing a FW-1 has to be much much more experienced and careful to run that box securely than someone managing a Sidewinder. This is a combination of the following factors:

1) Sidewinder has the most secure operating system available for commercial firewalls, at least that I've seen. It implements kernel-based mandatory access controls (under Secure Computing's "Type Enforcement" patent) that severely limit access to components of the OS. It's based on BSD UNIX but extensively modified. It scares a lot of people off because it's UNIX, but the vast majority of system admin can be done with the GUI -- and you the end-user of the firewall are not responsible for securing the operating system. If you have UNIX experience, you will be able to work with it pretty easily.

In contrast, FW-1 requires you to configure the operating system security yourself. There are plenty of resources available to help with that, but it's a significant amount of additional work. And you have to keep up with OS patches as well as FW-1 patches. Sidewinder rolls them both together.

2) FW-1 requires the administrator to explicitly >turn off< default services that are installed as soon as a rule is added to the security policy. Again, there are plenty of resources available to help walk you through this, but it annoys me that I have to do that extra work.

Sidewinder installs with a default security policy in place, but you have to go in and enable the network services (proxies) before they're available to the internal users. I much prefer having to make a conscious decision to turn on things like DNS and ping than to have that decision made for me.

3) There are a variety of ways to verify that the security policy entered in the Sidewinder GUI is what the firewall is actually enforcing, including reading the policy database (which is close to natural language) and using UNIX tools like 'netstat.' FW-1's policy code (INSPECT) is harder to read. And as far as I've been able to figure out, there's not any easy way to confirm what services and rules are available to users from the OS. Systems that I can't independently verify make me very nervous.

I could go on. But you get the point.

Disclaimer: I do not represent either Checkpoint or Secure Computing.

cheers -- Tina Bird

On Tue, 1 Feb 2000, Korwin Elsa A CONTR wrote:

> Date: Tue, 1 Feb 2000 16:05:39 -0600
> From: Korwin Elsa A CONTR <elsa.korwinat_private>
> To: "'firewall-wizardsat_private'" <firewall-wizardsat_private>
> Subject: Firewall setup
>
> Hello, I came across this firewall mailing list and thought perhaps someone
> could help me out with my firewall. I currently work for a military
> hospital that plans to set up a firewall for their traffic. All traffic
> will go out to the internet via a T-3.
>
> My question is, which of the following firewalls will support my
> infrastructure?
>
> Firewalls:
> Checkpoint Firewall-1
> Sidewinder 4.1
>
> Infrastructure:
> 1000 NT/95 workstations + 10 Windows NT servers
> Access method: Ethernet and fast ethernet
> Media type: shielded twisted pair and F/O, where needed
>
> Any info would be appreciated. Thanks
>
> > Elsa A. Korwin, ACS Task Lead
> > Information Systems Security Specialist
> > Network Security.SGSI
> > O-618-256-7322 F-618-256-7822
> > elsa.korwinat_private
>

"Doubt is an uncomfortable situation, but certainty is an absurd one." -- Voltaire