On Fri, 8 Dec 1995, Tim Richardson wrote:
> Hello All,
> I have some basic questions as a "newbie" to firewalls.
> First: What are the performance issues regarding some "turn-key" solutions
> that reside on PCs? Can they perform both packet filtering and application
> proxies responsibly given a T1 connection, Web access, etc?
> Second: Given a short time frame to implement a firewall solution for our
> company, does anyone have any feedback regarding solutions such as
> CyberGuard and Gauntlet?
Well, as is said, "time is money". So if your time is short, throw some
money at your problem and implement the Gauntlet. The standard platform
for the Gauntlet is an Intel Pentium running BSDI. I consider that a PC,
I'm not certain if you would, too. The Gauntlet box can handle a T1 with
application proxies, Web access, etc. However, I would recommend a separate
screening router sitting between the Gauntlet and the Internet connection.
> Third: Does a site necessarily need application level security? I think so,
> however others in our organization feel that routers offer ample security.
I'm not sure why people think that routers provide security. The basic
purpose of a router is to move packets between network interfaces. The
basic purpose of a security device like a firewall is to, on the other
hand, prevent the flow of packets between network interfaces. To me, they
appear different, in fact, almost directly opposite. A router performs a
set of valuable data communications functions and when the business needs
of you or your organization requires some or all of those functions, you
should use a router. A firewall performs a set of valuable data security
and data access control functions and when the business needs of you or
your organization requires some or all of those functions, you should use
a firewall. The Swiss Army methodology has its place when considering
knives. IMO, it is not an appropriate way to design and implement a
> I realize that relying on solutions such as these present additional
> problems, i.e. control over what is originally implemented, security access,
> and so on. Can anyone shed some light on these topics.
In the case of the Gauntlet which is built with the "crystal box"
approach, (e.g. the customer gets _all_ of the source code), I believe
control over what is originally implemented _is_ in the hands of the
customer. Also since it is also based on the philosophy that the only
things that are permitted are those that have been specifically
authorized, what is originally implemented seems pretty safe to me since
in the case of the Gauntlet that is exactly nothing. Absolutely no
information will flow through the Gauntlet unless you tell it to allow
specific information through. I'm not sure what you mean by your reference
to security access.
> Thanks in advance
**** cjolley @
net <Carl Jolley>
**** All opinions are my own and not necessarily those of my employer ****
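The router-versus-firewall distinction drawn in the reply above (a router's default is to forward whatever it has a route for; a default-deny firewall passes nothing that is not specifically authorized), modelled as an added example that is not part of the thread. The routing table, the packets and the "Web access only" policy are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed routing table: an interior network plus a default route to the Internet.
ROUTES = {
    ipaddress.ip_network("10.0.0.0/8"): "inside",
    ipaddress.ip_network("0.0.0.0/0"): "outside",
}


def router_decision(pkt):
    """A router's job is to move packets: pick the longest-matching route and forward.
    The only packet it drops is one with no route at all."""
    dst = ipaddress.ip_address(pkt.dst)
    best = max((n for n in ROUTES if dst in n), key=lambda n: n.prefixlen, default=None)
    return ROUTES[best] if best is not None else "drop"


def firewall_decision(pkt, allow_rules):
    """A default-deny firewall: a packet passes only if some rule specifically
    authorizes this source network, protocol and destination port."""
    src = ipaddress.ip_address(pkt.src)
    for rule in allow_rules:
        if src in rule["src"] and pkt.proto == rule["proto"] and pkt.dport == rule["dport"]:
            return "allow"
    return "deny"


# Constructed policy: the only authorized traffic is outbound Web access from the inside net.
WEB_ONLY = [{"src": ipaddress.ip_network("10.0.0.0/8"), "proto": "tcp", "dport": 80}]


def compare(pkt, allow_rules=WEB_ONLY):
    """Return (router verdict, firewall verdict) for the same packet."""
    return router_decision(pkt), firewall_decision(pkt, allow_rules)
```

With an empty rule list the firewall passes nothing at all, while the router with a default route forwards everything; that gap is the point of putting a firewall, not just a router, at the Internet connection.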