Subject: RE: Borderware vs Firewall - 1
From: manuel.ricca@pararede.pt
Date: 31 Dec 97 11:35:23 +0000
To: firewalls@greatcircle.com

These are (at least some of) the main features:

Borderware:
-> Proxy-based (transparent proxies)
-> 3 interfaces: internal, external, SSN. The SSN is a DMZ specifically designed for outbound servers. From the internal's point of view it's just like the external network and it implements NAT
-> It's based on BSDi but the kernel is hardened so that there are no write operations to the file system except for logging and upgrades. The proxies are 'chrooted', so even if someone can get access to the firewall the only filesystem he will have access to is from the proxy directory down
-> It has a split DNS
Firewall-1:
-> Packet filter with 'stateful multilayer inspection', i.e., connection state information
-> Unlimited number of interfaces
-> Can do NAT
-> It's modularized and you can even have your modules distributed (in the Enterprise version)
-> It has the INSPECT language, with which you can define rules based on some fields of a packet
-> It has 3 different authentication schemes: user authentication for HTTP, FTP, SMTP, rlogin and 2 or 3 more that I can't remember right now; client authentication (this is done by telnetting to the firewall on port 259 and signing on - this will 'open' the access rules that are defined for some user and that require this type of authentication - you then have to sign off when you're done) - this applies to any service you want; and session authentication - this requires building an authentication 'agent' that you can run at the source, destination or firewall host

Both have support for VPN (as an option).
I see Borderware as a 'black box'. It's not as flexible as Firewall-1, but it does have the usual required functionalities. It's also simpler to configure. The OS is REALLY secure. Firewall-1 is more sophisticated. It would probably be a better choice for a big corporate network. For a medium-sized network I think Borderware is a great firewall. Secure Computing also has Sidewinder, which is also a hardened BSDi-based firewall but it allows more stuff than Borderware (e.g., you can write shell scripts, it can have 4 interfaces and it does a few more things).

Hope this helps a little,
manuel
-----------------
Manuel Ricca
ParaRede - Tecnologias de Comunicação, S.A.
R. D. Constantino de Bragança, 12 1400 Lisboa Portugal
Tel: +351 1 3020451
Fax: +351 1 3020444
E-mail: manuel.ricca@pararede.pt
-------------------
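The post contrasts Borderware's application proxies with Firewall-1's packet filter that keeps "connection state information". The following is an added example, not code from the post or from either product: a toy simulation showing the practical difference between a stateless rule set (inbound allowed only when the ACK flag is set, the classic 'established' rule) and a filter that records each outbound connection and admits only packets belonging to a recorded one. The addresses, ports and packets are constructed sample data; the internal prefix, the `Packet` type and the two filter functions are assumptions made for illustration. Real stateful inspection also tracks sequence numbers, timeouts and FIN/RST teardown, none of which is modelled here.

```python
# Added example, not code from the mailing-list post or from either product.
# A toy model of the difference between a stateless packet filter and one that
# keeps per-connection state (the "stateful inspection" the post attributes
# to Firewall-1). Addresses, ports and packets below are constructed sample
# data; real products also track sequence numbers, timeouts and FIN/RST.
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed: the protected internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_decision(pkt: Packet) -> bool:
    """Stateless rule set: anything outbound is allowed; inbound is allowed
    only if the ACK flag is set (the classic 'established' rule). The filter
    has no memory, so it must trust whatever flags the remote side set."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return True
    if is_internal(pkt.dst) and not is_internal(pkt.src):
        return pkt.ack
    return False


class StatefulFilter:
    """Stateful rule set: an outbound SYN creates a connection entry; any
    later packet is allowed only if it belongs to an entry in the table."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def decision(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:
                self.table.add(key)       # new outbound connection
                return True
            return key in self.table      # later packets of that connection
        if is_internal(pkt.dst) and not is_internal(pkt.src):
            # Reply direction: look up the entry the inside host created.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return False


# Constructed traffic: a legitimate web connection, then an unsolicited
# inbound packet with ACK set that matches no connection, then a plain SYN.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, syn=True),            # client SYN
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True),  # server SYN/ACK
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, ack=True),            # client ACK
    Packet("203.0.113.9", 4444, "10.0.0.8", 139, ack=True),             # unsolicited, ACK set
    Packet("203.0.113.9", 4444, "10.0.0.8", 139, syn=True),             # unsolicited SYN
]


def compare_filters(traffic=SAMPLE_TRAFFIC) -> dict[str, list[bool]]:
    """Return the allow/deny decision of both filters for each packet."""
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_decision(p) for p in traffic],
        "stateful": [stateful.decision(p) for p in traffic],
    }


if __name__ == "__main__":
    for name, verdicts in compare_filters().items():
        print(name, ["allow" if v else "deny" for v in verdicts])
```

Running it shows both filters admitting the three packets of the real connection, while only the stateless filter also admits the fourth packet: an inbound segment with ACK set that no inside host ever asked for. A connection table closes that gap because the decision depends on what the firewall has seen, not on flags the sender controls; the cost, which the post alludes to with "connection state information", is that the firewall must keep and age that table.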
From: firewalls-owner@GreatCircle.COM
To: firewalls@GreatCircle.Com
Cc:
Subject: Borderware vs Firewall - 1
Date: 30-12-1997 23:30

Hi there . . .
I am looking at a comparison of two firewall products:
1/ Secure Computing's Borderware
2/ Checkpoint's Firewall - 1
________
H E L P
---------
Does anyone have their own comparison OR an opinion (good/bad) on the above products?
I look forward to some answers . . . . . as these firewalls look good on paper, but how are they implemented?
Thanks in advance for your help . .
Nigel Sanderson