Hi, see inserted replies....

On November 25, 2004 01:00 pm, Dana Holland wrote:
> Although this isn't entirely on topic for this list, I thought this
> would be an excellent group to ask...
>
> As our college prepares for reaccreditation, we're starting to evaluate
> some of our internal processes. I'm trying to compare what we do with
> others when it comes to technology, so I've designed a little survey
> dedicated to just one decision-making process you might have to go
> through. If you have time to answer these questions, it would be very
> much appreciated.
>
> 1. Does your institution/organization use a firewall at the enterprise
> level (institution-wide)?

a) At work we use an ACL on a Cisco router with firewalls on local servers.
b) At home (just as serious/important) I use a dedicated Linux box for a fw.

> 2. Do you use a commercial product or a self-built product?

The fw's used on servers at work are all IPtables (more correctly Netfilter & IPtables) for Linux, and for Solaris we use ...can't remember the name but it is similar OSS (non-commercial). I use home-grown scripts to manage IPtables. Same for home (but pure Linux :-)

> 3. Is your firewall considered to be a hardware appliance or a software
> solution?

a) At work, of course the Cisco routers are hardware (running software :) - the IPtables on a server (or workstation) is a software solution.
b) My home firewall is a software solution (IPtables on Linux). Although, as it is a dedicated headless box with little other functionality, it could be considered an appliance.

> 4. Related to question 3, do you feel that one is better than the
> other? Why or why not?

There may be speed advantages to hardware solutions that are based on an ASIC (application specific integrated circuit) as they have little overhead. However, using a barebones Linux box you can get very good performance, and any loss is easily offset by the granularity and flexibility of a software solution.

Also, from a security aspect, sometimes vendors of proprietary solutions are not as forthcoming as they could be when it comes to reporting vulnerabilities.

> 5. What factors are involved in your decision to choose a firewall?

Most important is reliability and the ability to maintain it. Not necessarily ease of maintenance, but understanding the underlying process so you can troubleshoot and react to (planned or imposed) changes.

> 6. Do you have a formal management process for evaluating a firewall?
> If so, would you be willing to share it?

We don't have a formal process. Typically, it is the configuration that you are concerned with (plus stable & fast), so any scans or penetration testing would really be checking the rules (not the FW per se) unless there is an unpatched vulnerability in the fw.

> 7. Obviously, cost and personnel experience are major factors when
> choosing a firewall? Are there other factors that are just as important?

Experience and a solid understanding of how to write, maintain and review firewall rules is extremely important. You must be able to say for sure if the fw is blocking a broken service, as that is the usual first suspect. You need to know with certainty because you can't be stopping the firewall just to prove it isn't the problem. (FYI, I find tcpwrappers is often overlooked when sorting out connectivity of a new service.)

I think cost should be a consideration in respect to the ability to buy a firewall (or train/outsource); however, remember what you're looking for: protection, not savings!

I prefer IPtables, despite the free price tag, simply because it is simple to add/remove/alter rules as needed, is well maintained, and has plenty of community support. I do not encourage the use of the front-ends that restrict the granularity or creation of custom rules, hinder learning of the process of IPtables for new users, or that create their own non-standard config files. If a front-end exists that simply creates/inserts an iptables command line entry, that would be a good tool.

One of the best things about IPtables is you can create and run your own script with lots of comments and custom rules, include keywords for grepping log entries, and react to emergencies very quickly.

Given that the cost is ok and that you have ample experience on staff, then the single most important aspect would probably be flexibility. Meaning the ability to create custom rules in very little time, with minimal impact on the network. Actually, although that is a single factor, it is determined by both the firewall and the admin's experience. I worked one place and they had to reboot the firewall box in order to implement new rules. That may have been either the fw, the OS or the admin that caused this requirement, but I think either way it was unacceptable.

You may also be looking for more than a fw, and may be concerned with email/spam filtering, VPN connections, etc.

> Thanks in advance for your help.
> --
> ************************************************************
> Dana Holland dana.holland@xxxxxxxxxxxxxxxxxx 903-875-7355
> Navarro College Corsicana, TX
> http://www.navarrocollege.edu/staff_pages/dana/dana.html
> ************************************************************
> All opinions stated are my own, and probably don't even
> vaguely resemble those of Navarro College. :)

Hope that helps.
--
Pete Nesbitt, rhce

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
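The kind of hand-written iptables script the reply above describes (commented rules, a keyword in each LOG prefix so blocked traffic can be grepped out of syslog, and a way to review a rule change before it touches the live box), as an added example; it is not code from Pete's post or from the list. The interface name, networks, admin host and the sample log lines are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal hand-rolled iptables
# script with greppable LOG prefixes and a dry-run switch.
# Assumed values: WAN_IF, LAN_NET and ADMIN_HOST are placeholders for this example.

IPT="${IPT:-iptables}"                     # set IPT=echo to print rules instead of loading them
WAN_IF="${WAN_IF:-eth0}"                   # assumed: interface facing the Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumed: trusted inside network
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"   # assumed: the one host allowed to ssh in
LOG_LIMIT="-m limit --limit 5/min --limit-burst 10"   # keep a flood from filling syslog

# fw_load: flush and reinstall the INPUT/FORWARD rule set. Order matters:
# loopback and established traffic first, explicit allows next, then a
# LOG rule with a keyword prefix; the DROP itself comes from the chain policy,
# since LOG is a non-terminating target.
fw_load() {
    # Known starting state: drop by default, flush old rules
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections this host started
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: our own LAN range must never arrive on the WAN side
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" $LOG_LIMIT -j LOG --log-prefix "FW-SPOOF: "
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Services offered: ssh from the admin host only, web from anywhere
    $IPT -A INPUT -p tcp -s "$ADMIN_HOST" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Everything else: log with a keyword, then fall through to the DROP policy
    $IPT -A INPUT $LOG_LIMIT -j LOG --log-prefix "FW-DROP-IN: "
}

# fw_log_summary: read kernel log lines on stdin and count hits per
# prefix keyword and source address, so "what is being blocked?" is one command:
#     grep 'FW-' /var/log/messages | fw_log_summary
fw_log_summary() {
    awk '
        /FW-[A-Z-]+: / {
            tag = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^FW-[A-Z-]+:$/) tag = $i          # our keyword, e.g. FW-DROP-IN:
                else if ($i ~ /^SRC=/) src = substr($i, 5)   # iptables LOG field SRC=a.b.c.d
            }
            if (tag != "" && src != "") count[tag " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample of what the LOG rules above write to syslog (not real traffic)
SAMPLE_LOG='Nov 25 13:00:01 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=52 PROTO=TCP SPT=44321 DPT=23 SYN
Nov 25 13:00:02 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=52 PROTO=TCP SPT=44322 DPT=135 SYN
Nov 25 13:00:05 fw kernel: FW-SPOOF: IN=eth0 OUT= SRC=192.168.1.23 DST=198.51.100.2 LEN=60 TTL=64 PROTO=UDP SPT=53 DPT=53
Nov 25 13:00:09 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=40 TTL=48 PROTO=TCP SPT=1025 DPT=22 SYN'

case "${1:-}" in
    load)    fw_load ;;                                   # sh fw.sh load     (as root)
    dryrun)  IPT=echo; fw_load ;;                         # sh fw.sh dryrun   (print the rules only)
    summary) fw_log_summary ;;                            # grep 'FW-' /var/log/messages | sh fw.sh summary
    demo)    printf '%s\n' "$SAMPLE_LOG" | fw_log_summary ;;   # summarise the constructed sample
    *) ;;
esac
```

Run `sh fw.sh dryrun` to read the exact iptables commands a change will produce before running `sh fw.sh load` as root; that is the "review the rules, not the firewall" check the reply talks about, and it is also how you answer "is the firewall blocking this service?" without stopping it: the `FW-DROP-IN:` keyword plus `SRC=`/`DPT=` in the log line tells you. The `-m limit` on each LOG rule is what keeps a scan or a flood from filling the disk with log lines.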