Just hearsay: two of the biggest FW-1 problems I have heard of.
1) It doesn't harden the system (Unix or NT or whatever it runs/will run
on) by itself: it's up to the security admin to harden it. What if he/she
is not smart enough to do it properly?
2) Setting up the rules is a real headache, most of it defining all the
objects that make up the network. And everything that is difficult to
implement is error-prone.
Can anyone confirm this hearsay?
I hope this will light up a fiery discussion: I love fights (when not
> From: Dave Elfering <elfering @
> To: Firewalls @
> Subject: Firewall-1, packet -VS- Proxy
> Date: Saturday 4 October 1997 5:35
> I've been wallowing in an analysis paralysis between Firewall-1 and one
> or two other firewalls (ok...Gauntlet & CyberGuard..you twisted my arm).
> I've been leaning toward Gauntlet, partially based upon a suspicion I
> have of a packet filtering product like Firewall-1. There seem to be
> little whisperings about possible exploits for the packet based
> products, yet I've not seen anything substantial to back that up.
> Is there anything to all this? No I don't care to discuss the fact that
> Checkpoint is an Israeli company (or whether Marcus Ranum works for the
> Mossad :). I really mean to find out if FW1 and stateful inspection are
> any less "secure" than a proxy technology like Gauntlet. I've always
> told management that the biggest risk with any of these products is
> proper setup and administration, not the actual firewall technology.
> Feedback, tips and tea-leaf readings welcome...
> Dave Elfering
> elfering @
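The second complaint in the reply above, that an FW-1 rule base is built out of many network objects and is therefore easy to get wrong, is the kind of mistake a mechanical check can catch before the policy is installed. What follows is an added example, not code from this thread or from Check Point: the object/service/rule layout is a hypothetical simplification of a real rule base, and the networks, services and rules are constructed sample data. It finds two classic errors: a rule that names an object nobody defined, and a rule that is completely shadowed by an earlier rule and so never matches (which is exactly how an admin "blocks" something and does not notice it is still allowed).

```python
"""Lint pass over a tiny FW-1-style object/rule base (added example).

Hypothetical layout: objects map to IPv4 networks (hosts are /32),
services map to (proto, port) sets, rules are matched first-hit.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample network objects, not from any real site.
OBJECTS = {
    "internal_net": ["10.1.0.0/16"],
    "dmz_net":      ["192.0.2.0/24"],
    "mailhost":     ["192.0.2.25/32"],
    "any":          ["0.0.0.0/0"],
}

# Constructed sample services; None stands for "all services".
SERVICES = {
    "smtp": {("tcp", 25)},
    "http": {("tcp", 80)},
    "any":  None,
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    svc: str
    action: str  # "accept" or "drop"


def _nets(name):
    return [ipaddress.ip_network(n) for n in OBJECTS[name]]


def _covers_net(outer, inner):
    """True if every network of object `inner` lies inside some network of `outer`."""
    return all(any(i.subnet_of(o) for o in _nets(outer)) for i in _nets(inner))


def _covers_svc(outer, inner):
    """True if service `outer` matches everything service `inner` matches."""
    o, i = SERVICES[outer], SERVICES[inner]
    if o is None:
        return True
    if i is None:
        return False
    return i <= o


def _well_formed(rule):
    return rule.src in OBJECTS and rule.dst in OBJECTS and rule.svc in SERVICES


def undefined_refs(rules):
    """(rule_number, [missing names]) for rules naming undefined objects/services."""
    bad = []
    for idx, r in enumerate(rules, 1):
        missing = [n for n in (r.src, r.dst) if n not in OBJECTS]
        if r.svc not in SERVICES:
            missing.append(r.svc)
        if missing:
            bad.append((idx, missing))
    return bad


def shadowed_rules(rules):
    """(later_number, earlier_number) pairs where the later rule can never be hit.

    First-hit matching means a rule whose src, dst and service are all covered
    by an earlier rule is dead, whatever its action says. Rules with undefined
    references are skipped here; undefined_refs() reports those separately.
    """
    out = []
    for j, later in enumerate(rules, 1):
        if not _well_formed(later):
            continue
        for i, earlier in enumerate(rules[: j - 1], 1):
            if (_well_formed(earlier)
                    and _covers_net(earlier.src, later.src)
                    and _covers_net(earlier.dst, later.dst)
                    and _covers_svc(earlier.svc, later.svc)):
                out.append((j, i))
                break
    return out


# Constructed sample rule base. Rule 3 is the admin's intent to stop
# internal hosts browsing the DMZ; rule 2 already allows it, so rule 3 is dead.
RULES = [
    Rule("any", "mailhost", "smtp", "accept"),
    Rule("internal_net", "any", "any", "accept"),
    Rule("internal_net", "dmz_net", "http", "drop"),
    Rule("any", "any", "any", "drop"),            # cleanup rule
    Rule("partner_net", "dmz_net", "http", "accept"),  # object never defined
]

if __name__ == "__main__":
    for idx, names in undefined_refs(RULES):
        print(f"rule {idx}: undefined object(s) {names}")
    for later, earlier in shadowed_rules(RULES):
        verdict = "conflicting action" if RULES[later - 1].action != RULES[earlier - 1].action else "redundant"
        print(f"rule {later} is shadowed by rule {earlier} ({verdict})")
```

The shadow check only catches a rule that is covered by a single earlier rule; a rule that is covered by the union of several earlier rules slips through, and a real rule base also has to consider negated objects, time ranges and the implied rules the product installs ahead of the visible ones. Even this much, run over the object definitions before the policy is pushed, removes the silent failure mode the post worries about.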