Re: appliance firewall



Thad Floryan wrote:
On May 11, 4:32 am, 1PW <barcrnahgjuvf...@xxxxxxx> wrote:
On 05/08/2009 05:21 AM, Thad Floryan sent:
[...]
Product longevity, reliability and low cost per year are big pluses.
It's truly a plug'n'play appliance. Mine's been up for 117 days now
and that's only because my local cable provider was offline for awhile
one evening back in February when they switched over to DOCSIS 3.0
and I didn't know what happened so I cycled the TZ-170; it normally
will stay up for years because mine is on a UPS.
Hello Thad:

I appreciate the thoughtful rebuttal. Your good experience has
obviously made you a supporter. Even at about $300, it's hard for /me/
to justify the outlay for the TZ-180. Particularly when other
residential grade routers are as inexpensive as they are.

You get what you pay for. For a revealing look at how vulnerable the
"residential grade routers" really are:

<http://www.sourcesec.com/Lab/soho_router_report.pdf>


These attacks are either by malicious users on the *inside* of the network, or simply weak passwords or WLAN encryption. Using a good WLAN encryption and password is always important - you need to configure that for any firewall/router. But for devices at this level, vulnerabilities from the inside are totally irrelevant to security.

If you *do* need to protect from malicious people on the inside, you have far bigger problems than your firewall, and no SonicWall, Cisco, or any other standard device at any price is going to do the job - you need a network expert, not an off-the-shelf solution.


and that's just the tip of the iceberg. I see those and similar
problems all the time. And even some "pro" devices have more than
their share of problems and vulnerabilities (think IOS from a bug,
er, big name in Internet hardware :-)

I simply haven't seen those kinds of problems with the Sonicwall
devices in the 17 years I've been using them, and I've personally
installed 100s at client sites over the years and I've never had a
client's site comprimized. Ever.


*No one* sees these problems (other than the weak encryption and passwords) in real life - they are hypothetical and require knowledgeable and malicious attackers on the inside. In networks where that is realistic (such as at universities), you have experts running the security, and they don't use ready-made ready-configured firewalls.

I've seen Sonicwall's in use. They work fine, and do a good job - but are pretty expensive for what they do. I personally would not recommend a firewall/router that had some artificial limit on the number of nodes or users (and I certainly wouldn't consider "cheating" to get round these limits - if you think the functionality is worth paying for it, pay for it). And I wouldn't recommend a system that required annual fees to keep working (paying annually for support is fair enough, obviously).

If you really need something better than a cheapo firewall/router, then get a slightly more expensive one - SonicWall is one option, as are Zyxel, LinkSys, and a host of other options. *None* are significantly more secure than the others, in that *all* do a perfectly good job of keep out packets from the outside. They vary in speed, features, configuration interfaces, etc. For some uses, additional features such as accountancy and user management are worth paying for - though they have nothing to do with security.

If you want more than that, get a Linux box and learn iptables. I can set up my LinkSys WRT54GL to something more flexible and at least as secure as anything you can buy from SonicWall at any price - because I run Linux on it and control it myself.

.



Relevant Pages

  • Re: ICMP (Ping)
    ... Paul Kurczaba wrote: ... > Are there any security issues for allowing a firewall/router to respond to ... technical IT security event. ... Symantec is the Diamond sponsor. ...
    (Security-Basics)
  • Distro for home firewall/router and possibly mail/web server?
    ... Anyone got experience or link to reviews or comparisons on what Linux ... firewall/router for my home LAN. ... I might want to add mail server, ... My main concerns are security and performance. ...
    (comp.security.firewalls)
  • Re: Can I protect my RedHat 7.2 box from port scanning?
    ... > software and if he wants using iptables. ... The easiest way, IMHO, for a DSL user to setup a decent security is to ... and yes, sure, no sweat - he can with an external firewall/router. ... Doing so he can leave all kinds of juicy RPC services running and no ...
    (comp.os.linux.security)
  • block internet connection - solved
    ... from the netgear FVS318 firewall/router to the mac address of a nic on a ... prospectus based upon the core principle concepts of security. ... This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization ...
    (Security-Basics)