
Re: Bridging



On Tue, 30 Jul 1996, Meir Litmanovich wrote:

> > Hey guys! Checkpoint are porting FireWall-1 to Linux! YESH!!! :-)
> 
> As far as I know, their firewall is pretty expensive.
> And somebody told me that when their Firewall-1 license expired,
> this firewall simply began to forward all the packets, so this
> guy one cool day saw that his firm already for some months hadn't
> had any firewall :-)
> And why is it better than ipfw?
> 
>          Meir .

I could take a shot at this. I used to work for checkpoint.  The
firewall-1 software has a number of benefits you don't get with ipfw
(yet). For example, FW-1 keeps "state" on your ftp control connection and
examines your packets to see if you are requesting a data connection. If
so, the filter allows that connection through.  This eliminates the PASV
ftp sessions that are sometimes needed for firewall configurations. In
addition FW-1 has a fancy user interface with pretty little icons for
various IP services.

Under the hood, it has a filtering language comparable to other filtering
languages. The code is efficient and robust (at least on Unix boxes). 

The package is marketed by Checkpoint as well as Sun. Last time I
looked, the price was in the $10K range.

The firewalls I've built from Linux do not keep state. I am not aware of
any 'state' keeping code for Linux. I think that Linux's simpler, cleaner
design will provide a more robust firewall with greater bandwidth on
the same policy/hardware as Checkpoint.

It is difficult for me to imagine that there will be much profit for FW-1
on Linux. However, Checkpoint is trying to make a crypto implementation
that allows virtual private networks. To do that, they probably need to
convince corporations that they can do _every_ platform. I imagine that
most large companies will have Linux running somewhere in their networking
by the end of this year, if they do not already.

I recently built a Linux-based firewall for a $250 million per year
corporation in Israel. I trust it a great deal more than a proprietary
firewall. I can see the code with my own eyes and I can certify that I
found no trap doors. I used some hand-coded web scripts to build an
easy-looking user interface to allow the company guys to change the
filters. I couldn't spend the time optimizing the interface that I wanted,
but it works OK and the place seems to be free of break-ins.

--randy

                       Randy Wright randy@ramat-negev.org.il
                     System Administrator - Ramat-Negev FreeNet
                          http://www.ramat-negev.org.il/
                           07-6572671 voice-telephone
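The stateful FTP handling Randy describes (watch the control connection, notice when the client asks for a data connection, let exactly that connection through) is easy to misunderstand without seeing it next to a plain stateless rule set. The following is an added illustration written for this archive page; it is not code from the thread, from FireWall-1 or from ipfw. It models a tiny packet filter in Python: `stateless_decide` permits only the control channel, while `StatefulFtpFilter` parses the client's `PORT` command (and, going a bit beyond the post, the server's `227` passive-mode reply) and opens a one-shot pinhole for the announced data endpoint. The `Packet` class, the host addresses and the FTP exchange are constructed for the demo.

```python
import re
from dataclasses import dataclass

FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP segment (constructed for this demo)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


# Active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control channel.
# Passive mode: the server answers "227 ... (h1,h2,h3,h4,p1,p2)".
# Both carry the endpoint of the data connection that is about to be opened.
_PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.M)
_PASV_RE = re.compile(
    rb"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)", re.M)


def parse_endpoint(groups):
    """Convert the six decimal fields of PORT / 227 into (ip, port)."""
    ip = ".".join(str(int(g)) for g in groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return ip, port


def stateless_decide(pkt: Packet, inside_hosts) -> bool:
    """Static rule set: only the FTP control channel is ever permitted.
    The data connection has no matching rule, so it is dropped."""
    return ((pkt.src in inside_hosts and pkt.dport == FTP_CONTROL_PORT)
            or (pkt.dst in inside_hosts and pkt.sport == FTP_CONTROL_PORT))


class StatefulFtpFilter:
    """Keeps state on FTP control sessions and opens one-shot pinholes
    for the data connections they announce."""

    def __init__(self, inside_hosts):
        self.inside = set(inside_hosts)
        # Expected data connections as (src_ip, dst_ip, dst_port); consumed on use.
        # A production filter would also age these out and pin the source port.
        self.pinholes = set()

    def _learn(self, pkt: Packet, regex) -> None:
        m = regex.search(pkt.payload)
        if not m:
            return
        ip, port = parse_endpoint(m.groups())
        # Only honour an endpoint that names the host actually sending it,
        # and only an unprivileged port: a pinhole is only ever opened back
        # to the party that asked for it.
        if ip == pkt.src and 1023 < port <= 65535:
            self.pinholes.add((pkt.dst, ip, port))

    def decide(self, pkt: Packet) -> bool:
        if pkt.src in self.inside and pkt.dport == FTP_CONTROL_PORT:
            self._learn(pkt, _PORT_RE)      # client -> server: may carry PORT
            return True
        if pkt.dst in self.inside and pkt.sport == FTP_CONTROL_PORT:
            self._learn(pkt, _PASV_RE)      # server -> client: may carry 227
            return True
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.pinholes:
            self.pinholes.discard(key)      # one data connection per announcement
            return True
        return False


def run_demo():
    """Replay a constructed active-mode FTP exchange through both filters."""
    inside = {"10.0.0.5"}
    client, server = "10.0.0.5", "198.51.100.7"
    trace = [
        Packet(client, 40001, server, 21, b"USER anonymous\r\n"),
        Packet(client, 40001, server, 21, b"PORT 10,0,0,5,4,1\r\n"),  # data port 4*256+1 = 1025
        Packet(server, FTP_DATA_PORT, client, 1025),   # server opens the announced data channel
        Packet(server, FTP_DATA_PORT, client, 1025),   # second attempt: pinhole already consumed
        Packet(server, FTP_DATA_PORT, client, 1026),   # never announced
    ]
    stateful = StatefulFtpFilter(inside)
    return {
        "stateful": [stateful.decide(p) for p in trace],
        "stateless": [stateless_decide(p, inside) for p in trace],
    }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, ["allow" if v else "drop" for v in verdicts])
```

Running it shows the difference the post is pointing at: the stateless filter passes the control traffic but drops the server's data connection, which is exactly why such setups push users toward passive mode; the stateful filter lets the one announced connection through and nothing else.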

