RE: FYI: FW: [fw-wiz] Re: Home/SOHO "Firewall" Routers

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 16 Jun 2004 01:06:00 -0700

> The thing is, "hardware" firewalls are pretty weak when it comes to true
> firewalling. The hardware firewall fans are still thinking of "opening
> ports" when the port based approach is no longer valid when it comes to
> protecting the network. You need stateful application layer inspection,
> strong user/group based authentication for all inbound and outbound
> connections, and the ability to adapt to threats based on more than the
> dumb*ss approach of "closing a port (like the moron ISP's are using to
> DoS legitimate secure Exchange RPC connections by blocking TCP 135).

Absolutely true. However, for a business that for whatever reason can not
afford the costs associated with the top-o-the-line best firewall that ISA
is, a dedicated hardware firewall is 2nd best, especially depending on what
the usage will be. 

Example, I just replaced an aging SonicWall Pro at a client with a new
SonicWall Pro 2040. For around $1.7K, they get an easy to administer solid
firewall with VPNs and easy logging with out 3rd party software. For another
$1K, they can get failover ISP and VPN support. This is a new feature, that
if the primary line goes down, the remote units will automatticcly failover
the active VPN tunnel to the secondary connection and the remote users never
new that a problem occurred. 

To equip a ISA server with similar features will be closer $4.5K or better,
and with a higher administration cost.

Now, I think everyone here knows were I stand on ISA. It is simply the
top-o-the-line firewall there is. 

However, you do not buy a Jaguar to pull a horse trailer around a cattle
ranch in the winter time.

Yes, I know a while back we were able to come up with a ISA box at a penny
under $2K, but that was a basic model.

John Tolmachoff
eServices For You

Other related posts: