hardware firewall buying

You are incorrect - the device permits all outbound traffic, unless you've configured it to block outbound. The device also permits all forms of files to be downloaded via HTTP and SMTP.

So, to say that "Nothing" gets through is very misleading and only talking about 1 direction.

Reply to
Leythos
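The point above about the BEFSX (inbound blocked by default, every outbound connection allowed unless you add outbound rules) can be shown with a toy packet-filter evaluator. This is an added example, not code from the thread or from any router vendor; the addresses, ports and rules are constructed sample values, and the two policies are assumptions standing in for a factory-default consumer router and an egress-filtered configuration.

```python
# Toy packet filter (added illustration, not code from the thread or any vendor):
# models the default-allow-outbound behaviour described above. All addresses,
# ports and rules are constructed sample values.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (WAN -> LAN) or "out" (LAN -> WAN)
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                  # "allow" or "deny"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port
    dst: Optional[str] = None    # None matches any destination

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport) and self.dst in (None, p.dst))

def evaluate(rules, default, packet):
    """First matching rule wins; otherwise the per-direction default applies."""
    for r in rules:
        if r.matches(packet):
            return r.action
    return default[packet.direction]

# Factory-style consumer router: unsolicited inbound dropped, all outbound open.
CONSUMER = ([], {"in": "deny", "out": "allow"})

# Egress-filtered policy: only named outbound services pass; everything else is denied.
EGRESS_FILTERED = ([
    Rule("out", "allow", "udp", dport=53, dst="192.0.2.53"),  # constructed resolver
    Rule("out", "allow", "tcp", dport=80),
    Rule("out", "allow", "tcp", dport=443),
    Rule("out", "allow", "tcp", dport=25, dst="192.0.2.25"),  # constructed mail relay
], {"in": "deny", "out": "deny"})

# Constructed traffic: ordinary browsing, two outbound connections a compromised
# LAN host might open, and an unsolicited inbound probe.
SAMPLE = {
    "web":   Packet("out", "tcp", "192.168.1.10", "198.51.100.7", 443),
    "irc":   Packet("out", "tcp", "192.168.1.10", "198.51.100.9", 6667),
    "smtp":  Packet("out", "tcp", "192.168.1.10", "198.51.100.9", 25),
    "probe": Packet("in",  "tcp", "198.51.100.9", "192.168.1.10", 445),
}

def decisions(policy):
    rules, default = policy
    return {name: evaluate(rules, default, p) for name, p in SAMPLE.items()}
```

With the consumer policy only the inbound probe is stopped; the IRC and direct SMTP connections from the LAN host sail out, which is exactly the "one direction" gap the post describes.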

Don't get me wrong, I think the BEFSX will do you fine too - you appear to understand the limitations of the "Firewall" part of the device, and how to take care of your network. Many people that have no such technical skills will not understand the difference and it will not be enough protection for them.

Reply to
Leythos

I've never been hit, but I have been toying with viruses, trojans, and malware for nearly 17 years now just to see what it is they do. Partly because a good defense is to know what the offense is doing, but mostly because I am curious to a fault.

But I use Symantec Ghost religiously. Images are made daily, so restoring the system to a pristine state is easy.

There is the occasional flame war about the definition of the term firewall. Leythos is a purist and adamant about the definition. But that is just a difference of opinion and point of view. (The RFC2979 document, which defines anything with a packet filter as being a firewall, is quite old after all.)

The fact remains that if you want reliable information about firewalls and security, Leythos is the one to ask.

Reply to
Spender

True. But in that case, even an upper end "true" firewall device will be useless since they will not take the time to learn how to configure it.

A desire to learn how to be secure is the first step towards security. But there will always be that clueless portion of PC users who don't give a thought to security until their system has every virus, trojan, and malware running.

That's a shame. Well, kind of a shame. Those people bought me a 2007 Dodge Charger with a 5.7L Hemi. Now when they have a problem, I can get there really fast. Hell, my draft will probably blow those little Geek Squad VW's off of the road...

Reply to
Spender

Nonsense, you have repeatedly expounded a thoroughly fallacious line on the matter and it's been found wanting.

Which proves sweet FA except that it can pass a test.

"may or may not"

Note the wriggling. Previously our friend has sworn blind that only ICSA certified solutions were really firewalls.

Now that Chocolate Fireguard products are uncertified, one can only wonder at the swinging in the wind.

More back-pedalling.

Passing certification does not and has never implied 'working properly' (your words, not mine)

Oh puhleeeze.

Au contraire, you have made that claim several times, would you like me to embarrass you further by quoting chapter and verse about alleged 'non firewalls'.

Our friend wriggles yet again.

greg

Reply to
Greg Hennessy

No, he's flogging a rather pedestrian line of appliances.

Except his answer changes every time the flaws in his previous one are detailed.

Leythos still cannot explain why identical firewall code, identically configured on two platforms, suddenly diverges into a firewall/'non firewall' state when only one of those platforms gains ICSAlabs certification.

greg

Reply to
Greg Hennessy

As long as you play the "out of context" game I'm not going to keep discussing this with you.

I will say it again:

Having a certified appliance means that the device has performed as specified in the testing and is considered a valid firewall solution in the tested configuration.

Having a solution that has passed certification, but is configured differently than in the certified solution, does not mean that it is still a valid solution.

Having a dedicated firewall solution that was tested on platform X does not mean that the same software on platform Y will pass the tests that certified the first solution.

Having a firewall that has passed certification means that you can expect it to perform as tested and to protect against the threats it was tested against.

Having a certified solution means anyone can have an expectation that the solution will work as specified.

Having a non-certified solution does not mean that the firewall will fail or will not protect the network, but, it does not mean that the firewall will protect the network either.

Having a non-certified solution also means that you have no basis to determine what threats will/will not impact the security of the solution that you've picked.

So, now you can pick parts of what I've written to try and make your lame case, but the fact still stands, a certified solution gives the correct expectation that the device/solution will protect the network, while an uncertified solution leaves that determination up to the individual building and configuring the solution.

Reply to
Leythos

Yes, I have, several times, and you keep ignoring it.

There is more to a firewall being secure than how you configure the firewall application itself. There are a number of variables that impact the solution, which you seem to not understand or which you want to ignore.

Reply to
Leythos

You haven't, I have asked the question several times.

How does ICSA certification make Checkpoint FW-1 running on SPLAT or Nortel ASF a 'firewall', when identical code running on non ICSA certified Redhat, Nokia IPSO or Crossbeam turns them into alleged 'non firewalls'?

Simple question. What is your answer relating to the 'specific' platforms mentioned above.

Which has absolutely sweet FA to do with ICSA labs and their certification.

Nebulous waffle.

Oh puhleeze, do not teach your grandmother how to suck eggs.

Reply to
Greg Hennessy

I have not quoted anything out of context, you have repeatedly asserted that the lack of certification somehow turns a firewalling product from a functional state into a non functional one. That's fact, you cannot deny it.

You have repeatedly shown a complete lack of comprehension w.r.t. the operation of L3 packet filtering and even gone as far as to deny the relevant RFCs and supporting evidence from Ranum, Bellovin et al, all on the basis that the OSI documentation doesn't mention the term 'firewall' anywhere.

Rubbish, all that says is that it passed a test, a test the vendor paid ICSA to do.

It says absolutely nothing about the product being a 'valid firewall solution' in the real world.

You have been told this several times by yours truly and other posters.

Your self serving cluelessness on this and other security related topics is not the fault of the audience.

ISTR that you're the 'expert' who advocated pointless MAC filtering with WPA when even a brief familiarisation with how WPA works makes it self evident that WPA does implicit MAC filtering as standard.

[yet more self serving contradictory back-pedalling rubbish binned]
Reply to
Greg Hennessy

Leythos hasn't flogged the likes of the Linksys NAT routers. On the contrary, he has stated quite clearly that they have their place and will function perfectly well for many home users.

I saw his explanation. Maybe you didn't read his response thoroughly. His idea is that the same code on different hardware might not work identically. One might meet certification tests, and one might not.

Reply to
Spender

He has repeatedly peddled Watchguard appliances purely on the basis that their more expensive models were 'certified'.

Wrong, if you read the documentary record he has claimed on several occasions that products without ICSA certification couldn't possibly be firewalls.

I did, it is complete uninformed bollocks. The guy makes authoritative statements about platforms he knows absolutely nothing about.

Leythos has previously claimed that IPTables running on Sveasoft couldn't possibly be a valid firewall solution because it wasn't ICSAlabs certified. When it was pointed out that ICSA certified Astaro ASL uses IPTables to implement its security policy, Leythos had no answer.

There is absolutely no difference between using ASL to create a secure policy versus using Smoothwall or sacrificing barnyard fowl to achieve the same end by hand on the exact same hardware.

Security is a process not a product. Leythos has previously claimed that IPFilter couldn't possibly be a valid firewall solution because it wasn't ICSA labs certified, when it was pointed out that Sun actively maintain and support IPFilter on Solaris as their preferred firewall solution, he changes the terms of reference to 'tested and inspected' by a 'reputable' company.

etc etc etc

His 'idea' says nothing of the sort,

Why is a 'certified' system running Checkpoint FW1 SecurePlatform a 'firewall', but the exact same code running on the exact same hardware hosted on a non certified Redhat install is a somehow 'non firewall', his words regarding all products without ICSAlabs certification not mine.

We are expected to believe that ICSA certification grants some level of fitness for purpose which in reality doesn't exist outside of configuring a submitted system + $10k to pass ICSAlabs certification.

greg

Reply to
Greg Hennessy

No, if you go back and check, I've said I pick WG over all other vendors' products because of the features, the built-in proxy services, the fact that I can buy a new soft key to increase performance and features, that I get very good support, etc...

I also like that they are certified, in fact, it was one of the main reasons that I even tried them so many years ago, and it's also something I check on every 6 months or so. I've contacted WG and ICSALabs

- WG was unaware that they had been dropped as their products have passed (current and past) and are contacting ICSALabs.

No, I've claimed that they can't be certified as firewalls AND that you don't know that the device/solution actually performs as a firewall because there is no governing authority that has provided independent testing that it does meet the firewall claim.

No, I've never said that X product on Y platform, when X on Z was certified, was not a valid firewall, I've clearly said that you can't be sure.

You need to get back in to the actual discussion instead of your diversion - I'll say it again: Any certified solution is given a reason to believe that it will properly act as a firewall.

Any solution using PARTS of the certified solution, does not make that solution certified and does not give any reason to assume that it will also provide the SAME level of protection.

Now, nowhere in the two statements above have I said that X on Y is not a viable firewall solution.

If the solutions are not EXACTLY THE SAME, then there is no reason to expect them to work EXACTLY THE SAME.

Yes, and you appear to not understand certification or the reason for it.

I've not changed anything - read the above two statements and show where I've said that IPFilter on any platform was not a firewall solution - you can only show where I've said that if something does not pass certification or does not have certification, that you don't know if it will protect you.

Yes, it clearly does, and I've said it more than a dozen times.

Because the solution is DIFFERENT, NOT EXACTLY THE SAME, which means you don't have any expectation of the same level of protection.

You seem to have something other than discussion invested here - could it be that you have ties to some firewall solution that you're not telling us about?

Reply to
Leythos

You Sir, are not a particularly good liar.

You made every claim mentioned by yours truly in this thread


The google record and ridiculous attempts to spin your way out of it speaks for itself.

greg

Reply to
Greg Hennessy

Since I'm not making a statement of it being or not being a firewall, why do you keep trying to make it into that?

I've only said, and continue to say, that a certified solution means I have a valid expectation that the solution will meet the requirements as tested.

A non-certified solution means I have no testing/certification to provide me with an expectation that a solution is going to work. Do not take this as meaning that I'm saying a non-certified solution is NOT a firewall, I've not said that, you just keep missing what I'm saying and assuming that I'm saying that.

So, again, many firewalls that people use are not certified and they protect their networks as well as the people feel they need to be protected (at least they think they do), but this in no way means that the solutions work properly or don't work properly.

So, again, to make it simple for you - Certification gives a user the expectation that the solution will work as tested. Without certification you are on your own.

Reply to
Leythos


Since you could not quote what I said, here it is:

> if you can't post a link to a reputable company that certifies it as a firewall then it's still just a test project or a hope-to-be firewall solution.

And I stand by that statement - if the solution has not been tested, proven by an independent company, to protect the network, as designed/required, then you can call it anything you want, but it's just a test or a Hope-To-Be Firewall solution.

I can install FW-1 in an insecure manner, on an improperly configured machine, and it won't be considered a firewall solution, it would be considered a MESS and an unsecured design. Like it or not, just because you use FW-1 or some other product that HAS been included in a test/validation, until your solution, as built, has been tested (or you use the solution that was tested), you don't really know what you've got, other than a bunch of hope and hot air.

Reply to
Leythos


There you have it folks.

Cisco's ASA, which is based on over a decade's worth of PIX development, is only a 'hope to be' firewall solution, because its ICSAlabs certification is pending.

Darren Reed's IPFilter, as shipped on Solaris as standard and supported by Sun as their preferred packet filtering solution, is a 'hope to be' firewall solution.

I can well believe that.

That applies to all firewall installations, rendering the notion of anything being 'proven' by ICSAlabs certification superfluous.

Firewall-1 running on IPSO or Crossbeam are not ICSA certified solutions.

Note to the audience: Nokia IP Series and Crossbeam C/X series running Firewall-1 are the hosting platforms of choice for Banks, Telcos and other large enterprises who run Checkpoint software to protect their networks.

The 'expert' here has just deemed them 'hope to be' firewall solutions.

No more comment is necessary really.

ROTFL! I cannot believe he's coming out with the exact same b*llocks yet again.

How can one possibly use 'the solution that was tested' when the security policy loaded onto said device will always be different?

Oh Gawd. Here we go again, argumentum ad nauseam, from the thread link I posted previously.

"I'll remind everyone that until it's been proven to be a firewall by some independent authority on the matter as accepted by the community, that it's not a firewall either. "

"As it is now, unless we inspect the code, line by line, and then run a battery of tests against the inside and outside interfaces, we don't know if it's a firewall. "

greg

Reply to
Greg Hennessy

Our hair splitting chum has said precisely that regarding non ICSA certified firewalls.

"I'll remind everyone that until it's been proven to be a firewall by some independent authority on the matter as accepted by the community, that it's not a firewall either. "

"As it is now, unless we inspect the code, line by line, and then run a battery of tests against the inside and outside interfaces, we don't know if it's a firewall. "

greg

Reply to
Greg Hennessy

Hi Spender !

Have a look at the TrendNet router TW100-BRV204. I like it very much - it has SPI, you can set up firewall rules for incoming and outgoing comms, and it even has VPN. I have used it for ½ year now and it performs well (I have tried to have about 30 connections open and active at the same time without any problems). I say Go For It ;-)

My regards Søren

"Spender" wrote in message news: snipped-for-privacy@news.easynews.com...

Reply to
Søren Skovgaard

Yes, and how does that amount to flogging the lower end devices?

Whether or not he considers them to be real firewalls is just semantics. The RFC2979 document considers a simple packet filter to be a firewall. Regardless, Leythos has never said that a lower end unit can't provide security to a home user. He has simply pointed out that such units won't ever provide complete security.

And there is the rub. Since the code was not tested on any given unit, peculiarities of a given system might cause the code to malfunction.

Sure he did. His answer was that the latter solution had not been tested and certified. He never said the solution won't or can't work. He just said it wasn't tested and certified.

Of course it is a process. But you had better make damn sure about the quality of the products you are using or your process might blow a gasket.

Pure nitpicking. Much ado over nothing if you ask me. Why does it upset you so much?

Reply to
Spender
