[TriLUG] Firewalls
Jason Tower
jason at cerient.net
Mon Jul 10 18:04:20 EDT 2006
i had the unfortunate displeasure to deal with a late-model sonicwall.
what an incredible piece of shit. the web interface was slow beyond slow,
it would have to speed up in order to stop. hugely unintuitive, cumbersome,
i could never be sure if the rules i was setting up were even going to work.
a task that would have taken me half an hour with openbsd/pf instead took
nearly five hours.
"fourth generation" is pure marketing bull. if you want a firewall, build a
good firewall - there are lots of options. if you want content filtering,
install a proxy server. if you want antivirus/antispam, do it on your mail
server (or a gateway). putting all of your eggs in sonicwall's basket is
most certainly not how i'd set things up.
but that's all irrelevant. if your boss or decision maker is going to be
impressed by a slick-talking salesman (or even a techie who couldn't build a
firewall from scratch if their life depended on it) over the recommendation
of his own sysadmin, then you're probably screwed no matter what i or anyone
else on this list is likely to say.
nevertheless, best of luck, and let us know how it turns out.
jason
Lee Fickenscher wrote:
> I just received an "audit" report that I'm supposed to discuss at a
> meeting tomorrow. Part of that report covers my firewall. The current
> firewall is OpenBSD 3.5 (yes, a bit out of date). My question regards
> the wording of the report. It talks about "generations" of firewalls
> (first gen, second gen...). I've never heard of the term generations
> used to discuss firewalls. Has anyone heard of this term used with
> firewalls?
>
> While the auditor might have been generally competent, and certainly was
> more knowledgeable about Windows than I am, I don't feel that he is
> really up on security. He recommends replacing my box with a Sonicwall
> unit, which, if I understand correctly, is just a dedicated Linux box.
> I don't see how that gains me much more than a pretty interface. His
> company is most likely a Sonicwall reseller, but I don't think he is
> even aware what the Sonicwall runs under the covers.
>
> Pertinent text follows verbatim:
>
> "Your current Firewall is a PC running a version of OpenBSD (Unix).
> This solution is a Firewall but it has only the most basic Firewall
> capabilities of NAT and port blocking. This type of Firewall was
> current technology found several years ago in first generation
> Firewalls. Current Firewall technology is its Fourth generation and
> includes such features as Antivirus, Anti-Spyware, Content Filtering,
> and Intrusion Prevention. The idea is that the more stuff you block at
> the perimeter the better your whole network will perform. The Sonicwall
> solution we are proposing also has the ability to do both software and
> hardware VPN if at a future date you wish to implement secure Internet
> connections from remote sites."
>
> Any input is appreciated (preferably constructive) particularly from
> any of the security experts out there.
>
> Thanks,
> Lee
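As an added illustration (not from the thread, and not Lee's actual ruleset), here is a minimal OpenBSD 3.x-era pf.conf that does the "NAT and port blocking" the audit dismisses, arranged the way Jason suggests: packet filtering on the firewall, content filtering on a separate proxy, antivirus/antispam on a separate mail gateway. It uses the nat/rdr syntax of that release line (before the 4.7 rewrite); interface names, addresses, the proxy host and the mail gateway host are assumed placeholders.

```pf
# Added example, not from the thread. Interfaces, addresses and hosts are
# assumed placeholders; adjust to the real network before use.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"
proxy   = "192.168.1.10"   # assumed squid host doing content filtering
mailgw  = "192.168.1.20"   # assumed mail gateway doing AV/antispam

# Reassemble fragments and normalise TCP before any rule sees the packet
scrub in all

# NAT: hide the LAN behind the external interface's address
nat on $ext_if from $lan_net to any -> ($ext_if)

# Translation rules are first-match: exempt the proxy before redirecting
# everyone else's outbound web traffic to it (transparent proxying)
no rdr on $int_if proto tcp from $proxy to any port www
rdr on $int_if proto tcp from $lan_net to any port www -> $proxy port 3128

# Inbound mail goes to the gateway, which scans it; the firewall does not
rdr on $ext_if proto tcp from any to ($ext_if) port smtp -> $mailgw port smtp

# Default deny in both directions; log what is dropped on the way in
block in log all
block out all
pass quick on lo0 all

# Drop packets on the outside claiming to come from inside, and vice versa
antispoof quick for $int_if
antispoof quick for lo0

# Port blocking: only ssh to the firewall and smtp to the mail gateway
# are reachable from the Internet, and only on a proper SYN
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass in on $ext_if proto tcp from any to $mailgw port smtp flags S/SA keep state

# LAN hosts may initiate outbound connections (web traffic has already
# been redirected to the proxy by the rdr rule above)
pass in  on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state
pass out on $ext_if proto { tcp, udp, icmp } from any to any keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; the `log` keyword on the inbound block rule makes dropped traffic visible on pflog0 for later review.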