Hi,
Glad that somebody bring up this thread. I am also evaluating a box - Firebox
from Watchguard.
This box seems to have great vision in mind. I feel that they are try hard to
push firwall to commodity level.
Their solution is kind of neat to me. They have a box which run a "harden" Linux
kernel, this sounds to me a good edge, it is base in UNIX, a lot of people know
it and probably when there is security hole, it will be identified quick and
potentially closed quick (owing to the accessibility of source code by WORLD of
experts). You can constantly bugging your vendor of any security hole that you
know from any souce, like this list. This seems to better with PIX as you depend
soly on CISCO for any fix which they may not even ACTIVELY inform you. That
serves as the hardware part of the whole solution.
The software bit is also neat, as the company's commodity focus, they based their
Security Management Software (SMS) on readily available platform, Win 95, Win NT
4.0 & Red head Linux with X. As I should have point out the Firebox need a FLOPPY
to boot up the SMS provide a wizard like tools to walk you thru the BASIC
configuration. After that you can create your BOOT FLOPPY to boot up the
firewall. Upon initial boot up you can canfig the box thru network thru SECURE
channel.
Most importantly it got a very reasonable price range. I personaly feel a great
future for this product in the ever blooming market especially those enterprises
who can't afford the luxuary of UNIX proficient security expert, not to mention
the expensive UNIX workstation which most high end firwall solution RECOMMEND.
I do hope you guys can give me some guild line to METHODOLIGICALLY test the
Firbox - not firewall ;-).
Best regards
Emmanuel
Lars Bertelsen wrote:
> In your message you write:
>
> Black boxes may have holes in them too. Blackboxes run off software and
> software has bugs!
> Cisco have made many bugfixes to their operating system over time.
> Oh, and Cisco's run on a small unix or very unix-like OS!
> The difference between Unix based firewalls and blackboxes in this respect
> is that if a blackbox has a hole in it, only the manufacturer can confirm
> and fix it. It is not that holes aren't existant!
>
> Oh, and Unix doesn't have security holes as far as I know... Certain
> servers running under Unix have security holes, but that is something
> entirely different. Don't run anything on your Unix boxwhich isn't both
> safe and necessary!
> That way Unix is safe.
>
> >2. black-boxes require less time to manage reducing the need for
> >firewall/security staff.
> No comment. I haven't set up a Cisco PIX.
> But I would assume that if it does as many things as a Unix based firewall
> the it will take roughly as much setup and maintainence.
> A router takes less setup than an application-firewall because it only does
> one thing: Filter on packets.
>
> >
> >3. Unix based firewalls are more flexable as they can be tailored to the
> >specific application better then what the "black-box" designers decided was
> >needed.
> True. You can install and deinstall just what you want on a Unix box.
>
> Which sort og introduces :
> 4) Blackboxes are safer in inexperienced hands because you _can't_ change
> so much about them!
>
> Lars Bertelsen
> Gartnervang 29 tlf. 4635 1115
> 4000 Roskilde, DK e-mail of choice: lbe @
login .
dknet .
dk
Follow-Ups:
References:
|
|
