WRT54G is a FW appliance?

Why are you making "authoritative" pronouncements about a product you are not familiar with, instead of asking for advice from people who are?

The questions asked were *not* about certifications. That was *your* response, which does *not* provide a valid answer.

That isn't what you've said... and that would be nice back pedaling except...

You just said you don't dispute that it is a firewall, and then again you say that it isn't. Mince weasel words if you like, but such obvious logical contradictions reflect on all of your conclusions.

So you have no actual knowledge about *any* of the devices that the OP asked about. Okay...

I see no reason to trust assertions you are making. You admit to no special knowledge about the specific equipment, and make illogical references to certification of alternate products by one company and not for the other, and then only for high end equipment costing 10 to 100 times as much.

Moreover, your "certification agency" requires a paid contract from the vendor before a product will be evaluated, and certification will be dropped if the contract is not kept current!

It still reduces to the fact that ICSA certification probably does suggest that a given product meets at least minimum standards while a lack of ICSA certification means *absolutely* *nothing*. Your comments are logically invalid because they have all been based on lack of certification.

There are points of interesting significance about the ICSA certifications though, which should not go unnoticed. I mentioned previously the lack of any reference at all to OpenBSD, and that *clearly* restricts the idea that ICSA certification is in any way a broad based definition of what is or is not a viable firewall.

That is a negative inference, but there is at least one positive point that can be inferred too. A simple count shows that ICSA has certified more than 20 devices using the Linux OS, offered by a diverse group of 9 different vendors. No other specific OS is listed with anything like that number of units or vendors.

The obvious conclusion that can be drawn is that non-proprietary Linux solutions provide top quality firewall functionality.

Both Watchguard and Linksys use Linux based firewalls on equipment that has not been certified by ICSA. Some of the high level Watchguard devices using Linux have been certified, while Cisco, owner of Linksys, uses a proprietary OS on high end devices.

Reply to
Floyd L. Davidson

Let me explain this one more time, read it slowly:

Just because someone comes out with new firmware for a NAT Router, that does not make it a firewall no matter how many "features" they say they have added - at the same time, it does not mean it's not a firewall. The problem is that unless it's been tested and inspected by some reputable company/organization, there just isn't any way to have a basis for its acceptance as a firewall. Notice I said tested and reputable in the same sentence.

As for secure networks and testing, I design secure networks for a living, and I've been at it for a long time - we've never had a single compromised customer in our history and I've never had a compromised network as long as I've been around. I don't install unproven technology, don't believe in marketing hype, don't believe certification proves that something is perfect, but I will start with certified products as a basis for consideration over non-certified products, then test them in our shop, test them in the field, and if they pass all of our tests, then I will test them with select customers and then finally will start using them in customer solutions on a regular basis.

Now, before you get your dander up, I have nothing against the new firmware or the NAT routers used in Home solutions, in fact, for home users I always recommend a NAT solution as the first barrier device in their protection. At the same time, I don't believe something is a firewall just because I've read it on Usenet/Web/Print, and I almost never believe marketing speak, and I trust my ability to test and confirm a secure solution.

You seem to be asking me, and all of us, to believe that something is a quality firewall without any certification - and I don't know many people that are willing to risk their business reputations on unproven solutions without independent confirmation.

Reply to
Leythos

You're wrong, I've been to the forum, been to their site, looked at what they say and what others say, but I still don't see any official independent testing authority that states it's certified or passes all XYZ tests.

You seem blind for some reason, I said, now again, that I don't make claims as to what it is or isn't, only that I've not seen any independent certification authority that's tested it and no other organization that states it's a firewall that's passed any standardized testing.

I have a lot of first hand experience and knowledge about the devices asked about - but my searching about the 54g and its firmware still does not find any reputable authority that's tested it and published the results.

WTF are you talking about - I don't make any assertions, you are; you seem to want everyone to believe that the 54g with third-party firmware is a secure firewall appliance, but you offer no reputable verification of its testing.

