firewall survey

Pete Nesbitt pete at linux1.ca
Fri Nov 26 03:20:09 UTC 2004


Hi,
see inserted replies....

On November 25, 2004 01:00 pm, Dana Holland wrote:
> Although this isn't entirely on topic for this list, I thought this
> would be an excellent group to ask...
>
> As our college prepares for reaccreditation, we're starting to evaluate
> some of our internal processes.  I'm trying to compare what we do with
> others when it comes to technology, so I've designed a little survey
> dedicated to just one decision-making process you might have to go
> through.  If you have time to answer these questions, it would be very
> much appreciated.
>
> 1.  Does your institution/organization use a firewall at the enterprise
> level (institution-wide)?

a) At work we use an ACL on a Cisco router, with firewalls on local servers.
b) At home (just as serious/important) I use a dedicated Linux box for a fw.

>
> 2.  Do you use a commercial product or a self-built product?

The fw's used on servers at work are all iptables (more correctly Netfilter & 
iptables) for Linux, and for Solaris we use ...can't remember the name but it 
is similar OSS (non-commercial). I use home-grown scripts to manage iptables. 

Same for home (but pure Linux :-)

>
> 3.  Is your firewall considered to be a hardware appliance or a software
> solution?

a) At work, of course, the Cisco routers are hardware (running software :)
   -the iptables on a server (or workstation) is a software solution.

b) My home firewall is a software solution (iptables on Linux). Although, as 
it is a dedicated headless box with little other functionality, it could be 
considered an appliance. 

>
> 4.  Related to question 3, do you feel that one is better than the
> other?  Why or why not?

There may be speed advantages to hardware solutions that are based on an ASIC 
(application-specific integrated circuit) as they have little overhead. 
However, using a barebones Linux box you can get very good performance, and 
any loss is easily offset by the granularity and flexibility of a software 
solution. Also, from a security aspect, sometimes vendors of proprietary 
solutions are not as forthcoming as they could be when it comes to reporting 
vulnerabilities.

>
> 5.  What factors are involved in your decision to choose a firewall?

Most important is reliability and ability to maintain it. Not necessarily ease 
of maintenance but understanding the underlying process so you can 
troubleshoot and react to (planned or imposed) changes.

>
> 6.  Do you have a formal management process for evaluating a firewall?
> If so, would you be willing to share it?

We don't have a formal process. 

Typically, it is the configuration that you are concerned with (plus stable & 
fast), so any scans or penetration testing would really be checking the rules 
(not the fw per se) unless there is an unpatched vulnerability in the fw.

>
> 7.  Obviously, cost and personnel experience are major factors when
> choosing a firewall?  Are there other factors that are just as important?

Experience and a solid understanding of how to write, maintain and review 
firewall rules is extremely important. You must be able to say for sure if 
the fw is blocking a broken service, as that is the usual first suspect. You 
need to know with certainty because you can't be stopping the firewall just 
to prove it isn't the problem. (FYI, I find tcpwrappers is often overlooked 
when sorting out connectivity of a new service.)

I think cost should be a consideration in respect to the ability to buy a 
firewall (or train/outsource); however, remember what you're looking for: 
protection, not savings! I prefer iptables, despite the free price tag, 
simply because it is simple to add/remove/alter rules as needed, is well 
maintained, and has plenty of community support. I do not encourage the use 
of the front-ends that restrict the granularity or creation of custom rules, 
hinder the learning of the iptables process for new users, or create 
their own non-standard config files. If a front-end exists that simply 
creates/inserts an iptables command-line entry, that would be a good tool. 
One of the best things about iptables is you can create and run your own 
script with lots of comments and custom rules, include keywords for grepping 
log entries, and react to emergencies very quickly.

Given that the cost is OK and that you have ample experience on staff, then 
the single most important aspect would probably be flexibility, meaning the 
ability to create custom rules in very little time, with minimal impact on 
the network. Actually, although that is a single factor, it is determined by 
both the firewall and the admin's experience.

I worked one place and they had to reboot the firewall box in order to 
implement new rules. That may have been either the fw, the OS or the admin 
that caused this requirement, but I think either way it was unacceptable.

You may also be looking for more than a fw, and may be concerned with 
email/spam filtering, vpn connections, etc.

>
> Thanks in advance for your help.
> --
> ************************************************************
> Dana Holland    dana.holland at navarrocollege.edu 903-875-7355
> Navarro College    Corsicana, TX
> http://www.navarrocollege.edu/staff_pages/dana/dana.html
> ************************************************************
> All opinions stated are my own, and probably don't even
> vaguely resemble those of Navarro College.  :)


Hope that helps.
-- 
Pete Nesbitt, rhce
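The reply above describes a style of working rather than showing it: an iptables script full of comments, fixed keywords in the log entries so they can be grepped, a way to react to an emergency in seconds, rule changes that never need a reboot, and the ability to say with certainty whether the firewall is what is breaking a new service. The script below is an added example that illustrates that style; it is not Pete's script and not from the original thread. The interface (eth0), the management network (192.0.2.0/24), the open ports (22, 80), the chain name EMERGENCY, the FW-* log keywords and the sample kernel log lines are all assumed or constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Sketches the kind of
# commented iptables script the reply describes: fixed --log-prefix keywords
# for grepping, an empty chain checked first so emergency blocks need no
# reload, and an atomic, test-first reload so rule changes never need a
# reboot. Interface, networks and ports are assumed values for illustration.

IPT=${IPT:-iptables}                 # set IPT=echo to dry-run the commands
WAN_IF=${WAN_IF:-eth0}               # assumed upstream interface
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24} # assumed management network (TEST-NET-1)

# Emit the whole ruleset in iptables-restore format. iptables-restore ignores
# '#' lines, so the script can carry as many comments as you like. Every DROP
# is preceded by a LOG rule with its own keyword (FW-DROP-IN, FW-INVALID).
build_rules() {
cat <<EOF
# Default policies: drop inbound and forwarded traffic, allow outbound.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:EMERGENCY - [0:0]
# EMERGENCY is consulted first and is normally empty; see emergency_block.
-A INPUT -j EMERGENCY
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "FW-INVALID: "
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the management network; HTTP from anywhere.
-A INPUT -i $WAN_IF -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Catch-all: log with a grep-able keyword, then drop.
-A INPUT -j LOG --log-prefix "FW-DROP-IN: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# Validate the ruleset without touching the kernel, then load it in one
# atomic step. A rejected ruleset leaves the running rules untouched.
apply_rules() {
    build_rules | "${IPT}-restore" --test || {
        echo "ruleset rejected, running rules unchanged" >&2
        return 1
    }
    build_rules | "${IPT}-restore"
}

# React to an emergency: block one source right now, logged under its own
# keyword, by inserting into the EMERGENCY chain. No reload, no reboot.
emergency_block() {
    "$IPT" -I EMERGENCY 1 -s "$1" -j LOG --log-prefix "FW-EMERG: "
    "$IPT" -I EMERGENCY 2 -s "$1" -j DROP
}

# Does the ruleset contain an ACCEPT for this TCP destination port?
allows_tcp_port() {
    build_rules | grep -- "-p tcp --dport $1 " | grep -q -- "-j ACCEPT"
}

# Count kernel log lines carrying one keyword, optionally for one destination
# port. Reads the log on stdin (e.g. grep kernel /var/log/messages | ...).
fw_log_hits() {
    if [ -n "${2:-}" ]; then
        grep -- "$1" | grep -c -- "DPT=$2 " || true
    else
        grep -c -- "$1" || true
    fi
}

# Constructed sample kernel log lines (abbreviated), not a real capture.
SAMPLE_LOG='Nov 26 03:20:09 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40512 DPT=3306 SYN
Nov 26 03:20:10 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40513 DPT=3306 SYN
Nov 26 03:20:11 fw kernel: FW-INVALID: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=5555 DPT=80 ACK
Nov 26 03:20:12 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40514 DPT=22 SYN'

# "Is the firewall blocking the new service on this port?": no ACCEPT for the
# port in the rules plus FW-DROP-IN hits on it in the log (read from stdin)
# answers yes with certainty, without stopping the firewall to find out.
is_fw_blocking_tcp() {
    if allows_tcp_port "$1"; then
        return 1
    fi
    hits=$(fw_log_hits FW-DROP-IN "$1")
    [ "$hits" -gt 0 ]
}

# Demo when run with FW_DEMO=1: print the ruleset and the sample-log verdict.
if [ "${FW_DEMO:-}" = 1 ]; then
    build_rules
    printf '%s\n' "$SAMPLE_LOG" | is_fw_blocking_tcp 3306 \
        && echo "tcp/3306: the firewall is dropping it"
fi
```

Run with FW_DEMO=1 to print the generated ruleset and the verdict for the sample log; apply_rules and emergency_block need root and a real iptables, and IPT=echo shows what they would execute. The script covers only Netfilter; tcp_wrappers (hosts.allow/hosts.deny) is a separate layer that, as the reply notes, deserves its own check when a new service will not connect.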



