opensuse-security

Re: [suse-security] Firewalling - Checkpoint
  • From: Nix <suse@xxxxxxxxxxxxxxx>
  • Date: Mon, 11 Dec 2000 21:33:34 +1100

Yes, Checkpoint DOES exist for Linux, but it's a little unstable atm.
IMHO, if you are running a network of a size that requires Checkpoint
or Gauntlet, then the underlying OS is irrelevant.

My argument is that you should treat your firewall the same as your routers.
You don't run Windows OR Linux on your routers (don't bother mentioning LRP, I know
it exists, but face it, it's not used by BIG organisations) and therefore you
shouldn't bias yourself for your firewalls either. If you are going to run a
commercial firewall, with high throughput, then pick the one you (or your techs)
are trained on, and know how to work efficiently, and ask the vendor (and
associated mailing lists) which of the supported OSes is the fastest/most reliable,
and buy that.

I see too many companies in the course of my day job (as a security auditor/
consultant) who have an NT-only policy, so they run Gauntlet for NT (which
is atrocious) or FW-1 for NT (which is only marginally better) instead of the
much better option of them on Solaris or HP-UX/BSD.
Once again, if you are pumping enough data and have a complex enough network
that you require FW-1 or Gauntlet, you should be running a failover system like
stonebeat between a couple of quad processor sparcs, probably with two or
3 quad ethernet cards in them. When you build a system like this, you use
the best tools for the job, not "Linux cause I'm a linux nut" or "Windows
cause I'm a MS Monkey".
Reality is that Linux doesn't (yet) scale anywhere near as well as Solaris or
any of the other commercial "big" unices. NT isn't even in the picture.

By all means, if you run a small network, i.e., less than 10-15 live servers,
run linux, with something like TIS Firewall Toolkit (
or Juniper Firewall Toolkit from (which was just
open-sourced btw) but remember that these are NOT as full featured
and will not scale as well as the commercial ones.
Linux and open-source is getting there, but a firewall is a VERY specialised
thing, and if you have not seen a "real" firewall and are under the misapprehension
that they are similar to what
tells you to build, you would be ... a little from the truth.

Don't get me wrong, I think Linux is a GREAT OS, but if you want a big firewall,
you are going to run it on a sparc or a dedicated box like a PIX.
In either of those cases, why the hell would you want to put Linux on them?
Remember you do not EVER use a firewall as a client... So all the niceness
of linux is not important. It's simply how many packets can we inspect/drop/reject/
decrypt/rewrite/NAT without crashing/being compromised.

bah... obviously the last 8 hours I spent arguing with a mixed Linux/Mac/Windoze
network put me in a bad mood...


At 01:20 PM 8/12/2000 -0500, you wrote:
Hi Roman!

do you mean a commercial firewall solution? if so, you might have a look at

-- michael

Roman Ernst wrote on Friday, 08 December 2000:

> Does there already exist a solution like Checkpoint for Linux
> (stonebeat, failover, nice editing of rules,.......)
> Or is somebody working on such a solution???
> Roman Ernst