I have already said, certification or other independent agency/organization, but you keep missing it and keep calling it back-pedaling - but I see that you still can't provide any validation for the product.

And you continue to expect people to believe that because some third-party firmware is loaded into a router and claims to be secure, with no reputable verification, that it's a firewall that everyone should trust? Ha!

Here is the only thing you need to remember/take away from this discussion - you are proposing that people believe in an uncertified and unverified (by independent company/organization) product because you say so. You offer no proof that the third-party firmware for the router is a reliable firewall product that's PROVEN by some group, agency, certification authority, to back up your claims.

Reply to
Leythos

Greg Hennessy wrote in news: snipped-for-privacy@4ax.com:

So the out-of-the-box firmware you would just consider to be a packet filter FW? Duane :)

Reply to
Duane Arnold

The fact is that I don't have anything that proves the WRT54G is a better firewall or even a firewall, other than unproven statements. When it comes out as being a firewall that should be trusted as documented from a reliable/reputable source, then I'll consider it as something that is worth using/installing.

It's not about if it's a firewall or not, it's about having some reputable company say that it is and provide testing results that indicate it is.

What you and Greg fail to see is that I don't have a problem with it being a firewall, don't dispute that it may indeed be a firewall, but I don't see certifications or statements from industry reputable companies/organizations stating that it's been fully tested and meets all the requirements - and neither of you have shown this to be false.

As I said before, show me where it's been tested by some reputable company/organization, with links to the testing process and results, and I'll believe it's a firewall. Until that time it's just lip service.

Oh, to make it clear, we don't sell any products, don't sell Watchguard; we install most of the large players' devices, and are happy with most vendors' products for their designed functions - including NAT in the cheap Linksys units and other vendors' similar products for home users.

Don't read into what I typed; show me links to reputable testing results or to a certification and I'll consider the firmware to have provided true firewall functionality. Until I can read independent test results I see no reason to trust the assertions you and Greg make about the 54g.

Reply to
Leythos

Oh yes it does if one can install a stateful filtering policy on it which passes penetration testing and meets audit requirements for both the client and the vendor.

A Cisco router with a firewall feature set is a firewall.

A 1U rack server running (link) is a firewall.

A Linksys WRT54G/GS running iptables (spit) with stateful connection tracking is a firewall.

It's running the exact same netfilter code as (link) etc etc etc.

Those are the facts.

You're now attempting to move the goalposts from 'certification' to 'tested and inspected' by some allegedly reputable company/organisation.

Oh puhleeze, enough with the ex post facto back pedal already.

Back in the real world, PF, IPFilter and IPTables (spit) based firewalling solutions are used to protect networks globally.

Some of us do have customers who require high packet rate gig-e solutions, but cannot afford the arm and a leg Crisco would charge them for a 535 + annual maint.

Some of us do have customers with stringent audit and logging requirements to comply with double 7 double 9.

IT security professionals with even a modicum of clue are aware of the capabilities of all mainstream stateful packet filtering software, not just that which comes with a pretty ICSA labs sticker + price tag.

You have absolutely no idea what's running inside a wrt54G/GS now do you, be a man, admit it.

You don't appear to realise that the GS model has for example, hardware vlan tagging on its 4 port switch.

Functionality which Sveasoft makes available to the end user.

You appear to have no notion that, that little 70 buck box can statefully packet filter between all 5 fast-e interfaces at pretty close to wire speed as a consequence.

You don't appear to appreciate the appeal of having something cheap and cheerful which can sit in the big bad world providing enterprise WPA courtesy of inbuilt radius/1x support.

Something which can take care of itself and provide tunnel endpoints at a price point significantly cheaper than a VPN concentrator.

A daft hair splitting non sequitur.

1st you claim that it couldn't possibly be a firewall without some form of 'certification'.

When I point out that Sun are shipping *and* supporting IPFilter on Solaris 9 and 10, you try and change tack from that ridiculous position to that of 'tested and inspected' (sic) by a reputable company.

