Fortinet 60 firewall and Sun Solaris

What remote management client -- it's browser based. Any browser that can handle Java should be fine. It's not dependent on your OS in any way.

If you're talking about the enterprise manager, that's for managing fleets of firewalls, which you're not doing.

There is a log program you can buy that's Windows-based, but your favorite Solaris syslog program will work fine.

You can quiz me offline or here about the FG -- I've done *lots* of work with them, and I'm a big fan.

-Russ.

-- Somebody.

I've recently agreed to do some development and test work for a non-profit organization, and am configuring my home site as a full internet site. In discussing this with my upstream provider's networking honcho, who is also my neighbor, we identified "a better firewall" than the D-Link DI808-HV I'd been using, and he is very high on Fortinet. However, his operation is primarily Windows, and I am 100% Solaris 8/9 running on Sun UltraSPARC hardware, currently a 4-node setup.

Looking over the current hardware firewall scene, Cisco offers the PIX 501, which is a bit limited for my needs, and the next step up is the 515E, which is much too big and expensive. Similarly with Sonicwall, I was underwhelmed by the TZ170 (against the PIX 501), and their next step up is the PRO-2040. Anyway, I decided to look at Fortinet, and it looks as though their model 60 might be a good box for me to consider.

I put in a call to Fortinet sales, after looking at their website and identifying at least one item (their remote management client) that was Microsoft-specific. I'm awaiting a definitive answer from their technical people on Solaris compatibility (i.e., how much longer is their exception list) before considering their box any further.

I don't know anyone else besides my neighbor who is running Fortinet appliances; everyone else has Ciscos, and there is a part of me that says "don't gamble, buy a 501 and live within its limits for a year or two, then replace it; there is sure to be something better that isn't $2K+ or Windows-targeted by then." The other half says that for a couple hundred more, I can use the FortiGate 60's added capabilities, if it will run with Solaris, and is as good as they claim.

While nobody ever got fired for buying Cisco, I'm retired, and doing this just to keep my hand in, in a very rural part of the country, and feel a bit blessed to have high speed internet access from a local provider. I think I'm this outfit's only Unix-based customer. And I'm really wondering which way I should jump. I'm not going to spend a lot of time and money on buying even an el-cheapo Windows consumer box and learning how to use it (which I already know is a nasty affair for a Unix guy), and 45 years in the computer business was enough.

So my question really is whether to gamble on the FortiGate 60 working well for me, or just settle for the PIX 501?

Hank

-- Henry van Cleef

In article , Henry van Cleef wrote:
: Looking over the current hardware firewall scene, Cisco offers the
: PIX 501, which is a bit limited for my needs, and the next step up is
: the 515E, which is much too big and expensive.

The 506E is in between. It is fixed configuration (2 interfaces), but noticeably faster than the 501 and does not have a limit on the number of inside hosts. It does support adding two 802.1Q "logical" interfaces, so if you happen to have VLAN-capable infrastructure it can act as a DMZ.

-- Walter Roberson

Hi Henry,

If you are running Solaris, as we do too, in a 100% Solaris server environment, you have some choices for firewalls:

- Checkpoint FW, for me the best one I have ever seen, but the price is also high-end.

- SunScreen, if you are using Solaris 9 it is delivered with your Solaris OS. I am sure it will fit your requirements. It's not as bad as some people say.

- IP Filter, if you change to Solaris 10, is also part of your OS and free, like SunScreen.

- Any external FW, and the PIX surely has a good price/performance ratio.

Best regards,
Hans

-- hans m42

Hans

Have you looked at the Sidewinder G2? Built on SecureOS(TM). Never been hacked.

-- Ipeefreely

To borrow freely, "there are two kinds of operating systems - those that have been hacked, and those that will be".

I could introduce the crappiest, buggiest OS tomorrow and say it's "never been hacked". You have to look deeper than that, to see what processes are in place at the developers' offices to make sure that the OS is secured.

Finally, of course, there's the issue that the OS doesn't need to be hacked, if the people can be - and if the OS is too difficult to understand, the people will be easier to hack, because they don't always know what they are doing.

Alun. ~~~~

-- Alun Jones

And a third kind -- the ones not connected to any network and protected by armed guards.

Sorry, the Sidewinder remote management client only runs on Windows.

Since you want to stay 100% Solaris, your best bet is likely SunScreen.

You do realize how long Secure Computing (SCC) has been in business, and how long they have been shipping "SecureOS", their own in-house BSD variant?

I'm not going to quote marketing literature about how wonderful the Sidewinder product is; as a customer I've had a few bad days (and nights, and days that ran into the night) with this product -- but I can say the same for every commercial or free security product I have deployed. No "security" product can be perfectly flawless.

I will say "Sidewinder G2 is not as sucky as the average firewall appliance", and they can quote me on that.

Which is why I use OpenBSD, and actually examine the source myself when I am feeling really paranoid. Unfortunately, Secure Computing doesn't publish the source to their custom BSD variant, and really doesn't encourage customers to treat SecureOS as an OS, but rather as a closed platform more like Cisco's PIX-OS.

