Great Circle Associates Firewalls
(May 1994)

Subject: Re: Checkpoint FireWall-1 sanity check
From: "Jonathan B. Horen" <horen @ applicom . co . il>
Date: Wed, 11 May 1994 16:49:28 +0300
To: firewalls @ greatcircle . com

> You know, if you read Ches' and Bellovin's book, this package disturbs me on
> a stark level: all the pretty coding, GUIs, and so forth hide you from the
> probable complexity of the code.  And complexity = problems.  

The GUI is exceedingly clear and straightforward.  I am not concerned
about "complexity of [the] code", probable or otherwise.  I AM quite
concerned, however, about controlling who accesses our corporate
network, from where, to do what, etc., etc.

I have been using CheckPoint Software's FireWall-1 product, as a beta-
tester, for more than half-a-year now.  When I initially set-up our
firewall, I used a combination of Wietse Venema's tcpd-wrapper and
Marcus J. Ranum's FireWall ToolKit.  They worked well, but tcpd-wrapper
was difficult to maintain in a heterogeneous environment (Sun, AIX,
HPUX, PC), across an ever-growing number of hosts (yes, complexity DOES
= problems :)
 
> The firewall is not a system that needs an interactive GUI display, load
> meters, and all the other hype displayed on a 17" color monitor.  It is
> a system that sits in a demilitarized area, protecting your net from the 
> world and vice versa.  Its configuration is not an interactive, touchie-
> feelie, constant tweaking situation (or it shouldn't be, IM not-so-HO). 
> It should be secure (and complexity adds a whole level of assurance that
> the code is NOT able to be fully vetted) and STABLE.  SunOS/Solaris isn't,
> last I checked.  

A firewall needs *exactly* what it needs to enable its configurer(s)/
maintainer(s) to provide for its "care-and-feeding" -- not that
FireWall-1 has any "load meters... [or] all the other hype...".

My job is to administer our corporate system/network, to work with my
employer's department/project heads and plan for the system/network's
near- and long-term growth, and to provide (within the constraints of
my humanness) realtime user-support.

CheckPoint Software's FireWall-1 helps me to do that.  Period.

I have to add/(re)move hosts on a regular basis; I have to allow access
from external hosts at an ever-growing number of external (local and
international) sites with whom we are involved in the joint-development
of software projects, and for whose products (Informix, for one) we are
the sole Israeli representative; I have to allow access from external
hosts to an ever-growing number of employees who are also external
users, who want to log-in from their accounts at Israeli universities,
as well as from customer sites; and so-on and so-forth...

This is a perfectly normal situation in a commercial environment, and
it is my job to make sure that even on such a large drum as this one
the lid stays screwed-down tight.

CheckPoint Software's FireWall-1 helps me to do that.  Period.

I also use the tn-/ftp-/rlogin-gw clients from TIS's FireWall ToolKit,
and would like it *very* much if it was integrated via the GUI with
FireWall-1...

However, FireWall-1 *does* have a command-line interface, and from it
I can (and do -- especially when logged-in from home and working on my
VT220) do everything that I do from its GUI (with the exception of
filtering the logfile output).

I run it on our firewall -- a Sun SPARCstation 1+ w/24MB RAM and a
monochrome monitor -- and using both source- and source-/destination-
packet filtering I have suffered no throughput problems.

> I had quite an involved discussion with these gentlemen over dinner (their
> booth at the show was shared by Global Enterprise Services (JvNCnet))--
> concerning their view of firewalling in general, and their understanding of
> the work that had gone on over here (CheckPoint.com is headquartered in
> Israel, btw).  They were unaware of much of the pioneering work done
> at AT&T, DEC, and TIS, and what the technology, as well as the uses of
> simple and manageable solutions without the overhead of all the fancy
> interfaces and the like...

Now, perhaps, you are aware of one part of the continuing work done
over here (CheckPoint Software *is* headquartered in Israel, together
with Intel's 386/486 development center, among other departments...)

> One thing that they didn't answer was my (admittedly baiting) question as 
> to why anyone would want to block UDP packets across the firewall...

Well, if keeping score, and if (master)baiting is your thing, then
that's great.

> IMO, they are not adding value to the discussion of firewalling in general,
> and certainly not contributing any added value (unless you want to keep a
> pretty display up on the screen with stop signs and green flags that tell
> you what the firewall is doing...).  Invest in solid hardware and simple,
> easily configured software.  Screw it down tight, and it will provide a
> real firewall instead of a filter (which is what they are selling: a GUI-
> based router filter...).

Perhaps not to the "discussion", but to the "real-life stories of
honest, working-class sys/network admins" they add *plenty* of value.
FireWall-1 has been in daily use not only at our site, but also (for
the same half-year) at Motorola's center here in Tel-Aviv (with over
300 Unix hosts), at Tadiran (similar setup), at Sun's Israeli center,
and at numerous other small- and middle-sized operations.

I know this, 'cuz I am in daily contact with the sys/network admins
at these sites.

Uh-h-h, no -- they are selling a kernel-based router-filter, which
happens to include one helluva user-friendly GUI-based rule-editor.

You write "...Invest in solid hardware and simple, easily configured
software."   Well, that's *exactly* what we (and others) have done, by
purchasing and installing FireWall-1.

Your opinion is just that, and no more.  For facts, ask the men (and
women) who own/drive/smoke one. 

---------------------------horen @ applicom . co . il---------------------------
Jonathan B. Horen
Sr. System Administrator
Applicom Systems, Ltd.
