It is possible, Bryan, that you spoke with the wrong guy. Check Point
did not have all of their people at Interop. The people we've talked
to seem pretty clueful.
I'm not selling their stuff, here. I have stuff of my own to sell.
:-) But, the complexity of the management interface probably should
not be considered part of the equation. Or maybe it should but it
should be pointed out that it might serve to CLARIFY things rather
than make things more complex. Complexity in management of security
procedures and practices also is counter to good security.
I haven't looked at their code. It employs filtering and
philosophically I (we, TIS -- and smb and ches for that matter and
others) don't want to trust filtering alone; I don't want to have to
have direct connections between the outside and the inside. But that
is a philosophy that some (:-)) on this list disagree with.
> You know, if you read Ches' and Bellovin's book, this package disturbs me on
> a stark level: all the pretty coding, GUIs, and so forth hide you from the
> probable complexity of the code. And complexity = problems.
>
> The firewall is not a system that needs an interactive GUI display, load
> meters, and all the other hype displayed on a 17' color monitor. It is
> a system that sits in a demilitarized area, protecting your net from the
> world and vice versa. Its configuration is not an interactive, touchie-
> feelie, constant tweaking situation (or it shouldn't be, IM not-so-HO).
> It should be secure (and complexity adds a whole level of assurance that
> the code is NOT able to be fully vetted) and STABLE. SunOS/Solaris isn't,
> last I checked.
>
> I had quite an involved discussion with these gentlemen over dinner (their
> booth at the show was shared by Global Enterprise Services (JvNCnet))--
> concerning their view of firewalling in general, and their understanding of
> the work that had gone on over here (CheckPoint.com is headquartered in
> Israel, btw). They were unaware of much of the pioneering work done
> at AT&T, DEC, and TIS, and what the technology, as well as the uses of
> simple and manageable solutions without the overhead of all the fancy
> interfaces and the like...
>
> One thing that they didn't answer was my (admittedly baiting) question as
> to why anyone would want to block UDP packets across the firewall...
>
> IMO, they are not adding value to the discussion of firewalling in general,
> and certainly not contributing any added value (unless you want to keep a
> pretty display up on the screen with stop signs and green flags that tell
> you what the firewall is doing...). Invest in solid hardware and simple,
> easily configured software. Screw it down tight, and it will provide a
> real firewall instead of a filter (which is what they are selling: a GUI-based
> router filter...).
>
> Just my $.02
>
> --
> Bryan D. Boyle |Physical: ER&E, Clinton, NJ (908) 730-3338
> #include <disclaimer> |Virtual: bdboyle@erenj.com
> "If everyone is thinking alike, then someone isn't thinking." -Patton
> Pardon me, I'm lost, can you direct me to the information superhighway?