> ...the processes in place at SCC.

IMHO, that sentence is too difficult to understand. Sidewinder G2 is sold as an appliance firewall, and customers are encouraged to use the pretty (Windows 2000 or XP only!) GUI and not worry about whether they understand the OS. This (in theory) also makes it really easy to replace your firewall administrators with point-and-click NOC monkeys when budgets get tight.

Kevin Kadow

-- Moderator, unofficial Sidewinder Users group

-- KKadow

Then it's still not the OS' success that it hasn't been hacked.

Not that I'm saying that an unplugged, physically secured OS is a bad thing, mind you - just that under those conditions, Windows 3.1 qualifies, too.

Yes - my comment was made as _contrast_ - to indicate that "never been hacked" is only impressive if you multiply the number of users by the number of years that they've used the OS. [Perhaps throw in a fudge-factor based on the level of skill of the users, and how exposed their systems are]

"Never been hacked" by itself is relatively meaningless.

Yeah - some vendors seem to think that "security" equates to "unusable", and they make their interfaces impenetrable, and the documentation more so. And don't let's get started on the home firewall/routers, where it's clear that there's one configuration they tested, and if you're not running with that setup, you're screwed.

At some point, you do have to trust that the vendor is doing a better job of source analysis and investigation than you can. After all, if you were as good at it as they are, that'd be you making and selling the secure operating system.

That's an important issue - what processes are in place. It's one thing to not be hacked, but eventually a hack is going to happen, and whether or not you are ready to deal with it is a very important question.

:-)

That's wonderful. Trust your security to a device configured and maintained by "monkeys".

Alun. ~~~~ [Please don't email posters, if a Usenet response is appropriate.]

-- Alun Jones

Thanks for the comments, Hans. I'm locked into Solaris 8 (client requirements) and 9 (UltraSPARC I hardware), and am familiar with SunScreen. Properly configured, SunScreen does a good job.

Those touting the Sidewinder G2 are talking about an appliance that is Microsoft-specific, and not usable in my shop.

My upstream provider is very strong on FortiGates, and I think there are some things to like about the 60 as opposed to the PIX 501. I've cut the consideration list down to the PIX 501 and FortiGate 60 and right now am very inclined to run with the FortiGate.

Hank

-- Henry van Cleef

I use a lot of them in a lot of settings, and I doubt you'll be unhappy with the choice of the FortiGate.

-Russ.

-- Somebody.

> Those touting the Sidewinder G2 are talking about an appliance that is

The Sidewinder G2 is not Microsoft-specific. The G2 runs on a hardened SecureOS(TM) based on the BSD kernel.

-- Ipeefreely

I'm not even very comfortable calling a PC running an OS and a Software load an appliance.

-Russ.

-- Somebody.

But you will recommend:

"- Checkpoint FW, for me the best one ever seen" -- I am assuming on Solaris OS.

Let's see:

Application layer vs. stateful inspection: what is more secure for me?

How much is my data really worth?

Patch the OS... patch Checkpoint... New vulnerability: patch OS, patch Checkpoint.

Problem exists:

Call Checkpoint: "That is not our problem, that is an OS problem."

Call Sun: "The problem lies in the Checkpoint software."

I know, I went down that road with Gauntlet.

Look at all the vulnerabilities in Checkpoint compared to the G2.

Look at the EAL, Common Criteria, NIAP and robustness of the two, or of any of the firewalls that are on the market.

What other firewall on the market is EAL 5+ for vulnerability and penetration tested by the NSA?

So call it what you will... but it is still the World's Most Secure Firewall!

-- Ipeefreely

When the firewall policies are decided by a committee, arguably the lowest form of intelligence on the planet, why not use a higher form of life to implement and maintain them?

K

-- KKadow

Sorry Mr. Pee Freely, I'm not sure what your point is with all the above in terms of a reply to me, perhaps a general statement. I don't advance using Gauntlet, Checkpoint, or any of the other things you mention. I prefer Fortinet firewalls. They have NSS, ICSA, Common Criteria, etc. certification.

They aren't built on a PC with an OS and software; it's all proprietary and lives in flash and ROM chips on the boards. All units still function when a hard drive fails, low-end units have no moving parts, high-end units have hot-swap fans. They do complete content reassembly, including scanning inside zip files -- all of which is done in silicon with a very flexible ASIC. They have a very straightforward browser-based (i.e. platform-independent, no software to install) interface, and a great command line (telnet/ssh) interface for debugging, configuring and manipulating a simple text config file. I install these and system admins are *excited* and happy at what they can now do themselves and the new protections and capabilities they have. They end up calling me back later to get more units for their colleagues or the little shops they take care of on the side. At the high end I cluster them up to do intrusion prevention and anti-virus at gigabit speeds with redundant failover links at a fraction of the cost of solutions that have per-node costs for these protections.

Fortinets have EAL 4 certification; perhaps you'd be kind enough to educate us all on what the difference is between that and EAL 5+. I don't tend to get wrapped up in certifications, I leave those to the marketing folks.

I will ask you, what happens when your hard drive fails in your firewall?

-Russ.

-- Somebody.