From owner-freebsd-security Sat Oct 7 23: 8:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220])
    by hub.freebsd.org (Postfix) with ESMTP id 6C28C37B503
    for ; Sat, 7 Oct 2000 23:04:58 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=softweyr.com ident=Fools trust ident!)
    by homer.softweyr.com with esmtp (Exim 3.16 #1)
    id 13i9k6-0000Nt-00; Sun, 08 Oct 2000 00:15:27 -0600
Message-ID: <39E010FE.8CAA2CB1@softweyr.com>
Date: Sun, 08 Oct 2000 00:15:26 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; FreeBSD 4.1-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Gregory Sutter
Cc: Craig Cowen , "freebsd-security@FreeBSD.ORG"
Subject: Re: Check Point FW-1
References: <39DEBB51.E51BACFB@allmaui.com> <20001006230628.L23587@klapaucius.zer0.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Gregory Sutter wrote:
>
> On 2000-10-06 22:57 -0700, Craig Cowen wrote:
> > The big cheeses at work want to use check point instead of ipf or any
> > other open source solution.
> > Can anybody help me with vulnerabilities to this so that I can change
> > their minds?
>
> Go search the Bugtraq archives at http://www.securityfocus.com/ for
> lots of Checkpoint fun.

FW-1 sucks. Mumble mumble NDA mumble mumble can't say any more mumble
mumble mumble. "Oh God, and I thought these smelled bad on the outside."

There are several commercial firewall products based on FreeBSD (or,
shudder, Linux) that are better tools in the hands of someone who will
take them to educate themselves. A BSD box running ipfilter or ipfw is
very straightforward to secure, and offers reasonably easy tools for
remote configuration like ssh. Others have mentioned a couple of
commercial alternatives; add NetMax and GnatBox (right?) to this list.

Also, be sure to get a copy of my paper for BSDCon explaining why my
company decided to use BSD and ipfilter to build the firewall of the
future on. (Sorry, it's not a corporate firewall and is not suited for
your use.)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/