WRT54G is a FW appliance?

I am being told that because the WRT54G Linksys NAT router uses NAT, IPtables, SPI and proxies it is now considered to be a FW appliance like a Watchguard.

I'll give it to the WRT54G that it fits the category of a packet filtering FW router, unlike the other Linksys products that I have seen and used but I am being told otherwise.

Anyone have any comments on this I would appreciate it?

Duane :)

Reply to
Duane Arnold

When it can tell the difference between HTTP and anything else on port 80, and that's not going to happen anytime soon, it will be a firewall.
Reply to
Leythos
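
The distinction raised in the post above, between permitting traffic by port number and checking that port-80 traffic really is HTTP, shown as an added example that is not part of the original thread. The function names and sample payloads are constructed for illustration.

```python
import re

# Request-line grammar (RFC 9112): method SP request-target SP HTTP-version
REQUEST_LINE = re.compile(
    rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+ [\x21-\x7e]+ HTTP/[0-9]\.[0-9]$"
)

def port_filter(dst_port, payload):
    """Packet-filter view: the decision uses the destination port only."""
    return dst_port == 80

def http_aware_filter(dst_port, payload):
    """Proxy-style view: port-80 traffic must also open with a valid HTTP request line."""
    if dst_port != 80:
        return False
    line, sep, _ = payload.partition(b"\r\n")
    # No CRLF yet, or an over-long first line, is treated as not HTTP.
    if not sep or len(line) > 8192:
        return False
    return REQUEST_LINE.match(line) is not None

# Constructed sample flows: (label, destination port, first bytes sent by the client)
SAMPLES = [
    ("http get", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("ssh banner", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("tls hello", 80, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"),
    ("bare text", 80, b"hello there\r\n"),
]

def compare(samples):
    """Return {label: (port-only verdict, HTTP-aware verdict)} for each flow."""
    return {label: (port_filter(p, d), http_aware_filter(p, d)) for label, p, d in samples}

if __name__ == "__main__":
    for label, (by_port, by_proto) in compare(SAMPLES).items():
        print(f"{label:10} port-only={by_port!s:5} http-aware={by_proto}")
```

Every sample passes the port-only rule; only the genuine HTTP request passes the protocol-aware check.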

Thanks

You would not believe what I am going through in a wireless NG about a 54G and a WG. :)

Duane :)

Reply to
Duane Arnold

Wrong. You're confusing a proxy with a firewall. Some firewalls have proxies, but a proxy just isn't a firewall by itself.

Reply to
Micheal Robert Zium

I've heard about those hacks, and if it does what you said, it sounds a lot like a Watchguard setup. I've been meaning to investigate it further for quite a while now...

Reply to
Micheal Robert Zium

Yea, I would - it's the same as the people that think that because a Marketing document calls a device a firewall, when it was formerly called a router, and with no changes - except to the document, it's now called a firewall.....

Many people think that Linux is secure, that Unix is secure, that a Mac OS X system is secure, that because they use the DMZ IP on their router that they are secure, etc....

I don't argue with people much any more, I just let them know that the devices have some nice features and make a nice barrier for a home user or a small startup business or a non-profit group that can't afford a real firewall, but I explain that they are clearly not firewalls, but have "firewall LIKE" features. SPI does not make the device a firewall.

Reply to
Leythos

There was a lot more to the thread than just the part that you snipped.

If you've ever taken the time to follow my posts on this subject, your stating that "a proxy just isn't a firewall" is redundant.

My complaint is that I've yet to find a simple NAT device that claims to be a firewall that is really a firewall - while they have some nice marketing hype, they are often not even close to being a firewall, some can't handle any load inbound, some can't handle more than 40 outbound connections without resetting, etc....

Reply to
Leythos

.... more simplistic /non/-/sequiturs/ doesn't make it valid.

Point in fact: OpenBSD is widely reputed to be the most secure system commonly available.

1) No system using it is certified by your "reputable" certification agency.
2) OpenBSD itself is not certified by your "reputable" certification agency.

From that we can draw two obvious conclusions:

1) Lack of said certification means nothing.
2) Your logic is invalid.

More verbosely, that means you *can* use ICSA certification to suggest that a particular certified device is probably suitable; but you *cannot* say with any validity that a non-certified device is therefore unsuitable (which is what you have stated).

Regardless, none of this applies to the OP's original question, which had *nothing* to do with some technical level of quality for a firewall. He asked if Linksys equipment is any different than the Watchguard devices marketed as "FW appliances". The answer is that there is no difference. Several of the Watchguard devices (which are not ICSA certified either) that are marketed as "FW appliances" have virtually identical or lesser capabilities than the Linksys device specified.

By *any reasonable* definition they are all firewalls. Whether they are top of the line, fully featured, or the most secure, is of course neither here nor there in regard to the OP's question.

What the OP has been falsely claiming, and you and at least one other person seem to be supporting, is that because the *high* *end* Watchguard devices are high quality the low end devices are therefore acceptable by default; and then you do not extend the same bypass to Cisco's low end devices apparently because they use the Linksys brand name.

The fact is... the WRT54G is a better firewall than the equivalent Watchguard devices, and comes at a significantly lower cost too. They are *both* suitable for many or most SOHO needs, and neither are suitable for any network that requires the best firewall technology available.

Reply to
Floyd L. Davidson

Send me a link to where it's passed any certification as a firewall.

Reply to
Leythos

If it's running the excellent sveasoft firmware, I would consider it to be such.

greg

Reply to
Greg Hennessy

Out of the box firmware has *exactly* the same features as those mentioned above. Sveasoft firmware adds other features, and provides significant flexibility in *configuration* of those features.

(And this has all been explained to you previously *in detail*, in a thread on alt.internet.wireless.)

Reply to
Floyd L. Davidson

Are you referring to the 3 categories [res, smb, corp] of ICSA labs 4.1 firewall certification or something else, ie some other certification?

I guess I'm asking -- 'does certification as a firewall = ICSA labs 4.1 certification as any category above, or does certification as a firewall mean something else?'

Reply to
Mike Easter

In general, if it has an ICSA Certification of 4.0 or now, 4.1, and it carries a valid cert from them, then it's a firewall without question:

Linksys is not even listed, and it's not under the CISCO section either.

Reply to
Leythos

When I was trying the link I get this response:

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/html/icsa/common/sql/productfield.inc:48) in /usr/local/www/html/icsa/common/common.inc on line 4

Are there some other links that I can try instead?

Regards Andersajja.

Reply to
Anders

I used googleweb for the site icsalabs.com on product.php and then I 'adjusted' toward firewall from the antivirus section where I landed and got

formatting link

Reply to
Mike Easter

Yea, I got it too, don't you just hate sites that you can't cut/paste the URL from:

click CERTIFICATIONS, click FIREWALLS, click link to ICSA CERTIFIED FIREWALL PRODUCTS, click VIEW CERTIFIED PRODUCTS.

Reply to
Leythos

Which has *what* to do with the price of fish ?

Try persuading me that the OpenBSD packet filter as used on OpenBSD, NetBSD & FreeBSD somehow isn't a firewall because it's lacking 'certification'. Better still ask Theo that question.

Better still please tell the audience why IPFilter which runs on over half a dozen platforms and is shipped and supported by Sun as standard on Solaris, is lacking in the firewall dept just because it lacks thinly disguised marketing bollocks called 'certification'.

I refrain from recommending products purely on the basis of a tickbox marked 'certification'.

If you had spent five minutes figuring out how and why Sveasoft manages to convert a so-so broadband router into a truly useful firewalling *appliance*, then you wouldn't have asked such a profoundly daft question.


Alchemy includes many feature additions over the Linksys standard firmware including:

- Hotspot portal
- PPTP VPN server
- Two-way bandwidth management (includes P2P, VoIP, IM)
- SSH client and server
- Telnet
- Startup, firewall, and shutdown scripts
- WDS repeater mode
- Client mode (support multiple attached devices)
- Adhoc mode
- OSPF routing
- RIP2 routing
- Power boost to 251 mw
- Antenna select
- Static DHCP address assignments
- Additional DDNS support
- Wireless MAC address clone
- VLAN support (hardware only)
- WPA over WDS
- WPA/TKIP with AES
- Client mode WPA
- Client isolation mode
- P2P blocking/bandwidth management (Gnutella, Kazaa, etc)
- Port triggering
- Wake-On-Lan
- Remote syslog
- Remote Ntop statistics
- SNMP
- Safe backup and restore
- Reset on firmware upgrade
- Status includes system uptime and load average
- Status for wireless clients and WDS
- Site survey
- Remote NTP server support
- Supports new WRT54G V2.2 and WRT54GS V1.1 models

greg

Reply to
Greg Hennessy

If it's not been certified then how do you know it's really a firewall with REAL ability to protect? If there are no certifications, then what do you really know about the product?

If there is a standard acceptable level of protection, that seems to be accepted by the security community, then what other means of validation would you use?

Are you suggesting that all government agencies and corporate entities should be able to use IPFilter to reliably protect their LAN/DMZ areas because you say it's good enough?

Sure I would, as I don't see any certifying agency that claims it's secure. I could push anything out there and "say" it's a firewall too, but until it's been tested against the industry standards and passed, there is no valid way to know just how good it is.

Maybe daft is believing that you don't need third-party validation of something that protects your home/business/corporation.

[snipped list of features]

When it's been tested by a certifying agency and passes, then it's a firewall, until that time we/you can hope that it's a firewall.

Reply to
Leythos

Thanks. Andersajja

Reply to
Anders

If you need to ask that question, you really shouldn't be working as an IT security professional.

Certification tells you SFA about any product or individual.

There isn't. RTFSP on all ICSA reports.

A non sequitur. 'I' am not saying anything about its utility. 'I' am pointing out the fallacy in your argument.

'I', have built secure environments for customers using all of the above and some, because 'I' personally have taken the products in question and tested them to such an extent that 'I' personally was satisfied with their fitness for purpose.

Putting any security product into a customer site purely on the say so of some untrusted third party is profoundly irresponsible.

Which has *what* to do with installing *anything* for one's customers.

You have personally tested everything you sell just to confirm that it does exactly what it says on the tin ?

You are aware that marketing BS in no way reflects the real world capabilities of any product ?

You are aware of the dictum 'process not product' ?

Uninformed nonsense.

Will this '3rd party' indemnify me and/or my customers if their testing and/or methodology is found wanting.

Who will my customers blame, if I install any product purely on the basis of some 'third party validation' (to which I had no input) which was found wanting in either performance or fitness for purpose ?

No it damn well isn't. Read the small print.

ROTFL! When was the last time you did a penetration test?

greg

Reply to
Greg Hennessy
