Date: 30 Jun 97 12:48:49 +0000
From: manuel .
Does anyone have experience with Borderware Firewall?
If so, where would you place it compared to Raptor, Pix and FW-1?
Manuel Ricca (manuel .
ParaRede - Tecnologias de Comunicação, S.A.
Tel: +351 1 3020451
Fax: +351 1 3020444
Borderware runs on the Intel platform only (Secure Computing recommends
a clone machine), some of the better known name brand machines like
Compaq will not work usually. Borderware is built on a bastion
implementation of BSD Unix which you have no access to.
BorderWare defines a new product category of firewalls by combining
packet filters and circuit-level gateways with application servers into
a single self-contained system. BorderWare includes a secure Mail
server, dual Name servers (internal and external), a News server, an
anonymous FTP server, a WWW server and a Finger information server which
you can choose to enable or disable. With the latest version Borderware
4.x, all configuration is done from a remote html browser which is
extremely slow! Their front end is all Java, using their html forms to
configure DNS for 15 zones took me all day just because the updates via
the browser were taking forever! I can configure the same DNS
information on UNIX or NT running either FW-1 or Raptor in an hour. Pix
does not run on top of an operating system, so DNS is configured
elsewhere. If you choose to enable the news server on Borderware, you
do take a performance hit.
Based on my experience, Borderware is not an enterprise level firewall
server and it offers very little flexibility. It can support a maximum
of three interfaces: external, internal and SSN (a.k.a. DMZ). I would
position this product to customers who have no experience setting up
internet servers, DNS, MAIL, etc. Also, there are no internal
authentication capabilities with Borderware, no skey, secure-id, nothing
to authenticate your rules against. Raptor and FW-1 do offer
authentication. The logging capabilities are not as good as Raptor's or
FW-1's. Pix requires a syslog host for logging.
If you are like me, and like to see what's going on at a kernel level and
have access to modify your firewall system, Borderware will frustrate
you, you are completely locked into their interface, for some people
this is better, for others, it is not. PIX is a stateful packet filter
with support for Dynamic NAT and a failover port to support a standby
Pix server which is very nice. If you need extensive logging
information though, it comes up short. Also, Pix comes with no Proxies
and only supports two interfaces, I find myself having to supplement PIX
with several proxies. FW-1 also is a stateful packet filter with some
application software support for telnet, ftp and http. FW-1 offers a
lot of flexibility and can support various interfaces, good logging
capabilities, but no proxies. Also, FW-1v2.x does not integrate their
NAT configuration with their GUI, you have to set this up at the command
line. I hear FW-1v3.x fixes this, but I can not comment on this yet. I
often supplement FW-1 with proxies. Raptor also has good logging
capabilities and has support for various interfaces, and it does come
with several proxies. Raptor being an application gateway firewall, NAT
is inherently built in to the product.
All products have support for VPN, remote management and SNMP traps.
Boni D. Bruno
Vice President of Engineering
Data Systems West,Inc. http://www.dsw.net
Phone: (818) 883-9800 x 225 email:bbruno @