Hardware vs software firewall

True but nowhere near the scale of those found on OS based firewalls.

Errr, no, case in point Cisco PIX501 vs Netscreen 5GT and TZ170, look at the performance specs.

Really, do tell how you get Checkpoint on an Windows box going then?

When was the last time you looked, and what have you looked at? It seems your knowledge may be out of date (here's a hint: I've already mentioned a product several times).

Sorry, I come across Linux boxes like that all the time, and watch 'em get binned.

Mark S

Ahh huh, looks like you're another Linux fan who has no experience on the other stuff available.

No it's not. It's IDP. Learn the difference.

Mark S

Please, get your head out of your backside.

Even the most basic appliances do it.

All you're doing is proving you think linux is the be all and end all without any knowledge of the other products out in the world.

Mark S

Ahh, what about PIXes then?

They're all PCs too, not sure what they have under the hood, might be bastardized Linux I think?

Mark S

Therefore your Firebox units are able to perform any task, subject only to hardware limitations and the availability of a Linux distribution customised to the hardware and task. Linksys ADSL routers are another example of an appliance running a small Linux distro, except that firmware is available from sources other than the vendor - so you can convert a Linksys from a NAT router into something that looks much more like a firewall.

In practice, any attempt to distinguish between hardware and software firewalls is a largely meaningless exercise. In the context of this thread, the distinction is between dedicated and integrated (i.e. running on the same machine as the application) firewalls. As you have already pointed out, dedicated firewalls typically expose fewer vulnerabilities.

Triffid


appliances

Actually, Nokias run IPSO, a FreeBSD derivative, and it is actually a small PC ;)

Checkpoint itself runs on Solaris, RedHat Linux (supported), SecurePlatform (hardened RedHat-based distro from Checkpoint), IPSO and *cringe* Windows, oh, not to forget Sofaware. In most of those cases, it is hardly considered a software firewall however, as it hooks into the kernel and the TCP/IP stack directly. One good example of how closely they are interlinked is fw monitor, a packet capturer from Checkpoint that does not need to go into promiscuous mode and adds flags for the firewall chains the packet traverses.

The usual difference lies in how well the firewall code integrates with the underlying OS. At the end of the day, a hardware firewall is still a firewalling module on an underlying operating system. There is, as such, no difference. Appliances (or hardware firewalls) just have customised, specialised software/hardware.

dc

datacide

Yea, if I open the case on my FireBox it's just a PC, but, in looking at the parts, it's not a motherboard I could order from anyone. Even the parts are reasonably high end (I used to design boards a long time ago). The unit (Firebox) is single tasked, and without hardware changes to the unit, it will not do anything other than work as a firewall.

Leythos

No, I think I'll let it stay plugged, lest I unduly tempt you.

Sorry, but the above URL *reinforces* what I stated. There are severe limitations to hardware firewalls which you can't get around with the limited configuration available. I used FTP as an *example* of where you would want a way to program a firewall, and that the product has a hardcoded exception for that particular case doesn't make it any more configurable -- rather the opposite! That the vendor has thrown in an FTP exception doesn't help when you have a different application that needs a similar approach. Again, the question isn't whether it's supporting FTP, but whether you can *set up a rule* for it to support FTP. And you can't.

And I'm not hawking Linux (in fact, the only mention of Linux in my article was "Linux/BSD") -- I'm trying to debunk the popular belief that hardware appliances are any *better* than a multi-ported box with firewall software. The OS itself is of minor importance here (heck, many of the firewall appliances run Linux, invisibly to the user), as long as it allows for fast enough handling of the routing and actions. Run Unicos for all I care! It's the black box approach that's limiting, not the OS.

I'm using a firewall appliance myself, for cripes sakes, because of the ease of configuration, load balancing / fail over capabilities, and low power usage and noise factors. But I know the limitations (many of which I've listed before, in addition to the above), and would never recommend it as a solution when something better is needed.

Arthur Hagen

No, you haven't mentioned a single firewall appliance that you can configure for active FTP, for example. Keyword being *configure*.

That's usually because of a lack of one of the necessary ingredients listed above - the skills to set it up.

Arthur Hagen

That's per the specs, and good. At least it means that a non-privileged user on the ftp box can't exploit this as easily.

Mostly good. However, there are cases where this isn't the case, especially when an FTP server is load balanced. Better would be to be able to allow if either the embedded MAC or the IP matches, but then again, that wouldn't be foolproof either. FTP really should use a challenge-response token. :-)

Not so good. That means no EPRT support[1], and higher level packet inspection tends to not do too well when packets are fragmented. The latter shouldn't be a problem when the FW device is the only router on a homogeneous network, but a VPN client, for example, might encounter problems.

A good thing, but a better thing would be for the user to be able to *configure* things like that, which is my point :-)

[1]: Even when using IPv4, a client might try EPRT first, and fall back to PORT only if the server doesn't grok EPRT.

Regards,

Arthur Hagen

Yep. At least partially (PORT supported, but not EPRT). I learn something new every day. If I didn't, life would be boring :-)

Regards,

Arthur Hagen

From the WatchGuard support site, since I've not had time to set up a test, here's your ACTIVE FTP setup:

Active FTP

In this mode, the FTP server connects to the client on a port specified by the client.

There are a few details about which the Firebox FTP proxy is particularly strict:

  • The source port of the data connection must be TCP 20 from the FTP server.
  • The data connection from the FTP server must originate from the same IP address as the control connection.
  • The PORT command from the client must take the form of "PORT x,x,x,x,x,x"

So, the Firebox does indeed handle Active FTP with the default rules.

Leythos
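Added example, not code from any poster or from WatchGuard: a small Python model of the three Active FTP checks quoted above, also exercised against the two cases raised earlier in the thread, a client that sends EPRT instead of PORT, and a load-balanced server whose data connection comes from a different IP than the control connection. The IP addresses and commands are constructed.

```python
import re

# Strict "PORT x,x,x,x,x,x" form only (the third quoted rule): six
# decimal octet fields, IPv4 only. EPRT and anything else fails here.
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})$")


def parse_port(cmd):
    """Return (ip, port) from a strict PORT command, else None."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # high byte, low byte
    return ip, port


def allow_data_connection(control_server_ip, client_cmd,
                          data_src_ip, data_src_port,
                          data_dst_ip, data_dst_port):
    """Apply the three quoted Firebox checks to an inbound active-mode
    data connection. Returns (allowed, reason)."""
    parsed = parse_port(client_cmd)
    if parsed is None:
        return False, "client command is not strict PORT form"
    want_ip, want_port = parsed
    # Rule 1: data connection must come from TCP source port 20.
    if data_src_port != 20:
        return False, "data source port is not TCP 20"
    # Rule 2: data connection must come from the control-connection
    # server IP (this is what breaks a load-balanced FTP server).
    if data_src_ip != control_server_ip:
        return False, "data connection not from control-connection server"
    # Sanity: the server must be connecting to what the client asked for.
    if (data_dst_ip, data_dst_port) != (want_ip, want_port):
        return False, "data connection target does not match PORT command"
    return True, "ok"


if __name__ == "__main__":
    # Constructed addresses: server 203.0.113.5, client 192.168.1.10:1025.
    print(allow_data_connection("203.0.113.5", "PORT 192,168,1,10,4,1",
                                "203.0.113.5", 20, "192.168.1.10", 1025))
    print(allow_data_connection("203.0.113.5", "EPRT |1|192.168.1.10|1025|",
                                "203.0.113.5", 20, "192.168.1.10", 1025))
```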

So, I guess you now know of an appliance that supports Active FTP without any changes to the rules.

Leythos

And if the firmware you updated was a fuller version of Linux, would it transition from being an appliance to a server?

Justins local account

Only if I could run things like PAN, Apache, KDE, and it could support storage of files and such. As it is the box does not have video, keyboard, or a hard-drive - that makes it an appliance in my world.

Leythos

Hi,

PIXes run Cisco IOS of course!! And no, it is not bastardized Linux. There are other OSes about, specifically for routers/switches/firewalls. Juniper has their own, Crossbeam, Cisco etc etc.

regards dc

datacide

Fair enough,

It is actually Cisco PIX Operating System (OS) which is based off of Cisco IOS.

Thank you for saying "no" and not providing us with the answer though, that's very helpful ;)

regards

dc

datacide

I am not here to act as your tutor.

Really? Then why bother putting in a comment?

According to Cisco, PIX OS is a proprietary embedded operating system, so you're right, it's an independent OS. You could have just said that though without getting so snotty about it. If you're not here to share, why bother trolling?

regards dc

datacide

No they don't.

greg

Greg Hennessy

Incorrect yet again.

PIX config, while having a superficial similarity with IOS, is *not* based off of it.

I suggest googling to get the relevant history of how Cisco acquired PIX from Network Translation Inc.

I am not here to act as your tutor.

greg

Greg Hennessy
