Re: firewall survey

From: Pete Nesbitt (pete_at_linux1.ca)
Date: 11/26/04

    To: dana.holland@navarrocollege.edu, General Red Hat Linux discussion list <redhat-list@redhat.com>
    Date: Thu, 25 Nov 2004 19:20:09 -0800
    
    

    Hi,
    see inserted replies....

    On November 25, 2004 01:00 pm, Dana Holland wrote:
    > Although this isn't entirely on topic for this list, I thought this
    > would be an excellent group to ask...
    >
    > As our college prepares for reaccreditation, we're starting to evaluate
    > some of our internal processes. I'm trying to compare what we do with
    > others when it comes to technology, so I've designed a little survey
    > dedicated to just one decision-making process you might have to go
    > through. If you have time to answer these questions, it would be very
    > much appreciated.
    >
    > 1. Does your institution/organization use a firewall at the enterprise
    > level (institution-wide)?

    a) at work we use an ACL on a cisco router with firewalls on local servers
    b) at home (just as serious/important) I use a dedicated linux box for a fw.

    >
    > 2. Do you use a commercial product or a self-built product?

    The fw's used on servers at work are all IPtables (more correctly NetFilter &
    IPtables) for Linux, and for Solaris we use ...can't remember the name but it
    is similar OSS (non-commercial). I use home grown scripts to manage iptables.

    Same for home (but pure linux:-)

    >
    > 3. Is your firewall considered to be a hardware appliance or a software
    > solution?

    a) at work, of course the cisco routers are hardware (running software:)
       -the IPtables on a server (or workstation) is a software solution.

    b) my home firewall is a software solution (IPtables on Linux). Although, as
    it is a dedicated headless box with little other functionality, it could be
    considered an appliance.

    >
    > 4. Related to question 3, do you feel that one is better than the
    > other? Why or why not?

    There may be speed advantages to hardware solutions that are based on a ASIC
    (application specific integrated circuit) as they have little overhead.
    However, using a barebones linux box you can get very good performance and
    any loss is easily offset in the granularity and flexibility of a software
    solution. Also, from a security aspect, sometimes vendors of proprietary
    solutions are not as forthcoming as they could be when it comes to reporting
    vulnerabilities.

    >
    > 5. What factors are involved in your decision to choose a firewall?

    Most important is reliability and ability to maintain it. Not necessarily ease
    of maintenance but understanding the underlying process so you can
    troubleshoot and react to (planned or imposed) changes.

    >
    > 6. Do you have a formal management process for evaluating a firewall?
    > If so, would you be willing to share it?

    We don't have a formal process.

    Typically, it is the configuration that you are concerned with (plus stable &
    fast), so any scans or penetration testing would really be checking the rules
    (not the FW per se) unless there is an unpatched vulnerability in the fw.

    >
    > 7. Obviously, cost and personnel experience are major factors when
    > choosing a firewall? Are there other factors that are just as important?

    Experience and solid understanding of how to write, maintain and review
    firewall rules is extremely important. You must be able to say for sure if
    the fw is blocking a broken service as that is the usual first suspect. You
    need to know with certainty because you can't be stopping the firewall just
    to prove it isn't the problem. (fyi, i find tcpwrappers is often overlooked
    when sorting out connectivity of a new service).

    I think cost should be a consideration in respect to the ability to buy a
    firewall (or train/outsource), however, remember what you're looking for,
    protection not savings! I prefer IPtables, despite the free price tag,
    simply because it is simple to add/remove/alter rules as needed, is well
    maintained, and has plenty of community support. I do not encourage the use
    of the front-ends that restrict the granularity or creation of custom rules,
    hinder a learning of the process of IPtables for new users, or that create
    their own non-standard config files. If a front-end exists that simply
    creates/inserts an iptables command line entry, that would be a good tool.
    One of the best things about IPtables is you can create and run your own
    script with lots of comments and custom rules, include keywords for grepping
    log entries, and react to emergencies very quickly.

    Given that the cost is ok and that you have ample experience on staff, then
    the single most important aspect would probably be flexibility. Meaning the
    ability to create custom rules in very little time, with minimal impact on
    the network. Actually although that is a single factor, it is determined by
    both the firewall and the admin's experience.

    I worked one place and they had to reboot the firewall box in order to
    implement new rules. That may have been either the fw, the os or the admin
    that caused this requirement, but I think either way it was unacceptable.

    You may also be looking for more than a fw, and may be concerned with
    email/spam filtering, vpn connections, etc.

    >
    > Thanks in advance for your help.
    > --
    > ************************************************************
    > Dana Holland dana.holland@navarrocollege.edu 903-875-7355
    > Navarro College Corsicana, TX
    > http://www.navarrocollege.edu/staff_pages/dana/dana.html
    > ************************************************************
    > All opinions stated are my own, and probably don't even
    > vaguely resemble those of Navarro College. :)

    Hope that helps.

    -- 
    Pete Nesbitt, rhce
    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
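An added example, not part of Pete's reply or the original list traffic: the kind of hand-written, commented iptables script with a grep-able log keyword that the answers to questions 6 and 7 describe, plus a helper that summarises the kernel log lines it produces. The interface name, open ports, log prefix and sample log lines are assumptions I constructed; the script prints the rules rather than applying them so the set can be reviewed (and diffed against the previous version) before being run as root.

```shell
#!/bin/sh
# Added example (not from the original post). Interface, ports, log prefix
# and the sample log lines below are assumptions, not values from the page.
WAN_IF="eth0"
ALLOW_TCP="22 80 443"          # services this box offers to the outside
LOG_PREFIX="FW-DROP-IN: "      # keyword that makes dropped packets easy to grep

# Print the rules instead of running them: review first, then pipe to sh as root.
emit_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    # Loopback and established/related traffic first: cheapest and most common.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # One explicit rule per allowed service, so each one can carry a comment.
    for p in $ALLOW_TCP; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log (rate-limited) and then drop everything else; the prefix is the grep keyword.
    echo "iptables -A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix \"$LOG_PREFIX\" --log-level 4"
    echo "iptables -A INPUT -i $WAN_IF -j DROP"
}

# Summarise kernel log lines (stdin) carrying the prefix: one line per SRC/DPT
# pair in the form "<count> <src> <dport>", most frequent first.
drop_report() {
    grep -F "$LOG_PREFIX" \
      | sed -n 's/.*SRC=\([0-9.]*\).*DPT=\([0-9]*\).*/\1 \2/p' \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample lines in the shape the LOG target writes to syslog;
# the last line is unrelated and must be ignored by the report.
SAMPLE_LOG='Nov 25 19:20:09 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4444 DPT=23 SYN
Nov 25 19:20:10 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4445 DPT=23 SYN
Nov 25 19:20:11 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=1434
Nov 25 19:20:12 fw sshd[123]: Accepted publickey for pete from 198.51.100.9'

case "${1:-}" in
    print)  emit_rules ;;    # sh fw.sh print | sudo sh      (fw.sh is a hypothetical name)
    report) drop_report ;;   # grep 'kernel:' /var/log/messages | sh fw.sh report
esac
```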
    
