[Dshield] firewall help request

Don Peasley dPeasley at epix.net
Fri Oct 3 20:57:20 GMT 2003

Patching, logging, and rules can all be configured to use scripts, 
rsync, etc. so that one master can update the rest of the systems without 
additional overhead.  Centralized management is just a matter of initial 
configuration and design, just as with Cisco, Checkpoint, or any other 
appliance.  It's been a while since I looked, but doesn't Checkpoint run 
on top of a modified Unix or Windows kernel which also requires updates?

Roman Fomichev wrote:

> Cyberguard has per-appliance licensing. It costs a lot, but security 
> always costs...
> What scalability are you talking about? I don't think you can 
> manage some dozens of Linux boxes as easily as Cyberguards (or Ciscos, 
> or Checkpoints, or SonicWalls, or...) managed through centralized management.
> Ok, I wasn't right about iptables capabilities (sorry, I'm not working 
> with Linux so much these days).
> If we are talking about a small number of boxes - yes, Linux means more 
> scalability, more features, more possibilities.
> But in the case of running more than N boxes (N<10), Linux firewalls' TCO 
> will hardly be cheaper: you need to patch every box separately, to 
> modify rules separately. So in big networks you get more overhead, a 
> more complex network to understand, and so more probability of having 
> holes in security.
> On Fri, 3 Oct 2003 10:42:05 -0400, Mark Tombaugh 
> <mtombaugh at alliedcc.com> wrote:
>> On Friday 03 October 2003 01:34 am, Roman Fomichev wrote:
>>> As I understand, John, you can't do anything other than packet filtering on
>>> Linux. No stateful firewall, no proxying technologies....
>>> Linux with iptables is good for very low-cost solutions or for a home
>>> solution, where two skilled people using the Opera browser surf the net.
>>> But if you are talking about a normal security budget, you need to 
>>> have a solution that can protect your users running IE.
>>> Cyberguard with proxying technologies or equivalent solutions from 
>>> other vendors
>> This is absolute FUD. Iptables is used extremely effectively on very 
>> large corporate, governmental, and educational networks, in order to provide
>> scalable, stateful packet filtering within tight budgets, which is 
>> why it is also found on small home LANs.
>> Before you make any more rifrikindiculous comments like this, educate 
>> yourself:
>> <http://www.netfilter.org/documentation/>
>> <http://www.linuxsecurity.com/feature_stories/feature_story-148.html>
>> <http://www.securityfocus.com/infocus/1531>
>> Budget? What's a Cyberguard cost these days? Is it per-seat licensed 
>> like Cisco is?
>> Less FUD, more facts please.
>> (Sorry for the redundant post, I couldn't help myself)
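As an added illustration of the scripted, rsync-based central management Don describes above, and of the stateful filtering Mark points to, here is an example script that is not from this thread or any of its posters; the host names, the ruleset path and the availability of `iptables-restore --test` on the target boxes are assumptions.

```shell
#!/bin/sh
# Added example: one master box keeps a single stateful iptables ruleset
# and pushes it to several Linux firewalls with rsync + ssh.
# Host names, paths and the --test option are assumptions for illustration.
FW_HOSTS="fw1.example.net fw2.example.net"   # assumed firewall hosts
RULES_FILE="/etc/firewall/rules.v4"          # assumed path on each box

# Emit the master ruleset in iptables-save format: default-deny inbound,
# accept only replies to connections the kernel already tracks, log drops.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -j LOG --log-prefix "FW-DROP: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity-check a ruleset file before it goes anywhere: it must COMMIT and
# must still contain connection-tracking (stateful) rules. Returns 0 if ok.
validate_ruleset() {
    grep -q '^COMMIT$' "$1" && grep -q -- '--state' "$1"
}

# Number of stateful rules in a ruleset file (for reporting and checks).
count_stateful() {
    grep -c -- '--state' "$1"
}

# Copy the ruleset to one host, dry-run it with iptables-restore --test,
# and only then load it; iptables-restore swaps the whole table atomically.
push_ruleset() {
    rsync -a "$2" "root@$1:$RULES_FILE" || return 1
    ssh "root@$1" "iptables-restore --test '$RULES_FILE' && iptables-restore '$RULES_FILE'"
}

push_all() {
    tmp=$(mktemp) && gen_ruleset > "$tmp" && validate_ruleset "$tmp" || return 1
    for h in $FW_HOSTS; do push_ruleset "$h" "$tmp" || echo "FAILED: $h" >&2; done
    rm -f "$tmp"
}

# Only push when invoked as: sh fwpush.sh push
if [ "${1:-}" = "push" ]; then push_all; fi
```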
