I just finished reading the glossies and the paper and I was
impresssed.
Date: Wed, 14 Sep 94 09:13:20 PDT
From: jeromie @
mmp .
com (jeromie)
Firewall-1 is a bum deal in my opinion. They claim to do secure
UDP packets to begin with (as we all know that is rather a pathetic
claim unless the link in encrypted). I called them on it. The
only thing they do to help insure security is to only open up the
ports when an outgoing call is made.
The main problem with UPD is allowing it in at all. With this
product an outgoing UPD service has a window of opportunity
back to the originating machine. As usual with help from the
inside this could be used to do very nasty things but otherwise
it is a better than allowing blocks of unprivileged UPD ports
back in.
IE: When FTP is started from the inside there is a port made
available for the return connection. Yes, this may be a good idea,
although I don't necessarily see it making it a 'secure'
connection.
Works the same way. Many people allow unpriviliged tcp ports
back in to enable FTP through the firewall. Even when that is
via a proxy. The dynamic nature of the windows which are being
opened in this product are the attraction.
The only good thing I would say for the company is the GUI is
nice..
The thing I really like is the control over the filtering
because the majority of it is being done on the bastion host not
on a router (which gives you ZERO logging capability). With
the filtering happening at the bastion host there are many more
options for logging.
Your firewall is only as good as it's logging. If you don't know
you door is being knocked on, and how it is being knocked on
then all you have is a smaller door which someone will squeeze
through and you will never know.
Cheers, Craig
Craig Bishop csb @
BarwonWater .
Vic .
Gov .
Au
Information Systems, Barwon Water Ph: +61 52 262506
61-67 Ryrie St Geelong 3220 Australia Fx: +61 52 218236
|
|
