hardware firewall buying
on 29.10.2006 22:20:30 by Skywise
I'm in the market for a hardware router/firewall device as I
am FINALLY moving to broadband... cable to be precise.
I've looked at a few models from both Linksys and D-link. I
also took a gander at some websites that have customer reviews
to get an idea on what models have/don't have problems. The
problem is that most of what I read are complaints, no matter
what model I'm looking at.
I've also tried a few review websites but they didn't seem to offer
me much information beyond what's in the manufacturers' brochures.
I'm kind of fond of the Linksys BEFSX41.
Can anyone offer some comments that might help my decision
making process?
What I'd love to find is a website that does reviews and
comparisons like DPReview.com does for digital cameras. They
are extremely in depth and have a search matrix to help you
decide what models meet your requirements.
Brian
--
http://www.skywise711.com - Lasers, Seismology, Astronomy, Skepticism
Seismic FAQ: http://www.skywise711.com/SeismicFAQ/SeismicFAQ.html
Quake "predictions": http://www.skywise711.com/quakes/EQDB/index.html
Sed quis custodiet ipsos Custodes?
Re: hardware firewall buying
on 29.10.2006 22:40:36 by Anders
Skywise wrote:
> I'm in the market for a hardware router/firewall device as I
> am FINALLY moving to broadband... cable to be precise.
>
> I've looked at a few models from both Linksys and D-link. I
> also took a gander at some websites that have customer reviews
> to get an idea on what models have/don't have problems. The
> problem is that most of what I read are complaints, no matter
> what model I'm looking at.
>
> I've also tried a few review websites but they didn't seem to offer
> me much information beyond what's in the manufacturers' brochures.
>
> I'm kind of fond of the Linksys BEFSX41.
>
> Can anyone offer some comments that might help my decision
> making process?
>
> What I'd love to find is a website that does reviews and
> comparisons like DPReview.com does for digital cameras. They
> are extremely in depth and have a search matrix to help you
> decide what models meet your requirements.
>
> Brian
I haven't read up on this site for a long time now,
but perhaps you can find something useful here.
http://www.tomsnetworking.com/lans_routers/index.html
/Anders
Re: hardware firewall buying
on 30.10.2006 00:51:28 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 30.10.2006 02:42:57 by Skywise
Anders wrote in news:od91h.21195$E02.8627@newsb.telia.net:
> I haven't read up on this site for a long time now,
> but perhaps you can find something useful here.
> http://www.tomsnetworking.com/lans_routers/index.html
This is much better than the sites I'd previously found.
Thanks.
Brian
--
http://www.skywise711.com - Lasers, Seismology, Astronomy, Skepticism
Seismic FAQ: http://www.skywise711.com/SeismicFAQ/SeismicFAQ.html
Quake "predictions": http://www.skywise711.com/quakes/EQDB/index.html
Sed quis custodiet ipsos Custodes?
Re: hardware firewall buying
on 30.10.2006 02:50:11 by Skywise
Leythos wrote in news:48b1h.20031$pq4.14052@tornado.ohiordc.rr.com:
> If the device you are considering is not on a list of CERT approved
> appliances, then it's not really a firewall. At least not to the level
> that you can feel comfortable that you will be secure.
>
> NAT Routers ARE NOT FIREWALLS.
Thanks for the education. I found cert.org and am still browsing.
Lots to learn.
I keep seeing people say that hardware firewalls are better than
software firewalls, and figured I'd get a router/firewall instead
of just a plain router. BTW, I use Kerio 4 and feel comfortable
with its performance.
After reading some of the reviews on the website recommended by
Anders, I'm getting the impression that I might want something
more than these "all-in-one" broadband router/firewalls.
I may be just a "home user" but I always seem to have this knack
for pushing the envelope of my computer equipment.
Sure, these little devices might be nice and cheap, but as they
say, you get what you pay for.
Perhaps what I should be looking for is something on the low
end of "industrial strength" or "pro-sumer" or "professional
grade".
Does anyone have some suggestions along these lines for some
makes/models I might be interested in?
Brian
--
http://www.skywise711.com - Lasers, Seismology, Astronomy, Skepticism
Seismic FAQ: http://www.skywise711.com/SeismicFAQ/SeismicFAQ.html
Quake "predictions": http://www.skywise711.com/quakes/EQDB/index.html
Sed quis custodiet ipsos Custodes?
Re: hardware firewall buying
on 30.10.2006 03:11:00 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 30.10.2006 04:27:46 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 30.10.2006 04:46:33 by Jerry Gardner
Skywise wrote:
> Perhaps what I should be looking for is something on the low
> end of "industrial strength" or "pro-sumer" or "professional
> grade".
>
> Does anyone have some suggestions along these lines for some
> makes/models I might be interested in?
Cisco PIX 501 or Juniper Netscreen 5GT.
Re: hardware firewall buying
on 30.10.2006 16:07:55 by NETADMIN
Hi
What you can do as a home user is look into some kinda UTM
device instead of just a NAT router/firewall. Start searching for a good
UTM device.
I used Sonicwall and Fortinet to start with.
CK
Skywise wrote:
> Leythos wrote in news:48b1h.20031$pq4.14052@tornado.ohiordc.rr.com:
>
>
> > If the device you are considering is not on a list of CERT approved
> > appliances, then it's not really a firewall. At least not to the level
> > that you can feel comfortable that you will be secure.
> >
> > NAT Routers ARE NOT FIREWALLS.
>
> Thanks for the education. I found cert.org and am still browsing.
> Lots to learn.
>
> I keep seeing people say that hardware firewalls are better than
> software firewalls, and figured I'd get a router/firewall instead
> of just a plain router. BTW, I use Kerio 4 and feel comfortable
> with its performance.
>
> After reading some of the reviews on the website recommended by
> Anders, I'm getting the impression that I might want something
> more than these "all-in-one" broadband router/firewalls.
>
> I may be just a "home user" but I always seem to have this knack
> for pushing the envelope of my computer equipment.
>
> Sure, these little devices might be nice and cheap, but as they
> say, you get what you pay for.
>
> Perhaps what I should be looking for is something on the low
> end of "industrial strength" or "pro-sumer" or "professional
> grade".
>
> Does anyone have some suggestions along these lines for some
> makes/models I might be interested in?
>
> Brian
> --
> http://www.skywise711.com - Lasers, Seismology, Astronomy, Skepticism
> Seismic FAQ: http://www.skywise711.com/SeismicFAQ/SeismicFAQ.html
> Quake "predictions": http://www.skywise711.com/quakes/EQDB/index.html
> Sed quis custodiet ipsos Custodes?
Re: hardware firewall buying
on 30.10.2006 18:43:58 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 30.10.2006 18:45:39 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 30.10.2006 20:36:53 by Greg Hennessy
On Mon, 30 Oct 2006 17:45:39 GMT, Leythos wrote:
>
>If it qualified, technically, then it would have been submitted to Cert
>for certification.
>
Err cobblers.
Are you seriously trying to argue that a Cisco ASA somehow isn't a firewall
because ICSA certification is in process and hasn't been granted yet?
Do you expect people to believe that ICSA certified Checkpoint FW-1 running
on Splat is a 'firewall' but the exact same code running on a standalone
Redhat or Nokia IP series is not?
How can you possibly assert that a cisco device running Firewall Feature
set cannot be a firewall because it has not been submitted to ICSA, but
those submitted devices running the exact same code somehow are?
ICSA certification is no guarantee of anything, let alone fitness for
purpose.
According to
https://newlabs.icsalabs.com/icsa/product.php?tid=fghhf456fgh
the Chocolate FireGuards you're so fond of peddling are neither ICSA 4.0 nor
4.1 certified. Is that why they have been ripped and replaced on at least
two large watchguard customers here in the UK I know of?
Or is it because they are unsupportable bug ridden rubbish?
greg
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
on 30.10.2006 21:49:34 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 30.10.2006 22:22:19 by Greg Hennessy
On Mon, 30 Oct 2006 20:49:34 GMT, Leythos wrote:
>In article , me@privacy.org
>says...
>> On Mon, 30 Oct 2006 17:45:39 GMT, Leythos wrote:
>>
>>
>> >
>> >If it qualified, technically, then it would have been submitted to Cert
>> >for certification.
>> >
>>
>> Err cobblers.
>>
>> Are you seriously trying to argue that a Cisco ASA somehow isn't a firewall
>> because ICSA certification is in process and hasn't been granted yet ?
>>
>> Do you expect people to believe that ICSA certified Checkpoint FW-1 running
>> on Splat is a 'firewall' but the exact same code running on a standalone
>> Redhat or Nokia IP series is not ?
>>
>> How can you possibly assert that a cisco device running Firewall Feature
>> set cannot be a firewall because it has not been submitted to ICSA, but
>> those submitted devices running the exact same code somehow are ?
>
>How can you possibly assert that a 457 makes the car fast?
>
As usual you've proven incapable of addressing a single point raised.
By your own logic Watchguard products are now not firewalls.
[diversionary fallacious irrelevance binned]
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
on 30.10.2006 23:10:35 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 31.10.2006 00:08:51 by Greg Hennessy
On Mon, 30 Oct 2006 22:10:35 GMT, Leythos wrote:
>In article , me@privacy.org
>says...
>> On Mon, 30 Oct 2006 20:49:34 GMT, Leythos wrote:
>>
>> >In article , me@privacy.org
>> >says...
>> >> On Mon, 30 Oct 2006 17:45:39 GMT, Leythos wrote:
>> >>
>> >>
>> >> >
>> >> >If it qualified, technically, then it would have been submitted to Cert
>> >> >for certification.
>> >> >
>> >>
>> >> Err cobblers.
>> >>
>> >> Are you seriously trying to argue that a Cisco ASA somehow isn't a firewall
>> >> because ICSA certification is in process and hasn't been granted yet ?
>> >>
>> >> Do you expect people to believe that ICSA certified Checkpoint FW-1 running
>> >> on Splat is a 'firewall' but the exact same code running on a standalone
>> >> Redhat or Nokia IP series is not ?
>> >>
>> >> How can you possibly assert that a cisco device running Firewall Feature
>> >> set cannot be a firewall because it has not been submitted to ICSA, but
>> >> those submitted devices running the exact same code somehow are ?
>> >
>> >How can you possibly assert that a 457 makes the car fast?
>> >
>>
>> As usual you've proven incapable of addressing a single point raised.
>
>Actually, I addressed specifically what you posted.
You have done nothing of the sort.
I fail to see the relevance of the non sequitur posted above.
>> By your own logic Watchguard products are now not firewalls.
>
>Yep, that would seem so,
Proof if any were necessary of the fallacious nature of your argument.
> and I've contacted ICSA Labs and WatchGuard
>about it to determine what the real issue is - as they were still listed
>in June of this year.
>
>> [diversionary fallacious irrelevance binned]
>
>Which would seem to indicate that most of your reply was binned.
>
>Why can't you address anything I posted?
I have repeatedly, it is not the fault of the audience that the ridiculous
premise you've trotted out here over the past several years, has hoisted
you upon your own petard.
You cannot explain why identical code running on one 'certified' platform
suddenly stops doing what it's supposed to do when running on an
'uncertified' one.
The notion that certification provides some expectation of 'working
properly' is arrant nonsense. ICSA guarantee no such thing. Read their
disclaimers sometime.
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
on 31.10.2006 00:09:47 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 31.10.2006 01:57:43 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 31.10.2006 02:35:23 by Skywise
Spender wrote in news:ehdck2tejdcsopqb8lhf2bu173l3iudc7r@news.easynews.com:
> On Sun, 29 Oct 2006 21:20:30 -0000, Skywise
> wrote:
>
>>I'm kind of fond of the Linksys BEFSX41.
>>
>>Can anyone offer some comments that might help my decision
>>making process?
>
> For most home users I suggest the BEFSX41. It is a solid unit that does
> its job well. Having SPI (Stateful Packet Inspection) it does
> technically qualify as a firewall under the RFC2979 guidelines (I
> emailed the author of RFC2979 and he agreed that a packet filter in a
> NAT router does qualify the device as a firewall.)
>
> Leythos disagrees, but since he is a much higher level guru, and
> regularly works with much more expensive equipment, he has good reason
> to favor full featured hardware firewalls.
>
> But for home use, a BEFSX41 is a good deal and should serve you well.
> The only caveat is that you need to take the time to find out about the
> kinds of exploits that the lower end units aren't designed to detect or
> prevent.
>
> The BEFSX41 can lock out all ActiveX, Java, Cookies, etc, if you like.
> But that would be a major pain. Your best bet is to add a good popup
> blocker (not the one in IE... it sucks. I use PopUpCop.), take some care
> as to where you surf, have a good anti-virus program, etc.
>
> A BEFSX41 and a little knowledge can protect you very well.
Well, I think I have *some* knowledge. I run Kerio. I have Firefox 2,
which has a popup blocker. I do have Java on only because many sites
I visit use it, and those I do trust. I have Norton 2000 for a/v and
scan the files I download. I use mailwasher to keep out the spam, and
I don't go around opening attachments willy-nilly anyway; that's just
suicidal if you ask me. I've also disabled a lot of unnecessary services
in W2K. I practice safe net. In my ten years on the net I've only
been hit once, and it turned out to be my own damned fault anyway.
It's beginning to sound like the BEFSX41 will do me just fine, as it
will complement the things I already do to be safe. If, in the future,
I feel the need for more, I can always add a "real" firewall later on.
Now to go put on my asbestos armor as the flames seem to be getting
a bit warm around here.... :)
Brian
--
http://www.skywise711.com - Lasers, Seismology, Astronomy, Skepticism
Seismic FAQ: http://www.skywise711.com/SeismicFAQ/SeismicFAQ.html
Quake "predictions": http://www.skywise711.com/quakes/EQDB/index.html
Sed quis custodiet ipsos Custodes?
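Spender's description of SPI quoted above, a NAT router that tracks connection state instead of judging each packet on its own, is the mechanism the whole "is it a firewall" argument turns on. As an added illustration that is not code from this thread, from Linksys, or from any product named here, the following Python sketch runs a toy stateful filter beside a stateless "ACK means established" filter over a constructed packet sequence. The packet layout, the policy, the addresses and the function names are my own assumptions.

```python
"""Toy stateful packet filter, added as an illustration (not from the thread).

Assumed policy, as a home NAT/SPI router is usually described:
  - packets leaving the LAN are allowed and open a tracked connection;
  - packets arriving from the Internet are allowed only when they match
    a tracked connection; everything else inbound is dropped.
For comparison, stateless_decide() treats any inbound TCP packet carrying
the ACK flag as 'established', the approximation a filter without
connection tracking has to fall back on.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str              # "out" = LAN -> Internet, "in" = Internet -> LAN
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags such as {"SYN"} or {"ACK"}


# (proto, LAN address, LAN port, remote address, remote port)
ConnKey = Tuple[str, str, int, str, int]


@dataclass
class StatefulFilter:
    table: Dict[ConnKey, str] = field(default_factory=dict)   # connection table

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        # Normalise both directions onto one key so a reply finds the entry
        # that the outbound packet created.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        key = self._key(p)
        if p.direction == "out":
            if p.proto == "udp":
                self.table.setdefault(key, "UDP_OPEN")
            elif "SYN" in p.flags:
                self.table.setdefault(key, "SYN_SENT")
            return "ACCEPT"       # outbound traffic is allowed by this policy
        state = self.table.get(key)
        if state is None:
            return "DROP"         # unsolicited inbound: no tracked connection
        if p.proto == "tcp":
            if "RST" in p.flags:
                del self.table[key]               # remote end tore it down
            elif state == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
                self.table[key] = "ESTABLISHED"   # handshake reply seen
        return "ACCEPT"


def stateless_decide(p: Packet) -> str:
    """Stateless filter: no table, so 'belongs to a LAN-opened connection'
    can only be guessed from the ACK flag."""
    if p.direction == "out":
        return "ACCEPT"
    if p.proto == "tcp" and "ACK" in p.flags:
        return "ACCEPT"
    return "DROP"


# Constructed packet sequence (documentation addresses, not real hosts).
LAN, WEB, DNS, STRANGER = "192.168.1.10", "203.0.113.5", "203.0.113.53", "198.51.100.7"
SAMPLE_PACKETS: List[Packet] = [
    Packet("out", "tcp", LAN, 40000, WEB, 80, frozenset({"SYN"})),          # LAN opens HTTP
    Packet("in",  "tcp", WEB, 80, LAN, 40000, frozenset({"SYN", "ACK"})),   # handshake reply
    Packet("in",  "tcp", STRANGER, 4444, LAN, 22, frozenset({"SYN"})),      # unsolicited SYN
    Packet("in",  "tcp", STRANGER, 4444, LAN, 22, frozenset({"ACK"})),      # unsolicited ACK-only
    Packet("out", "udp", LAN, 50000, DNS, 53),                               # DNS query
    Packet("in",  "udp", DNS, 53, LAN, 50000),                               # matching reply
    Packet("in",  "udp", DNS, 53, LAN, 50001),                               # reply to wrong port
]


def run_stateful(packets: List[Packet]) -> List[str]:
    filt = StatefulFilter()
    return [filt.decide(p) for p in packets]


def run_stateless(packets: List[Packet]) -> List[str]:
    return [stateless_decide(p) for p in packets]


if __name__ == "__main__":
    for p, sf, sl in zip(SAMPLE_PACKETS, run_stateful(SAMPLE_PACKETS),
                         run_stateless(SAMPLE_PACKETS)):
        print(f"{p.direction:>3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"{sorted(p.flags) or ''}  stateful={sf:6} stateless={sl}")
```

The two filters agree on most of the sequence; the fourth packet is where they part. An inbound packet that merely sets ACK passes the stateless filter because the flag is all it has to go on, while the stateful filter drops it because no LAN host ever opened that connection. The DNS pair shows the other half of the point: without state, a UDP reply has to be either blocked or allowed wholesale by source port, whereas the tracked entry lets only the reply to the query through.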
Re: hardware firewall buying
on 31.10.2006 03:33:09 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 31.10.2006 03:35:00 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 31.10.2006 03:36:31 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 31.10.2006 07:18:20 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 31.10.2006 07:33:08 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 31.10.2006 12:04:39 by Greg Hennessy
On Tue, 31 Oct 2006 06:18:20 GMT, Spender wrote:
>On Tue, 31 Oct 2006 01:35:23 -0000, Skywise
>There is the occasional flame war about the definition of the term
>firewall. Leythos is a purist and adamant about the definition.
No, he's flogging a rather pedestrian line of appliances.
>The fact remains that if you want reliable information about firewalls and
>security, Leythos is the one to ask.
Except his answer changes every time the flaws in his previous one are
detailed.
Leythos still cannot explain why identical firewall code, identically
configured on two platforms suddenly diverge into a firewall/'non firewall'
state when only one of those platforms gains ICSAlabs certification.
greg
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
on 31.10.2006 12:04:39 by Greg Hennessy
On Tue, 31 Oct 2006 02:33:09 GMT, Leythos wrote:
>In article , me@privacy.org
>says...
>>
>> You cannot explain why identical code running on one 'certified' platform
>> suddenly stops doing what it's supposed to do when running on an
>> 'uncertified' one.
>
>Sure, I've explained my position on it several times, why keep ignoring
>it.
Nonsense, you have repeatedly expounded a thoroughly fallacious line on the
matter and it's been found wanting.
>Here it is again: A certified solution gives me a set of testing,
>hardware, firmware, specifics that show that it's passed X tests.
Which proves sweet FA except that it can pass a test.
>The same solution on another hardware, firmware, or some other variant,
>may or may not pass certification, and may or may not be as secure.
"may or may not"
Note the wriggling. Previously our friend has sworn blind that only ICSA
certified solutions were really firewalls.
Now that Chocolate Fireguard products are uncertified, one can only wonder
at the swinging in the wind.
>> The notion that certification provides some expectation of 'working
>> properly' is arrant nonsense. ICSA guarantee no such thing. Read their
>> disclaimers sometime.
>
>And they clearly say that under a given set of testing conditions, with
>specific hardware/firmware, that the device has passed certification (or
>not).
More back pedalling.
Passing certification does not and has never implied 'working properly'
(your words, not mine)
>So, unless you continue to be as dense as a rock, even you can see that
>certification has merit - that it can give an expectation of the device
>being able to provide the tested functions/methods.
Oh puhleeeze.
>I've never said that an uncertified device can't protect you, or that it
>can't protect you as well, never,
Au contraire, you have made that claim several times, would you like me to
embarrass you further by quoting chapter and verse about alleged 'non
firewalls'.
>but I clearly state that a certified
>solution is very likely to be able to provide what it claims.
Our friend wriggles yet again.
greg
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
on 31.10.2006 13:10:17 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 31.10.2006 13:11:29 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 31.10.2006 16:24:31 by Greg Hennessy
On Tue, 31 Oct 2006 12:10:17 GMT, Leythos wrote:
>In article , me@privacy.org
>says...
>> >And they clearly say that under a given set of testing conditions, with
>> >specific hardware/firmware, that the device has passed certification (or
>> >not).
>>
>> More back pedalling.
>>
>> Passing certification does not and has never implied 'working properly'
>> (your words, not mine)
>
>As long as you play the "out of context" game I'm not going to keep
>discussing this with you.
I have not quoted anything out of context, you have repeatedly asserted
that the lack of certification somehow turns a firewalling product from a
functional state into a non functional one. That's fact, you cannot deny
it.
You have repeatedly shown a complete lack of comprehension w.r.t the
operation of L3 packet filtering and even gone as far as to deny the
relevant RFCs and supporting evidence from Ranum, Bellovin et al, all on
the basis that the OSI documentation doesn't mention the term 'firewall'
anywhere.
>I will say it again:
>
>Having a certified appliance means that the device has performed as
>specified in the testing and is considered a valid firewall solution in
>the tested configuration.
Rubbish, all that says is that it passed a test, a test the vendor paid
ICSA to do.
It says absolutely nothing about the product being a 'valid firewall
solution' in the real world.
You have been told this several times by yours truly and other posters.
Your self serving cluelessness on this and other security related topics is
not the fault of the audience.
ISTR to remember that you're the 'expert' who advocated pointless MAC
filtering with WPA when even a brief familiarisation with how WPA works
makes it self-evident that WPA does implicit MAC filtering as standard.
[yet more self serving contradictory back peddling rubbish binned]
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
on 31.10.2006 16:24:31 by Greg Hennessy
On Tue, 31 Oct 2006 12:11:29 GMT, Leythos wrote:
>In article <5naek25nfjujga8a2v0fv9iaoau49miaj3@4ax.com>, me@privacy.org
>says...
>> Leythos still cannot explain why identical firewall code, identically
>> configured on two platforms suddenly diverge into a firewall/'non firewall'
>> state when only one of those platforms gains ICSAlabs certification.
>
>Yes, I have, several times, and you keep ignoring it.
You haven't, I have asked the question several times.
How does ICSA certification make Checkpoint FW-1 running on SPLAT or Nortel
ASF a 'firewall', when identical code running on non ICSA
certified Redhat, Nokia LIPSO or Crossbeam turns them into alleged 'non
firewalls'?
Simple question. What is your answer relating to the 'specific' platforms
mentioned above?
>There is more to a firewall being secure than how you configure the
>firewall application itself.
Which has absolutely sweet FA to do with ICSA labs and their certification.
> There are a number of variables that impact the solution,
Nebulous waffle.
>which you seem to not understand or which you want to
>ignore.
Oh puhleeze, do not teach your grandmother how to suck eggs.
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
on 01.11.2006 09:25:32 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 01.11.2006 11:43:45 by Greg Hennessy
On Wed, 01 Nov 2006 08:25:32 GMT, Spender wrote:
>>No, he's flogging a rather pedestrian line of appliances.
>
>Leythos hasn't flogged the likes of the Linksys NAT routers.
He has repeatedly peddled Watchguard appliances purely on the basis that
their more expensive models were 'certified'.
> On the
>contrary he has stated quite clearly that they have their place and will
>function perfectly well for many home users.
Wrong, if you read the documentary record he has claimed on several
occasions that products without ICSA certification couldn't possibly be
firewalls.
>
>>>The fact remains that if you want reliable information about firewalls and
>>>security, Leythos is the one to ask.
>>
>>Except his answer changes everytime the flaws in his previous one is
>>detailed.
>>
>>Leythos still cannot explain why identical firewall code, identically
>>configured on two platforms suddenly diverge into a firewall/'non firewall'
>>state when only one of those platforms gains ICSAlabs certification.
>
>I saw his explanation. Maybe you didn't read his response thoroughly.
I did, it is complete uninformed bollocks. The guy makes authoritative
statements about platforms he knows absolutely nothing about.
Leythos has previously claimed that IPTables running on Sveasoft couldn't
possibly be a valid firewall solution because it wasn't ICSAlabs certified.
When it was pointed out that ICSA certified Astaro ASL uses IPTables to
implement its security policy, Leythos had no answer.
There is absolutely no difference between using ASL to create a secure
policy versus using Smoothwall or sacrificing barnyard fowl to achieve the
same end by hand on the exact same hardware.
Security is a process not a product.
Leythos has previously claimed that IPFilter couldn't possibly be a valid
firewall solution because it wasn't ICSA labs certified, when it was
pointed out that Sun actively maintain and support IPFilter on Solaris as
their preferred firewall solution, he changes the terms of reference to
'tested and inspected' by a 'reputable' company.
etc
etc
etc
> His
>idea is that the same code on different hardware might not work
>identically. One might meet certification tests, and one might not.
His 'idea' says nothing of the sort.
Why is a 'certified' system running Checkpoint FW1 SecurePlatform a
'firewall', but the exact same code running on the exact same hardware
hosted on a non certified Redhat install somehow a 'non firewall'? His
words regarding all products without ICSAlabs certification, not mine.
We are expected to believe that ICSA certification grants some level of
fitness for purpose which in reality doesn't exist outside of configuring a
submitted system + $10k to pass ICSAlabs certification.
greg
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
on 01.11.2006 16:48:03 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 01.11.2006 18:20:09 by Greg Hennessy
On Wed, 01 Nov 2006 15:48:03 GMT, Leythos wrote:
>In article , me@privacy.org
>says...
>> On Wed, 01 Nov 2006 08:25:32 GMT, Spender wrote:
>>
>>
>> >>No, he's flogging a rather pedestrian line of appliances.
>> >
>> >Leythos hasn't flogged the likes of the Linksys NAT routers.
>>
>> He has repeatedly peddled Watchguard appliances purely on the basis that
>> their more expensive models were 'certified'.
>
>No, if you go back and check, I've said I pick WG over all other vendors
>products because of the features,
You Sir, are not a particularly good liar.
You made every claim mentioned by yours truly in this thread
http://groups.google.co.uk/group/comp.security.firewalls/tree/browse_frm/thread/bec0662f5405b644/55ce1b4c2b0c305f?rnum=1&hl=en&q=%22Wrt54G+is+a+FW+appliance%3F%22&_done=%2Fgroup%2Fcomp.security.firewalls%2Fbrowse_frm%2Fthread%2Fbec0662f5405b644%2F55ce1b4c2b0c305f%3Ftvc%3D1%26q%3D%22Wrt54G+is+a+FW+appliance%3F%22%26hl%3Den%26#doc_55ce1b4c2b0c305f
or
http://snipurl.com/10y9y
for those with wrapping issues.
The google record and ridiculous attempts to spin your way out of it speaks
for itself.
greg
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
on 01.11.2006 19:24:48 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 01.11.2006 19:32:11 by unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
on 01.11.2006 20:50:15 by Greg Hennessy
On Wed, 01 Nov 2006 18:24:48 GMT, Leythos wrote:
>In article , me@privacy.org
>says...
>> Are you seriously trying to argue that a Cisco ASA somehow isn't a firewall
>> because ICSA certification is in process and hasn't been granted yet ?
>
>Since I'm not making a statement of it being or not being a firewall,
Our hair splitting chum has said precisely that regarding non ICSA
certified firewalls.
"I'll remind everyone that until it's been proven to be a firewall by
some independent authority on the matter as accepted by the community,
that it's not a firewall either. "
"As it is now, unless we inspect the code, line by line, and then run a
battery of tests against the inside and outside interfaces, we don't know
if it's a firewall. "
greg
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
on 01.11.2006 20:50:15 by Greg Hennessy
On Wed, 01 Nov 2006 18:32:11 GMT, Leythos wrote:
>In article <4vkhk2tusirbruo08j1tr8kvgudauogv0r@4ax.com>, me@privacy.org
>says...
>> On Wed, 01 Nov 2006 15:48:03 GMT, Leythos wrote:
>>
>> >In article , me@privacy.org
>> >says...
>> >> On Wed, 01 Nov 2006 08:25:32 GMT, Spender wrote:
>> >>
>> >>
>> >> >>No, he's flogging a rather pedestrian line of appliances.
>> >> >
>> >> >Leythos hasn't flogged the likes of the Linksys NAT routers.
>> >>
>> >> He has repeatedly peddled Watchguard appliances purely on the basis that
>> >> their more expensive models were 'certified'.
>> >
>> >No, if you go back and check, I've said I pick WG over all other vendors
>> >products because of the features,
>>
>> You Sir, are not a particularly good liar.
>>
>> You made every claim mentioned by yours truly in this thread
>>
>> http://groups.google.co.uk/group/comp.security.firewalls/tree/browse_frm/thread/bec0662f5405b644/55ce1b4c2b0c305f?rnum=1&hl=en&q=%22Wrt54G+is+a+FW+appliance%3F%22&_done=%2Fgroup%2Fcomp.security.firewalls%2Fbrowse_frm%2Fthread%2Fbec0662f5405b644%2F55ce1b4c2b0c305f%3Ftvc%3D1%26q%3D%22Wrt54G+is+a+FW+appliance%3F%22%26hl%3Den%26#doc_55ce1b4c2b0c305f
>>
>> or
>>
>> http://snipurl.com/10y9y
>>
>> for those with wrapping issues.
>>
>> The google record and ridiculous attempts to spin your way out of it speaks
>> for itself.
>
>Since you could not quote what I said, here it is:
>
>== if you can't
>== post a link to a reputable company that certifies it as a firewall
>== then it's still just a test project or a hope-to-be firewall
>== solution.
>
>And I stand by that statement - if the solution has not been tested,
>proven by an independent company, to protect the network, as
>designed/required, then you can call it anything you want, but it's just
>a test or a Hope-To-Be Firewall solution.
There you have it folks.
Cisco's ASA, which is based on over a decade's worth of PIX development, is
only a 'hope to be' firewall solution, because its ICSAlabs certification
is pending.
Darren Reed's IPFilter, as shipped on Solaris as standard and supported by
Sun as their preferred packet filtering solution, is a 'hope to be' firewall
solution.
>I can install FW-1 in an unsecure manner,
I can well believe that.
>on an improperly configured
>machine, and it won't be considered a firewall solution, it would be
>considered a MESS and an unsecured design.
That applies to all firewall installations, rendering the notion of
anything being 'proven' by ICSAlabs certification superfluous.
> Like it or not, just because
>you use FW-1 or some other product that HAS been included in a
>test/validation,
Firewall-1 running on IPSO or Crossbeam are not ICSA certified solutions.
Note to the audience: Nokia IP Series and Crossbeam C/X series running
Firewall-1 are the hosting platforms of choice for Banks, Telcos and other
large enterprises who run Checkpoint software to protect their networks.
The 'expert' here has just deemed them 'hope to be' firewall solutions.
No more comment is necessary really.
>until your solution, as built, has been tested (or you
>use the solution that was tested),
ROTFL! I cannot believe he's coming out with the exact same b*llocks yet
again.
How can one possibly use 'the solution that was tested' when the security
policy loaded onto said device will always be different?
>you don't really know what you've
>got, other than a bunch of hope and hot air.
Oh Gawd. Here we go again, argumentum ad nauseam, from the thread link I
posted previously.
"I'll remind everyone that until it's been proven to be a firewall by
some independent authority on the matter as accepted by the community,
that it's not a firewall either. "
"As it is now, unless we inspect the code, line by line, and then run a
battery of tests against the inside and outside interfaces, we don't know
if it's a firewall. "
greg
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
on 01.11.2006 21:45:31 by soren.skovgaard
Hi Spender!
Have a look at the TrendNet router TW100-BRV204.
I like it very much - it has SPI, you can setup firewall rules for in and
outgoing comm, and it even has VPN. I have used it for ½ year now and it
performs well (I have tried to have about 30 connection open and active at
the same time without any problems). I say Go For It ;-)
My regards
Søren
"Spender" wrote in message
news:ehdck2tejdcsopqb8lhf2bu173l3iudc7r@news.easynews.com...
> On Sun, 29 Oct 2006 21:20:30 -0000, Skywise
> wrote:
>
>>I'm kind of fond of the Linksys BEFSX41.
>>
>>Can anyone offer some comments that might help my decision
>>making process?
>
> For most home users I suggest the BEFSX41. It is a solid unit that does
> its job well. Having SPI (Stateful Packet Inspection) it does technically
> qualify as a firewall under the RFC2979 guidelines (I emailed the author
> of
> RFC2979 and he agreed that a packet filter in a NAT router does qualify
> the
> device as a firewall.)
>
> Leythos disagrees, but since he is a much higher level guru, and regularly
> works with much more expensive equipment, he has good reason to favor full
> featured hardware firewalls.
>
> But for home use, a BEFSX41 is a good deal and should serve you well. The
> only caveat is that you need to take the time to find out about the kinds
> of exploits that the lower end units aren't designed to detect or prevent.
>
> The BEFSX41 can lock out all ActiveX, Java, Cookies, etc, if you like. But
> that would be a major pain. Your best bet is to add a good popup blocker
> (not the one in IE... it sucks. I use PopUpCop.), take some care as to
> where you surf, have a good anti-virus program, etc.
>
> A BEFSX41 and a little knowledge can protect you very well.
Re: hardware firewall buying
am 01.11.2006 22:39:00 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 01.11.2006 22:42:39 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 02.11.2006 00:26:51 von Greg Hennessy
On Wed, 01 Nov 2006 21:39:00 GMT, Spender wrote:
>>Wrong, if you read the documentary record he has claimed on several
>>occasions that products without ICSA certification couldn't possibly be
>>firewalls.
>
>Whether or not he considers them to be real firewalls is just semantics.
Quite,
>The RFC2979 document considers a simple packet filter to be a firewall.
Why are you telling me this, tell him. You'll get no argument from me.
I am not the one claiming that MJR got it all wrong.
>Regardless, Leythos has never said that a lower end unit can't provide
>security to a home user.
He has, on several occasions. A linksys wrt-54gs is a 'low end unit' the
last time I looked.
> He has simply pointed out that such units won't
>ever provide complete security.
Incorrect, he has this very evening claimed that 'uncertified' solutions
are not firewalls.
A wrt-54gs running sveasoft provides equivalent if not better functionality
than a Netscreen 5XT.
A NS 5XT is not a 'low end unit'.
>>Leythos has previously claimed that IPFilter couldn't possibly be a valid
>>firewall solution because it wasn't ICSA labs certified, when it was
>>pointed out that Sun actively maintain and support IPFilter on Solaris as
>>their preferred firewall solution, he changes the terms of reference to
>>'tested and inspected' by a 'reputable' company.
>
>Pure nitpicking.
Pointing out the circular nonsense at the heart of his argument is not
'nitpicking'.
>Much ado over nothing if you ask me.
>Why does it upset you
>so much?
'upset' ?
How could one possibly be 'upset' to see someone's regularly repeated
cobblers implode when it was pointed out that Watchguard products are no
longer ICSA certified.
Therefore by their own logic, the product is a 'hope to be' firewall
solution, always the bridesmaid, never the bride.
I haven't laughed so hard in ages.
greg
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
am 02.11.2006 03:04:01 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 02.11.2006 03:07:22 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 02.11.2006 03:21:37 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 02.11.2006 05:40:55 von Duane Arnold
"Yohann" wrote in message
news:Xns986ED95428A24yoyass@69.28.186.158...
> Leythos wrote in
> news:oDy1h.20136$pq4.12516@tornado.ohiordc.rr.com:
>
>> In article , yoyyassin@gmail.com
>> says...
>>> Skywise wrote in news:12ka6ouq9uf9s54
>>> @corp.supernews.com:
>>>
>>>
>>> I'm on cable, and am using a Linksys Wireless-G Cable Gateway
>>> (WCG200, ver. 2)
>>>
>>> It's a cable modem, wireless/cable router, and an SPI firewall all
>>> rolled into one.
>>>
>>> Nothing gets through its firewall. Nothing.
>>
>> You are incorrect - the device permits all outbound traffic, unless
>> you've configured it to block outbound. The device also permits all
>> forms of files to be downloaded via HTTP and SMTP.
>>
>> So, to say that "Nothing" gets through is very misleading and only
>> talking about 1 direction.
>>
>
> Anyone whose computer is permitting unwanted "outbound" traffic needs to
> format their harddrive and rebuild their machine; they've been hopelessly
> compromised at that point.
Really? It sounds like some craziness. I wonder why, maybe it's due to some
alley happenings and some bitch-slapping that never happened and should have
happened. Maybe, some bitch-slapping needed to be done at that time to knock
some kind of sense into you.
So what about a driver that's on the computer that's sending outbound and
the person tracks it down to the driver and disables the driver or removes
the driver?
So, should the person just wipe out and format HD on that too?
One shoe doesn't fit all nor does one situation/solution fit all.
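The two technical points in the posts above, that a NAT router with SPI qualifies as a (packet-filtering) firewall, and that such a unit "permits all outbound traffic, unless you've configured it to block outbound", are easier to reason about with a small model. The following is an added example, not the firmware of the BEFSX41, the WCG200 or any other product mentioned in the thread: a toy stateful packet filter with a connection table, a default-allow outbound policy and one optional outbound block rule. The LAN prefix, the addresses and the blocked port are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed model of the stateful packet inspection (SPI) behaviour the
# thread attributes to consumer NAT routers. Not the code of any product;
# the LAN prefix, addresses and block rule below are assumptions.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# A state entry is the connection as seen from the LAN side:
# (lan_ip, lan_port, remote_ip, remote_port, proto)
StateKey = Tuple[str, int, str, int, str]


class StatefulFilter:
    """Accept outbound packets (creating state) and only those inbound packets
    that match a connection a LAN host opened. Outbound is allowed unless an
    explicit block rule says otherwise, which is the default under discussion."""

    def __init__(self, lan_prefix: str, blocked_outbound_ports: Optional[Set[int]] = None):
        self.lan_prefix = lan_prefix
        self.blocked_outbound_ports: Set[int] = set(blocked_outbound_ports or ())
        self.state: Set[StateKey] = set()
        self.log: List[str] = []  # dropped packets, where a detection story starts

    def _from_lan(self, pkt: Packet) -> bool:
        return pkt.src_ip.startswith(self.lan_prefix)

    def filter(self, pkt: Packet) -> str:
        """Return "ACCEPT" or "DROP" for one packet and update the state table."""
        if self._from_lan(pkt):
            if pkt.dst_port in self.blocked_outbound_ports:
                self.log.append(
                    f"DROP outbound {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} (rule)"
                )
                return "DROP"
            # Outbound traffic is accepted and remembered so the replies can return.
            self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "ACCEPT"

        # Inbound: the packet must be the reverse of a tracked connection.
        key: StateKey = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key in self.state:
            return "ACCEPT"
        self.log.append(
            f"DROP inbound {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} (no state)"
        )
        return "DROP"


def demo() -> List[str]:
    """Run a constructed packet sequence through the filter and return the verdicts."""
    fw = StatefulFilter(lan_prefix="192.168.1.", blocked_outbound_ports={25})
    traffic = [
        Packet("203.0.113.9", 40000, "192.168.1.10", 445),     # unsolicited inbound probe
        Packet("192.168.1.10", 51000, "198.51.100.20", 80),    # LAN host opens HTTP
        Packet("198.51.100.20", 80, "192.168.1.10", 51000),    # HTTP reply matches state
        Packet("198.51.100.20", 80, "192.168.1.10", 51001),    # "reply" to a port never opened
        Packet("192.168.1.10", 51002, "198.51.100.25", 25),    # outbound SMTP, blocked by rule
        Packet("192.168.1.10", 51003, "198.51.100.30", 6667),  # any other outbound: allowed by default
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last packet in `demo()` is the caveat Leythos raises: nothing in the state table stops a LAN host from opening whatever outbound connection it likes, so a compromised machine behind such a router talks out freely unless outbound rules are written for it. The `log` list is the only place the filter records what it dropped, which is why a unit without logging leaves the owner "talking about 1 direction" with no visibility into the other.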
Re: hardware firewall buying
am 02.11.2006 06:34:06 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 02.11.2006 07:05:47 von Skywise
Spender wrote in news:rrqdk25i0tii143vka13gbq1idc38qgbp9
@news.easynews.com:
> But there will always be that clueless portion of PC users
Which in my experience is 90% plus of PC users.
Brian
--
http://www.skywise711.com - Lasers, Seismology, Astronomy, Skepticism
Seismic FAQ: http://www.skywise711.com/SeismicFAQ/SeismicFAQ.html
Quake "predictions": http://www.skywise711.com/quakes/EQDB/index.html
Sed quis custodiet ipsos Custodes?
Re: hardware firewall buying
am 02.11.2006 09:23:19 von Anders Arnholm
Leythos writes:
> In article , me@privacy.org
> says...
> No, if you go back and check, I've said I pick WG over all other vendors
> products because of the features, the built-in proxy services, the fact
> that I can buy a new soft key to increase performance and features,
> that I get very good support, etc...
Doesn't the ability to buy soft keys to upgrade performance mean that
somewhere in the software there is a built-in downgrade of performance, so it
doesn't give you full speed until you pay more? Features I can
understand and accept; performance sounds hard to accept.
/ Balp
--
http://anders.arnholm.nu/ Keep on Balping
Re: hardware firewall buying
am 02.11.2006 09:35:39 von Anders Arnholm
Spender writes:
> On Wed, 01 Nov 2006 10:43:45 +0000, Greg Hennessy wrote:
> And there is the rub. Since the code was not tested on any given unit, and
> peculiarities of a given system might cause the code to malfunction.
Testing can never show that something works; that is just above the
possibilities of testing. The only thing you can show by testing is
that something doesn't work. You can only find problems, never
correctness, so a tested and certified firewall isn't shown to be
working, only that the tests didn't find any problems.
There may still be even more problems on the certified hardware
solution than on other solutions; testing can never tell anything
about this.
/ Balp, among other stuff certified tester.
--
http://anders.arnholm.nu/ Keep on Balping
Re: hardware firewall buying
am 02.11.2006 09:43:22 von Anders Arnholm
Leythos writes:
> In article , me@privacy.org
> says...
>> A wrt-54gs running sveasoft provides equivalent if not better functionality
>> than a Netscreen 5XT.
>
> Please show me where independent testing shows that the solution
> provides clear protection against some set of tests.
Do you understand the basic foundations of what testing is? What do you
think such testing can show; do you think it is as useful as
"independent" benchmarks? (The kind of stuff you get from paying a
company to run tests against your product that says that it's better
working than something else.)
After having worked with the code for some of the major firewall
manufacturers (certified by your loved testers) and other open code, I
know that OpenBSD code will win every day. The number of problems in
that code is far less. However they are not directly certified
anywhere.
/ Balp
--
http://anders.arnholm.nu/ Keep on Balping
Re: hardware firewall buying
am 02.11.2006 09:54:47 von Anders Arnholm
Leythos writes:
> In article , me@privacy.org
> says...
> A non-certified solution means I have no testing/certification to
> provide me with an expectation that a solution is going to work. Do not
Tests can never achieve your goal; you are correct in that no testing
doesn't prove it will work. However the opposite is also true: all the
testing in the world can't prove that it will work. You are as badly off
with the tested as the non-tested solution.
> So, again, to make it simple for you - Certification gives a user the
> expectation that the solution will work as tested. Without certification
> you are on your own.
With certifications you are still on your own; the difference is nil,
nada. Certification tells you that the marketing department thinks that
the badge looks good and will fool someone into believing that they don't
have to test and verify by themselves. It sells some kind of good
feeling, keeping the marketing happy, adding much to your cost.
Taking it for that it proves something about security or quality is
the wrong approach. It proves about the willingness to pay and maybe
about the financial state of the provider. This can be useful
information, but it still doesn't talk about security.
/ Balp
--
http://anders.arnholm.nu/ Keep on Balping
Re: hardware firewall buying
am 02.11.2006 10:32:43 von Greg Hennessy
On Thu, 02 Nov 2006 02:07:22 GMT, Leythos wrote:
>In article , me@privacy.org
>says...
>> A wrt-54gs running sveasoft provides equivalent if not better functionality
>> than a Netscreen 5XT.
>
>Please show me where independent testing shows that the solution
>provides clear protection against some set of tests.
Oh Gawd, not this specious nonsense again.
By that logic, the Watchguard products you peddle are no longer fit for any
purpose because they have no ICSA certification.
Are you seriously suggesting that no one should buy Watchguard products
until they are 'independently' tested and can demonstrate 'clear
protection' as a consequence.
Simple question, yes or no.
>
>What scans/tests have been run against the solution and what level of
>firmware was the tested device running?
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
am 02.11.2006 13:03:53 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 02.11.2006 13:09:14 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 02.11.2006 21:24:48 von Greg Hennessy
On Thu, 02 Nov 2006 12:09:14 GMT, Leythos wrote:
>In article , me@privacy.org
>says...
>> On Thu, 02 Nov 2006 02:07:22 GMT, Leythos wrote:
>>
>> >In article , me@privacy.org
>> >says...
>> >> A wrt-54gs running sveasoft provides equivalent if not better functionality
>> >> than a Netscreen 5XT.
>> >
>> >Please show me where independent testing shows that the solution
>> >provides clear protection against some set of tests.
>>
>> Oh Gawd, not this specious nonsense again.
>>
>> By that logic, the Watchguard products you peddle are no longer fit for any
>> purpose because they have no ICSA certification.
>>
>> Are you seriously suggesting that no one should buy Watchguard products
>> until they are 'independently' tested and can demonstrate 'clear
>> protection' as a consequence.
>>
>> Simple question, yes or no.
>
>If they don't regain their status, which is currently being questioned,
>then I won't recommend them any more. That being said, they still show
>that their products are certified on their own website, and their
>products were certified as of June this year, and I'm waiting on a reply
>from WG, which has indicated it's talking with them about why they were
>no longer listed.
The usual evasive nonsense one has come to expect.
Call yourself a professional ?
How could you possibly recommend a product that has no ICSA certification
'today'.
Please provide the 'independent' testing that demonstrates that the solution
provides clear protection against some set of tests.
Are you going to tell your existing customers that the product you sold
them cannot possibly be considered as a firewall ?
greg
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
am 02.11.2006 21:29:51 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 03.11.2006 02:15:29 von Arnold
Sebastian Gottschalk wrote:
> Duane Arnold wrote:
>
>
>>So what about a driver that's on the computer that's sending outbound and
>>the person tracks it down to the driver and disables the driver or removes
>>the driver?
>
>
> There's no firewall needed or useful for such a task.
>
>
>>So, should the person just wipe out and format HD on that too?
>
>
> Honestly, if it's an undocumented obscure behaviour, I'd treat this system
> as compromised and act accordingly.
>
>
>>One shoe doesn't fit all nor does one situation/solution fit all.
>
>
> Filtering out postings from Leythos does fit. Well, maybe except for
> himself.
I think you're on a few kill/hit lists yourself, don't you think, with
the XP FW.
Re: hardware firewall buying
am 03.11.2006 02:39:15 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 03.11.2006 06:11:46 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 03.11.2006 06:16:17 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 03.11.2006 09:53:46 von Anders Arnholm
Leythos writes:
> In article ,
> Anders+news@Arnholm.nu says...
>
> Actually, it makes complete sense - they built a product that provides
> X, Y, Z levels of performance, the hardware in the device is more than
> capable of providing the highest (Z) level of performance, but, people
> don't want to pay for that level, and it doesn't make sense to put
> slower components into a device, since the cost of electronic devices is
> about the same for this type of product...
That doesn't make sense; to make the big high-capacity stuff is as
cheap as making the slow box. (Or actually cheaper.) But as they think
they can get more money from the big customers that actually need the
most, they add functionality to lower the performance.
> If someone can't afford a level Z product, and they don't need a level Z
> product, why would you want them to pay for it at level Z. I think it's
If they then can get the Z level product for the price of the Y
level (with additional software making it slower), one can easily
think that the version without the cripple software should have been
even cheaper to sell in the first place. To me a manufacturer that puts
development cost into making the product work slower, with less
performance, feels really bad. I'd rather see that they put the work into
making it work faster.
> great that they provided a product that can be key upgraded without me
> having to buy a new appliance, without having to change my rule set,
> without having to take the network down for more than 30 seconds, etc...
Or the alternative: you got the product from the start with the best
performance and paid the lower price; you would have been even
happier.
/ Balp
--
http://anders.arnholm.nu/ Keep on Balping
Re: hardware firewall buying
am 03.11.2006 14:41:56 von unknown
Post removed (X-No-Archive: yes)
Re: hardware firewall buying
am 03.11.2006 16:58:43 von Greg Hennessy
On Thu, 02 Nov 2006 20:29:51 GMT, Leythos wrote:
>In article <4qhkk2lfo6dk9ih0u8t77t7ih7a9l23096@4ax.com>, me@privacy.org
>says...
>> Are you going to tell your existing customers that the product you sold
>> them cannot possibly be considered as a firewall ?
>
>The products that have been recommended and purchased by the customers
>were certified at the time of purchase, with the same level of firmware
>running on them - nothing has changed that.
>
>Are you always unable to understand anything.
ROTFL! Au contraire, Oh I understand alright.
Watchguard products are *not* certified today, therefore by your assessment
they cannot possibly be firewalls period.
Prior 'certification' is meaningless and the claim it would be in breach of
ICSALabs small print.
And you are advocating *not* updating Watchguard products with critical
bugfixes in order to 'comply' with an out of date meaningless test.
Have you told your customers that Watchguard products are unmaintainable ?
How much are you taking in support from customers whose watchguard products
you're refusing to patch.
If you have patched their Watchguard products, have you told them that the
enforcement points are not real firewalls any more?
greg
--
"He's raising an unholy army of singing dinosaurs!"
Re: hardware firewall buying
am 04.11.2006 10:32:53 von Anders Arnholm
Leythos writes:
> In article ,
> Anders+news@Arnholm.nu says...
>> If they then can get the Z level product for the price of thet Y
>> level
>
> The point is they provide a product at different levels, with different
> levels of performance, so that customers can purchase the level they
> need - this means that they can recover costs of development easier, but
> over a longer period, while still making the product viable to people
> that could not afford it otherwise.
The point is that they do additional work to make it cheaper. The
cheaper version has more development costs, the same hardware cost as
the full version. The additional feature added is a limitation of
what speed, number of simultaneous connections and so on. I can't
understand the logic behind it. The only reason is to fit into some
market analyst idea of what customers need for speed.
Personally this kind of behaviour keeps me recommending cheap open
source solutions for customers that don't need anything very
special. That way you can be sure that no one added cripple
functionality to your software.
The funny thing is that the more "advanced" in terms of
software/hardware complexity is the cheapest, the less complex version
costs more.
--
http://anders.arnholm.nu/ Keep on Balping
Re: hardware firewall buying
am 04.11.2006 13:56:53 von unknown
Post removed (X-No-Archive: yes)