Well.... I think it is also a case of being able to keep the box in a state that is secure. I have found it a nightmare to maintain Solaris boxes that are hardened, and one always feels that although they may have been hardened well originally, are they still as secure? And how can you be sure etc... It just generates a great deal of admin overhead which can in turn result in less secure boxes rather than more secure ones.

Just my tuppence worth.

That said, I would still not choose a FW-1 system as I do not believe it has a transparent enough security model (too many implied/secret rules aka black magic, "well it is working now but I am b#$%^ed if I know how I got it into this state" ;-)

Maybe I need a holiday.

PS sorry for flicking this at you originally and not the list, Mikael. Mind not able to multitask ;-)

>>> Mikael Olsson <mikael.olssonat_private> 10/15/02 07:31a.m. >>>

Dominic Malig wrote:
>
> [...] appliance vs software firewall 'which is better' [...]

Given that we tout both software packages and appliances, I think I can authoritatively say that there is virtually zero difference between the concepts. For _our_ stuff, the only difference is that we know beforehand that the software works reasonably well with the hardware.

So, a generalistic discussion about software/appliance is pretty much a moot point.

Now, if you want to discuss pros and cons of software/appliance for specific firewall vendors, I'm sure we can come up with more interesting points.

For instance, I believe that most people will get a more secure solution if they buy FW-1 on a Nokia box, rather than setting FW-1 up on Solaris, or (horror!) NT for that matter. Why? I believe Nokia does a good job of hardening their boxes; likely a better job than most people can do hardening Solaris/NT boxes. That is not to say that someone really clueful can't harden a Solaris box better, given enough time, but that's generally speaking not the case.

On the other hand, I'd say that f.i. FW-1/Gauntlet/Raptor on NT has better chances of securing your network properly than, for instance, a "Netgear broadband router with firewall functionality", even though the latter is an appliance.

... want me to keep ranting? :)

/Mikael

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 20:48:39 PDT