Now you're back to certification nonsense again.

Give it up already.

IPFilter has been securing networks globally for a decade.

OpenBSD, and by implication its packet filter, have been the recipients of DARPA funding.

The notion that either are 'unproven solutions' is laughable nonsense.

If you want to make a living selling ICSA 'certified' chocolate Fireguards, by all means do so.

However that doesn't make them somehow better as a solution for customers.

Security is a process *not* products.

greg

Reply to
Greg Hennessy

Quite.

greg

Reply to
Greg Hennessy

I quoted the relevant part. What you were referring to is completely irrelevant. You posted an incorrect claim and I called you on it.

I've seen more than enough of your false firewall definitions. Your inability to grasp the definition of a simple firewall makes any statements you make in this group appear suspect at best. You have to remember that there are a lot of people who read this group and rely on the information and advice you give.

Since you apparently don't even know what a simple firewall is, maybe you should reconsider handing out advice/information until you're a bit more familiar with the subject of this newsgroup. Or, as an alternative (based on your previous advice/information) you could create your own group called: "comp.security.firewalls.buy-watchguard-because-iptables-isnt-a-firewall".

Maybe you should cut to the chase and post your definition of a simple firewall. You know, something that if it meets that minimum criteria it would be considered a true firewall.

Reply to
Micheal Robert Zium

No, I didn't post anything incorrectly, you just didn't like what I posted. If the product had been certified it "would" be a firewall. As it is now, unless we inspect the code, line by line, and then run a battery of tests against the inside and outside interfaces, we don't know if it's a firewall.

Simple Firewall? There is no such thing as a simple firewall - It is either a firewall or it isn't a firewall, there is no middle. Sure, some firewalls have lots of extra features when compared to other vendors/cheaper units, but the definition of a firewall remains the same.

Maybe you could also stop giving advice about a product that has no reputable company espousing its virtues and no reputable source of documented testing to back up your claims?

I've claimed many times that I will pick Watchguard when I get a chance; I use several of their products in my business and home and with many clients, but I also use other vendors' products and have no problems with any of them - and they seem to have no problem providing certified testing results to prove their protection claims.

Maybe you should stop the diversionary tactics and post a link to a reputable company's/organization's full review and testing methods/results of the third-party 54g solution? I've brought it up in almost every post, where's the proof by some reputable company?

The box, as an entire unit, needs to be tested by some independent authority, results posted and verified, then it will have community support as a quality product - until that time, it's just a project to develop a firewall appliance. You don't really expect a Medical center to install a 54g with unconfirmed firmware as a firewall based on some unconfirmed posts on a web or Usenet group, do you?

So, drop all the other comments and all your failing to answer the one important question each time, and post a link to a reputable company or organization that has specifically reviewed the 54g running the third-party firmware and shows their testing methods and results.

Reply to
Leythos

You're either trolling, or you're too stupid to look up a few inches to see what you actually wrote. It's right there. Go ahead, look! Now, where did you say anything about "certification"? That's right, you didn't.

BTW, by your definition, the SOHO line of Watchguards aren't firewalls. Personally, I think they are, too bad you don't.

I bet you wish you never wrote that. You realize what you just did, don't you? Besides making yourself look like a drooling idiot, you just proclaimed that every single "firewall" (read Watchguard) you've ever sold or installed isn't really a firewall. That single sentence, all by itself, completely destroys any shred of credibility you thought you might have. I don't think I need to spell out why, but I'll be happy to, if need be.

Do you even read what you write?

And that definition continues to evade you.

Ummmm...what advice? I don't remember giving any advice on the WRT54G.

Actually, they did have trouble getting certified, and only the corporate line is certified.

The more you evade giving your definition of a firewall, the worse you look.

You just don't get it, do you?

Quit posturing and answer the most basic question this newsgroup has ever had.

