Best way to go?

The college where I work is (finally) allowing me to install an enterprise firewall this summer, so I'm in need of opinions as to what people here think are the best solutions more than anything else.

I am looking to have no more than 1000 computers managed, with three zones (students, staff/faculty and DMZ). I need to control P2P, and I would *like* to have a decent IDS system.

So is a hardware appliance better than a software solution? I'm no Linux person at all (we're an all-Windows environment), but anything can be learned, so I don't want to rule out a software solution if it is a better fit. Also, solution cost has been and always will be a determining factor for me.

I realize everyone is likely to have their own favorite solution, but I really do need to see what is being used in the real world.

TIA everyone!

Rick

Rick Bruner, Director Technology Support Services Huntingdon College - Montgomery AL Phone: 334-833-4540

Reply to
Rick Bruner

Maybe, the link will help you. And whatever you get make sure it's ICSA certified.

formatting link
Software running on a host is only as secure as you can make the host, including Linux.

Duane :)

Reply to
Duane Arnold

KWF...

formatting link

-Frank

Reply to
Frankster

Did you ever read the ICSA evaluation report they're so proud of? Better have a puke bag ready.

Reply to
Sebastian Gottschalk

The ICSA evaluation report that includes the following?

That one?

-Frank

Reply to
Frankster

er

Mind you about the part "Criteria Violations and Resolutions"

| · The product failed to log every ICMP message type.

Sorry, but that's simply lousy. Wipfw is 50KB in size and gets this right. One can only get this wrong by f****ng it up intentionally.

| · The product was susceptible to a variety of trivial Denial-of-Service attacks.

D'oh. In detail, it was SYN, UDP and ICMP floods as seen in the earlier report (use Google Cache). Loser quality at best, makes a secure system vulnerable in first place.

| · The product incorrectly terminated TCP connections when sent spoofed/invalid RST packets.

Even too stupid for TCP connection tracking.

Actually, one can see this evaluation that way:

- Evaluation finds that the product sucks.

- Vendor fixes the most obvious holes.

- Evaluator certifies that the patches work.

- Result #1: product gets certification

- Result #2: product still sucks

Not minding that ICSA Firewall Baseline Profile is just at the level of determining that a product doesn't suck totally and is sufficient for SOHO needs. I guess a college with ~1000 computers doesn't qualify for such low needs.

Reply to
Sebastian Gottschalk
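Editor's added example, not code from this thread or from any vendor product: a toy stateful packet filter showing what two of the quoted criteria actually require of a firewall. Every ICMP message is logged before the accept/drop decision, so no type can slip past the log, and a RST segment only tears down a connection when it matches a tracked flow and its sequence number falls inside the window expected from that side. All addresses, ports and sequence numbers are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Flow key: (client_ip, client_port, server_ip, server_port). Constructed toy.
FlowKey = Tuple[str, int, str, int]


@dataclass
class TcpState:
    established: bool = False
    # Next sequence number we expect from each side of the connection.
    rcv_nxt: Dict[str, Optional[int]] = field(
        default_factory=lambda: {"client": None, "server": None})
    window: int = 65535


@dataclass
class Firewall:
    flows: Dict[FlowKey, TcpState] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)
    # Inbound ICMP types let through: echo reply, destination unreachable, time exceeded.
    icmp_allowed: frozenset = frozenset({0, 3, 11})

    def icmp(self, src: str, dst: str, icmp_type: int, code: int) -> bool:
        # Log first, decide second: the quoted finding was that some ICMP
        # types went unlogged, and ordering it this way makes that impossible.
        accept = icmp_type in self.icmp_allowed
        self.log.append(f"ICMP type={icmp_type} code={code} {src}->{dst} "
                        f"{'ACCEPT' if accept else 'DROP'}")
        return accept

    def _lookup(self, src, sport, dst, dport):
        # Map a packet onto an existing flow and say which side sent it.
        if (src, sport, dst, dport) in self.flows:
            return (src, sport, dst, dport), "client"
        if (dst, dport, src, sport) in self.flows:
            return (dst, dport, src, sport), "server"
        return (src, sport, dst, dport), "client"

    def tcp(self, src, sport, dst, dport, seq, flags, payload_len=0) -> bool:
        flags = set(flags)
        key, side = self._lookup(src, sport, dst, dport)
        st = self.flows.get(key)

        if "RST" in flags:
            # Connection tracking is what makes spoofed RSTs harmless: the reset
            # is honoured only for a known flow, and only if its sequence number
            # lies inside the window we expect from that side.
            expected = st.rcv_nxt[side] if st else None
            if expected is not None and expected <= seq < expected + st.window:
                del self.flows[key]
                self.log.append(f"RST accepted, flow {key} closed")
                return True
            self.log.append(f"RST dropped (no flow or seq {seq} out of window) "
                            f"from {src}:{sport}")
            return False

        if st is None:
            if flags == {"SYN"}:
                st = TcpState()
                st.rcv_nxt["client"] = seq + 1  # SYN consumes one sequence number
                self.flows[key] = st
                return True
            self.log.append(f"DROP non-SYN {src}:{sport}->{dst}:{dport} with no flow")
            return False

        if {"SYN", "ACK"} <= flags and side == "server":
            st.rcv_nxt["server"] = seq + 1
            return True
        if "ACK" in flags and side == "client" and not st.established:
            st.established = True
        # Ordinary segment: must start exactly at the expected sequence number.
        if seq != st.rcv_nxt[side]:
            self.log.append(f"DROP seq {seq}, expected {st.rcv_nxt[side]} from {side}")
            return False
        st.rcv_nxt[side] = seq + payload_len + ("FIN" in flags)
        return True


def demo() -> Tuple[List[str], bool, bool]:
    """Run a handshake, a spoofed RST and two ICMP messages through the filter."""
    fw = Firewall()
    c, s = ("10.0.1.5", 40000), ("203.0.113.10", 80)  # constructed addresses
    fw.tcp(*c, *s, seq=1000, flags=("SYN",))
    fw.tcp(*s, *c, seq=5000, flags=("SYN", "ACK"))
    fw.tcp(*c, *s, seq=1001, flags=("ACK",))
    fw.tcp(*c, *s, seq=1001, flags=("ACK",), payload_len=120)
    # A RST that claims to come from the server but carries a sequence number
    # nowhere near the tracked window: dropped, and the connection survives.
    spoofed_accepted = fw.tcp(*s, *c, seq=123456789, flags=("RST",))
    still_open = (c + s) in fw.flows
    fw.icmp("198.51.100.7", c[0], 8, 0)   # echo request: logged, dropped
    fw.icmp("198.51.100.7", c[0], 3, 3)   # port unreachable: logged, accepted
    return fw.log, spoofed_accepted, still_open


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The in-window check is the classic behaviour; RFC 5961 tightens it further by only resetting on an exact sequence match and answering other in-window RSTs with a challenge ACK, which is a drop-in change to the `expected <= seq` comparison above.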

You cannot say that.

Most hardware appliances have the advantage that you're getting a ready-made box: it's comfortable.

To set up Free Software and free firewalling implementations on your own box has the advantage that you know exactly what's going on, including being able to read the source code.

I prefer the latter. Your choice.

Yours, VB.

Reply to
Volker Birk

Duane Arnold

Reply to
Volker Birk

Reply to
B. Nice

Reply to
Jason Edwards

Sure?

For sure not. Even some of the oldest TVs do employ software.

Such software is usually hard to notice because, in comparison to PC-based software, you'll never need to reset because of failure.

Depends. A ROM, even in shape of an EEPROM, is actually hardware-implemented software, as it's a hardware-connected flow control.

Pong was particularly interesting for that because it could be easily implemented with analogous signals without much need for discrete control flow.

Reply to
Sebastian Gottschalk

A ROM is no more software than is a diskette or CD.

Software is not the same as electrical circuitry.

Reply to
Leythos

I don't believe that. Many TV devices are older than micro computing.

Yours, VB.

Reply to
Volker Birk

If you feel this way about ICSA certification, why did you bring it up?

-Frank

Reply to
Frankster

At first, this is not as bad as it means. I would require devices with ICSA or equivalent certification for any serious business, of course only after reading the evaluation.

But the point is that KFW is so proud of its certification and still sucks, whereas the certification proves that it sucks. Just as an argument to dismiss your bad suggestion.

I guess the bigger question is: Cheap KFW which sucks vs. good but expensive ISA 2004 vs. cheap netfilter on a Linux box or alike vs. expensive high-quality PIX? What about proxies and DNS?

Reply to
Sebastian Gottschalk

Okay, we disagree. You think it "sucks" (technical term?) and I don't. I'll leave it at that.

-Frank

Reply to
Frankster

Please let me re-write your comments without the obvious bias.

- Evaluation finds product does not meet ICSA cert criteria

- Vendor fixes problems and/or bugs

- Product gets certification.

You know as well as I do that if I searched the ICSA cert DB I could produce a scenario like this for virtually every major enterprise firewall out there. It's just part of the process.

-Frank

Reply to
Frankster

I can assure you that my oldest working TV does not employ software. Analog(ue) electronics only.

Yes failure doesn't need reset, just replacement of some part which failed due to insulation breakdown or dried up electrolyte or some other age related reason.

Ok so if I asked you to define exactly what software is, what would you say?

I don't know how the human brain works but do you think that there is any distinction between hardware and software in its working? Does the concept of software even apply?

Jason

PS I won't be here again until tomorrow earliest.

Reply to
Jason Edwards

Generally you would want to split this function. Build a good perimeter defense and build an IDS as a second project.

What you want is a good perimeter defense that meets your requirements.

The best solution would be to hire a security consultant to assist you in defining your specific requirements, writing an RFP and inviting several suppliers in to provide a proof of concept. The POC should demonstrate the ability of the product to meet those requirements. You should be sure that you define what your high availability requirements are and the size of your connection to the net. You also need to determine if you will have requirements for NAT and specialized applications.

As far as contenders I would look at

- Checkpoint

- Cisco PIX

- Netscreen

There may be others but the majority of enterprise solutions use these as the basis. In any case, select a solution that will allow you to implement your security policy and administer it easily.

Reply to
rick

Yeah, but the triviality of the flaws and therefore the lack of previous quality assurance is devastating.

Reply to
Sebastian Gottschalk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.