Comments on: Google and Firewalls, round one

By: Steve Cassidy

Steve Cassidy — Wed, 07 Oct 2009 13:58:31 +0000

For the purposes of this conversation, IPCop and Smoothwall and Monowall are indistinguishable from a hardware firewall, because they are a single-purpose ‘box’ which happens to live on a PC hardware platfrom. Even when virtualised, they still have only one purpose. I guess the most remarkable difference is that they are eaily obtained by crackers for attack attempts in peace and quiet, whereas a hardware box is less easily obtainable.

By: Nick

Nick — Wed, 07 Oct 2009 13:53:10 +0000

What makes a hardware firewall different from a “software” firewall? For example a WatchGuard is running a custom software build, as is the SonicWall.

Are they any better (and in which ways) than a completely software firewall such as IP Cop?

By: Steve Cassidy

Steve Cassidy — Mon, 05 Oct 2009 17:12:09 +0000

Interesting! My experiences are the reverse of yours, almost. I find WGs just run, pretty much forever, and I hugely prefer their config upload architecture in the bigger boxes. Sonics run for a long time, but there comes a point where they start not quite doing what the web interface says they are doing…

By: Gavin Moorhouse

Gavin Moorhouse — Mon, 05 Oct 2009 16:22:56 +0000

I find ISA a robust, but highly complicated product.

Sonicwall and Draytek are both superb, they just work and do what they are told without any fuss.

However I find WatchGuards to be unreliable as they always need rebooting for no reason. I’m talking about the Edge series in particular.

By: Steve Cassidy

Steve Cassidy — Mon, 05 Oct 2009 14:34:07 +0000

AD integrated logging isn’t really that necessary in small networks – IP address based logging covers most of the bases, and Draytek et al have Syslog for that level of detail.

I don’t like routers doing the firewall job because it blurs their role, and because they have fairly primitive operating systems. I think it’s much better to buy into something that has shrunk down from the rocket-science world, rather than something that is trying to be just 10% smarter than a modem. Besides, as I have pointed out in a recent column, my last dedicated hardware firewall that saved my bacon, I bought on ebay. For £6…

By: Mike Clarkson

Mike Clarkson — Mon, 05 Oct 2009 13:57:35 +0000

Thanks for your reply. I guess the last piece in the jigsaw would be why you don’t seem to like a NAT router doing that job? (with the emphasis on *small* businessess). For what it’s worth, I’ve had good experience of ISA – where it wins quite well is its web and server publishing rules – it’s good and easy for handling e.g. multiple internal sites on one server. And for logging integrated with AD – I guess Draytek et al do that, but not sure?

By: Steve Cassidy

Steve Cassidy — Mon, 05 Oct 2009 13:09:25 +0000

MS ISA is a funny one. On the one hand, they are extremely clear that it’s exceptionally secure: on the other hand, I think that the places which deploy it are Goldilocks configurations – it has to be *just right* and the things that can make it wrong, are nothing to do with the tech merit of ISA.

My strongest reason for hardware firewalls (as distinct from ISA) is that I don’t want to reboot the server with 10 other jobs to do, just to implement a firewall feature change. With a Watchguard, Sonicwall or Draytek, I can alter those settings and none of the workers have any idea it’s happened.

But you are right – there could be a proper article in this!

By: Mike Clarkson

Mike Clarkson — Mon, 05 Oct 2009 12:55:40 +0000

Maybe I’ve missed an article on why hardware firewalls are so necessary? (and what you mean by firewall…). And I wonder where MS ISA fits in, in your view?

On the Google Calendar issue, I’ve not seen anything you describe – I’m using the Calendar feature of Gmail (not signed up to Google Apps or anything posh like that), and can see an Import calendar from file feature – does it only start hunting after you use that?