Reply to
Micheal Robert Zium

I was going to say something, but it felt too much like shooting fish in a barrel.

greg

Reply to
Greg Hennessy

And neither are the Watchguard models that have been compared to it. Other than costing a great deal more and having fewer features, they aren't really any different.

I find that to be an amazing statement, given the other things you have said! You are aware that none of the Watchguard wireless units have ever been certified either, right? And that none of the ones cited as comparable (meaning they only cost 4 times as much) have been certified.

And now that the WRT54G has been around for a couple years or so, tell us just how many reports of security problems have shown up? And how many is that compared to Watchguard's certified units???

:-)

You can't provide any for the Watchguard Firebox SOHO 6 units that have been compared to it either.

Or do you actually expect home users to spend a few grand for a certified high end firewall?

So where are the reports of how poorly it performs? In fact it uses the *same* Linux firewall that is used in several certified models. Is the same true of all the Watchguard units???? Or only of those Watchguard units using Linux?

Actually, the thing anyone will likely take away from this discussion is that you are not being logical or practical either one. I have no idea what is driving your comments, but they are irrational.

Well, you know none of my computers are certified to C2 security either. Are yours? If not, why not? How can you possibly sleep at night knowing you have equipment that is uncertified and unverified by someone to meet the necessary standards for a secure computer system?

My bet is that your DSL or Cable modem is not certified either (except by UL or Consumer's Union to not be either a fire hazard or likely to electrocute you).

Did you get independent certification for the CPU in your computers? How do you know they *really* can do IEEE math without errors????

Reply to
Floyd L. Davidson

I'll say it again, since you keep avoiding it - post a link from a reputable company that has tested the third-party firewall firmware for the 54g and certifies it as an approved firewall appliance.

Reply to
Leythos

It's quite simple, and you two seem to be trolling a lot - if you can't post a link to a reputable company that certifies it as a firewall then it's still just a test project or a hope-to-be firewall solution.

Reply to
Leythos

In all you've said, you've just done the same as you have in every other post you've made - you've avoided showing any reputable review of the firmware/appliance combination that states it passed accepted testing methods.

You seem to know that you've lost your position as you keep bringing in things that have nothing to do with it being approved/certified by any reputable company/organization.

Reply to
Leythos

Certification of the SOHO6 wireless is pending (link).

As is the SOHO 6 non-wireless unit.

As are two ICSA certifications for the low end wireless X series (link).

And if you want an easy to read table - all of the firebox line was certified at one point as a firewall (link).

Now, again, I don't care about WatchGuard, Sonic, Netscreen, etc.... Show us where the third-party firmware and the 54g combination have been tested and certified by any reputable authority as being a firewall.

Reply to
Leythos

Just like all of the Watchguard boxes that have been recommended...

Reply to
Floyd L. Davidson

Nope, not like them at all - all of the WG units have passed at least level 3 and many level 4 testing, the ones that are shown on WG's site are currently in process for certification under the new standard.

Stop trying to divert from the issue of the 54g not being tested/certified, you're starting to look like a school-age kid and a troll.

Again, you divert from the answer by avoiding answering the question: Where has the 54g combined with the third-party firmware been tested by a reputable company and the results published?

Reply to
Leythos

Ok, I don't know of any links that "certifies it as an approved firewall appliance" by a "reputable company that has tested the third-party firewall firmware for the 54g".

Now, let's move on to something that is actually relevant, like why you claimed it would only be a firewall if it could tell real HTTP traffic from bogus traffic on port 80. Inquiring minds want to know.

Just what are your minimum basic requirements for a firewall? They seem to be rather vague at best and ever-changing. A common theme seems to suggest that if it doesn't stack up to a Watchguard it isn't a real firewall.

Oh yeah, how's that line-by-line code audit on your Watchguard going?

Reply to
Micheal Robert Zium

Stick it FF when I post to you, you'll know it. ;-)

Duane :)

Reply to
Duane Arnold
