On May 10, 11:18am, Barry Lustig wrote:
> Subject: Re: Checkpoint FireWall-1 sanity check
>
> On Tue, 10 May 1994, Kevin Altis wrote:
>
> > Anybody here familiar with the Checkpoint FireWall-1 product? I can post a
> > press release if anyone is interested, but I just want to know if their
> > "unique, patent pending technology" is just so much hot air.
> >
>
> I talked with one of their guys at their booth at Interop. He,
> unfortunately couldn't answer my question about the "patent pending"
> technology. He did say that they do all of their filtering in the kernel
> and that the filtering module can keep some amount of history for
> additional decision making. It comes with a pretty GUI and runs on a
> SparcClassic.
>
>
> barry
>
>
>-- End of excerpt from Barry Lustig
You know, if you read Ches' and Bellovin's book, this package disturbs me on
a stark level: all the pretty coding, GUIs, and so forth hide you from the
probable complexity of the code. And complexity = problems.
The firewall is not a system that needs an interactive GUI display, load
meters, and all the other hype displayed on a 17" color monitor. It is
a system that sits in a demilitarized area, protecting your net from the
world and vice versa. Its configuration is not an interactive, touchie-feelie,
constant tweaking situation (or it shouldn't be, IM not-so-HO).
It should be secure (and complexity adds a whole level of assurance that
the code is NOT able to be fully vetted) and STABLE. SunOS/Solaris isn't,
last I checked.
I had quite an involved discussion with these gentlemen over dinner (their
booth at the show was shared by Global Enterprise Services (JvNCnet))--
concerning their view of firewalling in general, and their understanding of
the work that had gone on over here (CheckPoint.com is headquartered in
Israel, btw). They were unaware of much of the pioneering work done
at AT&T, DEC, and TIS, and what the technology, as well as the uses of
simple and manageable solutions without the overhead of all the fancy
interfaces and the like...
One thing that they didn't answer was my (admittedly baiting) question as
to why anyone would want to block UDP packets across the firewall...
IMO, they are not adding value to the discussion of firewalling in general,
and certainly not contributing any added value (unless you want to keep a
pretty display up on the screen with stop signs and green flags that tell
you what the firewall is doing...). Invest in solid hardware and simple,
easily configured software. Screw it down tight, and it will provide a
real firewall instead of a filter (which is what they are selling: a GUI-based
router filter...).
Just my $.02
--
Bryan D. Boyle | Physical: ER&E, Clinton, NJ (908) 730-3338
#include <disclaimer> | Virtual: bdboyle@erenj.com
"If everyone is thinking alike, then someone isn't thinking." -Patton
Pardon me, I'm lost, can you direct me to the information superhighway?