1) It doesn't harden the system (Unix or NT or whatever it runs/will run
on) by itself: it's up to the security admin to harden it: what if
they are not smart enough to do it properly?
1: Firewall-1 does install a kernel driver between the NIC driver and
the OS (except on HPUX). So at least in theory the OS should be
protected by whatever the firewall itself is hardened against. As for
the sys admin not being smart enough to do it, well, companies get what
they pay for.
If the admin person isn't savvy enough to do it right, then that's not
the fault of the firewall. Personally I find it appalling that someone
would claim to be an administrator of their company's network security
and take it on blind faith that a product protects them as claimed (or
for that matter does anything as claimed). So what if one firewall says
it hardens the system it's on? What exactly does that mean anyway? Do
>>you<< know? In my opinion, the cost of a firewall product itself is
only part of the equation, the other half is cost of testing the product
once it's set up. If you are not willing to fork over $$$ (be it time,
resources, product or services) then it really doesn't matter if someone
tells you the system was automagically "hardened" does it?
2) setting up the rules is a real headache, most of it defining all the
objects that make up the network. And everything which is difficult to
implement is error prone.
2: Setting up rules in Firewall-1 is easier than the other 1/2 dozen
firewalls I've used and looked at. First off, Firewall-1 is capable of
resolving network names just as any other system would, through DNS,
HOSTS, NIS or SNMP. If the rest of your network is running properly,
defining network objects is nothing more difficult than telling
Firewall-1 what the name of the system is, and letting it do all the
hard stuff (like remembering IP addresses). The only objects that need
to be defined are the ones that are directly affected by the rules
policy. If you wish to define a global rule based on a subnet, then you
define the subnet, then all systems in that subnet are affected by the
rule in question.
As for the previous poster, I don't think that I would decide on
Gauntlet unless I had already put a few more firewalls on a testbed.
Gauntlet is rated fairly well as far as security goes, but it's
performance figures suck. It drops packets left and right when under
high loads. If you want a contact # of a rep I know that would be happy
to get you eval copies of just about anything drop me an email. As for
the systems >>I<< would personally look at I would start with:
Firewall-1, AltaVista, Raptor, Gauntlet, Cisco PIX (hardware).
I would avoid at all costs:
Borderware (and probably Sidewinder too) and On Track's OnGuard. E-mail
me for details if you need them.