Wrt54G is a FW appliance?

So, if it's not been tested by some independent authority that has a reputation for providing accurate testing of firewalls and then publishing the reports, what was all of your crap about? If it's not been proven to be a secure firewall device then why are you telling people to use it? Sure calls your recommendations into question.

What's wrong with a firewall that knows the difference between HTTP and FTP over port 80? What's wrong with a device that knows more than just filtering by port number?

I'm not sure why you keep coming back to WG, I also mentioned PIX, Sonic, Netscreen, and others from time to time.

Since the WG units have already passed a certification process I don't feel any need to read their code, only test them against attacks and exploits in the shop before I push them out to others - and that goes for any firewall appliance.

So, you going to keep recommending an unproved solution that's based on a hack of a NAT Router?

Reply to
Leythos

Real firewalls need to do more than just port and address blocking. They actually look at the traffic. They watch the TCP handshake, etc. They look INTO the packets - bogus sequence numbers are dropped, etc.

Better ones actually are layer 7 aware - they look at what is going on at the app layer. Some have "snort like" intrusion detection functionality. Some have anti-virus and anti spyware capability.

Reply to
I am a Sock Puppet
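
The difference between port filtering and watching the TCP handshake and sequence numbers, as an added example that is not part of any poster's message. The class and function names, the documentation-range addresses and the fixed 65535-byte window are assumptions made for the illustration; real connection trackers learn the window per flow.

```python
from collections import namedtuple

SYN, ACK = 0x02, 0x10
WINDOW = 65535  # assumed fixed receive window
# Constructed stand-in for a TCP segment, not captured traffic.
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack length", defaults=(0, 0))

def port_filter_inbound(p, reply_ports=frozenset({80})):
    """Stateless rule: let in anything that claims to come from port 80."""
    return p.sport in reply_ports

class StatefulFilter:
    def __init__(self):
        self.conns = {}  # (inside ip, port, outside ip, port) -> state

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == SYN and key not in self.conns:
            self.conns[key] = {"client_next": p.seq + 1, "server_next": None}
        return True  # assumed policy: inside hosts may open connections

    def inbound(self, p):
        c = self.conns.get((p.dst, p.dport, p.src, p.sport))
        if c is None:
            return False  # no inside host opened this connection
        if c["server_next"] is None:  # still waiting for the SYN-ACK
            if p.flags != (SYN | ACK) or p.ack != c["client_next"]:
                return False  # handshake reply does not match our SYN
            c["server_next"] = (p.seq + 1) % 2**32
            return True
        offset = (p.seq - c["server_next"]) % 2**32
        if offset >= WINDOW:
            return False  # sequence number outside the expected window
        if offset == 0:  # in-order segment: advance the expected sequence
            c["server_next"] = (p.seq + p.length) % 2**32
        return True

def demo():
    """Constructed exchange: inside client 192.168.1.10 fetches from 203.0.113.5:80."""
    fw, c, s = StatefulFilter(), ("192.168.1.10", 40000), ("203.0.113.5", 80)
    fw.outbound(Pkt(*c, *s, SYN, 1000))
    pkts = {
        "syn-ack": Pkt(*s, *c, SYN | ACK, 5000, ack=1001),
        "data": Pkt(*s, *c, ACK, 5001, ack=1001, length=100),
        "bogus seq": Pkt(*s, *c, ACK, 90_000_000, ack=1001, length=100),
        "unsolicited": Pkt("198.51.100.7", 80, *c, ACK, 1),
    }
    # Each value is (stateless verdict, stateful verdict) for one inbound packet.
    return {name: (port_filter_inbound(p), fw.inbound(p)) for name, p in pkts.items()}
```

The stateless rule admits all four inbound packets because each has source port 80; the stateful filter admits only the two that fit the tracked connection.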

He won't like that definition or example - he's stuck on trying to say that the 54g and third-party firmware is a good firewall, but he can't point to any reputable company that's done a review of it to show that it is an accepted/approved/certified combination.

Reply to
Leythos

Nothing. Why do you think it has to do that in order to be a firewall?

You keep avoiding the question. Why?

So you know for a fact, not a single line of code has changed since they were last certified? Wow, that's amazing, since the code isn't even available.

Earth to Leythos, are you still with us? Hello? I never recommended the WRT54G. False accusations make you look like an idiot.

Reply to
Micheal Robert Zium

I agree, SPI is a good thing.

Yes, proxy and IDS capabilities are also a good thing. However, firewalls that lack those features are still firewalls. Some people just don't understand that though.

Reply to
Micheal Robert Zium

You're too stupid to know what a firewall is, so I don't expect you to remember that I never said any such thing. Lying and false accusations make you look more stupid than ever, if possible.

Reply to
Micheal Robert Zium

If all it's doing is routing port traffic without inspecting it, why would you want to use it?

I've not avoided any question - I'm still waiting for someone to post a link to a reputable vendor that's provided firewall testing for the 54g + third-party firmware combination that will state it's passed accepted standards testing as a firewall, and everyone avoids that request.

No more than anyone else does, but, the critical difference is that I know for a fact that the hardware/firmware combination passed certification and that we've not had any users/networks compromised with certified devices. I don't see where the 54g and its third-party solution ever passed any certification testing, so I don't have any faith in it. Now, re-read this, so you can see the difference: One passed certification, one has no certification (or anything else), that's the difference.

Based on your post I just assumed you were one of the morons posting about it again - so I lumped you in with them. My mistake, sorry.

Reply to
Leythos

You didn't answer the question...again.

Yes you have, and you still are. Why? So far you've said it has to be able to inspect and act on the application layer, then you decided it must pass some kind of certification, then you decided it must pass a line-by-line code audit. Any other mysterious requirements you want to throw in?

Reply to
Micheal Robert Zium

You should just let it go. It's too ridiculous. ;-)

Duane :)

Reply to
Duane Arnold

I have been reading the posts here and to tell the truth you are the stupid one. Leythos is well respected in this newsgroup and he knows what he is talking about and has helped a lot of people including myself. Before you give a negative response to this post I want to see a link posted so we can see the results of the third party firmware testing of the Wrt54G being a true firewall. If you don't post the link or say anything about it then we all know who is the stupid one now, won't we. Another thing, don't bash good people who know what they are talking about.

Reply to
Gary

Dude, I didn't say it must pass a line-by-line audit, I said if it was not certified or other by an approved/reputable company/organization, that we would have to review the code. I didn't even come close to suggesting that we needed to review the code if it had passed certification or other.

Keep playing the game, I'm not.

Reply to
Leythos

Au contraire, skewering a fallacious position is not trolling.

Attempting to conflate anything about the efficacy of watchguard products from a handful of those which are 'certified' is indeed fallacious.

What 'it' are you referring to?

You have been informed of ICSA certified solutions which are based on Netfilter.

You have been informed that Sun ship and support IPFilter on Solaris.

You have been informed that the OpenBSD Packet Filter is part and parcel of what is freely accepted de-facto and de-jure as the world's most secure general purpose unix like OS.

greg

Reply to
Greg Hennessy

Keep trying to infer that the third-party solution based on the 54g hardware is anything other than a test/toy/project until it's been certified and you show how nothing towards its being proven as a firewall product.

Keep avoiding the truth, keep avoiding facts, 'show me the money' as in a link to some reputable organization that identifies the 54g + third-party firmware as a fully qualified firewall, the testing methods, the results, and then you don't have to keep waving your arms and trying to prove something without any proof.

You need to separate what are good products from fact - the fact is that you don't have a leg to stand on, you only have "speculation".

Reply to
Leythos

I haven't mentioned the wrt54g anywhere in the article quoted.

Do keep up at the back dear boy.

I'll remind the poster that I am not the one asserting that some form of 'certification' is required before anything can be considered as a firewall.

That is projection on your part.

The facts have been stated repeatedly.

They don't suit you or your propensity to flog Watchguard products.

I'll also remind the poster that his argument has changed repeatedly throughout this thread.

1st it was 'certification'

2nd was 'reputable' companies

3rd was demands to audit the source code.

Attempting to divert the discussion will not change the facts.

You're the one who shot yourself in the foot with this line.

"As it is now, unless we inspect the code, line by line, and then run a battery of tests against the inside and outside interfaces, we don't know if it's a firewall."

You are the one who has 1st claimed that certification is somehow 'required'.

You are the one who has repeatedly ignored the fact that the ICSA have certified firewalling solutions based on netfilter.

You are the one who has repeatedly ignored the fact that Sun ship and support IPFilter with Solaris.

You are the one who is trying to claim that the OpenBSD packet filter somehow is not a firewall.

You are the one who cannot address a single point in

formatting link

Attempting to split hairs will not change the google record.

As with the rest of the wibble you've posted of late, that sentence doesn't make sense.

Now do yourself a favour and retire while you have a modicum of grace left.

greg

Reply to
Greg Hennessy

But, and you can't deny this, you keep butting in about BSD and IPFilter in a thread about the 54g where the group is talking about the merits of the 54g and some third-party firmware as being a quality firewall device.

Also in this thread, there has been nothing to prove that the third-party firmware is a reliable firewall system when combined with the 54g - which is what this thread is about.

If you've missed it, the thread is about the 54g and it being a firewall and includes talk about third-party firmware of the 54g - are you starting to see it now?

I'll remind everyone that until it's been proven to be a firewall by some independent authority on the matter as accepted by the community, that it's not a firewall either. It's a project or a kludge or a test or some other measure, but it's not certified so we don't know if it even passes simple filtering testing.

No, they have not - there are no facts about the 54g and the third-party firmware that conclusively indicate that it's a certified firewall. Without some form of certification and without some independent testing and reporting by a reputable company, it's just a project.

1 and 2 are part of the same, but I don't expect someone like you to understand that.

I didn't ask that it be audited, again you show that you don't know what you're talking about.

What facts? You've not provided any facts that indicate that the combination of the 54g and the third-party firmware is an acceptable firewall solution - no certifications, no independent review with testing methods/results, nada.

In case you forget, this thread is about the 54g and the firmware and if it's a firewall appliance.

Yep, sure did. I said that. I stand by it - without any certification to state it's a firewall, without any independent testing by a reputable company, without any proof that the combination is a true/quality firewall, the only thing we have left is to do the evaluation on our own.

Certification and/or independent review with posted testing/results. Why would anyone want less?

And none of those certifications apply to the 54g and third-party firmware combination that this thread is about. NOTHING in the certification you mention has anything to do with the 54g and third-party firmware.

And they don't have any statement on their site standing behind the 54g and the third-party firmware as being a reliable/proven firewall combination. They don't mention it anywhere (and I searched), so, got any more diversionary tales?

I've never claimed that BSD and IPFilter is not a firewall, I've said that unless the installation is certified/tested, that there is no way of knowing if it was setup properly as a firewall, if it's acting as a firewall, as a matter of fact, there is no way of knowing what it's doing. Just because one loads BSD on a box, then installs IPFilter, it doesn't make it a firewall.

formatting link
You post a reply about my questioning the 54g and its third-party firmware, a combination that's not been certified/tested by any reputable company with published test conditions/results and about someone that says "it's running the same net filter code as....". And you also question my statement about if it's not certified/reviewed then we would need to review the code to determine what it's actually doing... What the heck are you missing in that paranoid brain of yours? Just because it's running some code that someone thinks is the "exact same" as some other device in some other appliance, etc.. doesn't mean a hill of beans.

What a doofus you are - I have only stated that without certification and/or testing by a reputable company, that there is no means (short of self testing) to know if the device/firmware combination is a firewall.

Neither will your complete lack of understanding in the subject area of Firewalls or security.

I don't expect logic to make any sense to you - you can't seem to understand that just because someone calls an appliance running some software a firewall, that it's not necessarily a firewall, it could be a microwave oven.

If you go back and look at your post, it's clear to me that you don't have even the slightest grasp on this thread or what it's about. That you don't understand what a firewall is, that you don't understand testing or certification methods, and that you can't separate a test/project from the real thing.

If you come down off your pony and listen for a second you might understand something - you can call the combination anything you want, but until it's been tested and proven by some independent and reputable company, it's just someone's idea of what a firewall should be, nothing more.

Reply to
Leythos

This thread *started* on that subject, but has long since drifted to be primarily a discussion of your biases and the foolish statements you make attempting to support them. It has very little technical value, but is certainly good for grins and giggles.

And of course the only acceptably "independent authority" is the one that certifies your choice of biases, and everything else is all of that derogatory verbosity. Tsch tsch... just, it ain't true!

Like a lot of things you say, that isn't true.

If looking at it line by line isn't auditing the source code, what do you want to call it?

...

...

Quoted right there, followed by admission that you said it and meant it. You can't even get it straight within one article, never mind between articles as the thread moves on.

It reflects on many statements you've made about just what is a "real" firewall, and what is not. You've claimed that many of the *best* firewalls are not "real firewalls".

But we clearly do know that the very same software, when certification is *paid* *for*, passes.

You have done that on many occasions, including in this very article. But you don't seem to understand the significance of your statements.

Hilarious. OpenBSD is widely accepted, whether it is certified or not, as *the* most secure system available.

Personally, I think certification by a reputable company is indeed useful. It is also not the most reliable measure, nor anything like the best or the only measure. It is *not* an absolute requirement.

I rather believe that the Open Source paradigm is in itself the best selector of reliable safe software. The reputation of IPtables and IPFilter (Linux and OpenBSD) in the world of Open Software is probably the highest possible recommendation possible for a firewall.

It means a *lot* more than Watchguard paying a subscription to ICSA to get a product certified.

Clearly people who disagree with you are not totally lacking in that subject area. Moreover they seem to have a significantly better *perspective* on computing and security as a whole, which is why they don't have to rely on "certification" as a go/no-go indicator the way you do.

Obviously a bit of projection. He did understand, you didn't... as you very handily showed in this article.

Broad, sweeping, statements... which are clearly untrue, do not make your case no matter how often or boldly you make them. All that does is make it *clear* that you cannot keep these topics in perspective, and run away with ego protection mechanisms every time someone disagrees with you.

Reply to
Floyd L. Davidson

Quelle surprise, yet again, our friend is trying to divert the discussion away from the fact that *you* have made a complete ass of yourself by claiming that industry standard packet filtering software which isn't ICSA certified cannot be a firewall.

[fallacious irrelevance binned unread]
Reply to
Greg Hennessy

You should just let it go. Floyd Firewall carries no weight and is bordering on being some kind of a lunatic/troll and he will start going off the deep-end on you if you engage him too much.

Duane :)

Reply to
Duane Arnold

Out of your entire post, this is the only part that is really worth responding to. While a properly setup BSD box with IPFilter qualifies as a firewall, there is no way to know if the solution passes as a firewall solution without testing it. If a specific configuration is certified or tested against, then the testing method and results posted, we as users can be certain that the specific solution passes the specific tests that may or may not apply to us.

Open source, while a great idea, does not indicate any reliability or measure of quality or even any sense of security - it seems that you've failed to see all of the updates for Linux and its variants, for the open source mail servers and other services....

Having a solution based on Open Source development is no more a recommendation than is one from Apple or Microsoft - until it's been proven it's just a test/project/toy.

Reply to
Leythos

If you had ever seen me before this, you would know that I post using XNA almost all of the time. In fact until I loaded this station it was the default for all of my Usenet clients.

If you really think that XNA hides my posts you have a lot to learn.

Reply to
Leythos
