commercial solutions

This is the first article in the mini-series of two articles about Firewall Builder.

Systems administrators have a choice of modern Open Source and commercial firewall platforms at their disposal. They could use netfilter/iptables on Linux, PF, ipfilter, ipfw on OpenBSD and FreeBSD, Cisco ASA (PIX) and other commercial solutions. All these are powerful implementations with rich feature set and good performance. Unfortunately, managing security policy manually with all of these remains non-trivial task for several reasons. Even though the configuration language can be complex and overwhelming with its multitude of features and options, this is not the most difficult problem in my opinion. Administrator who manages netfilter/iptables, PF or Cisco firewall all the time quickly becomes an expert in their platform of choice. To do the job right, they need to understand internal path of the packet inside Linux or BSD kernel and its interaction with different parts of packet filtering engine. Things get significantly more difficult in the installations using different OS and platforms where the administrator needs to switch from netfilter/iptables to PF to Cisco routers and ASA to implement coordinated changes across multiple devices. This is where making changes get complicated and probability of human error increases. Unfortunately typos and more significant errors in firewall or router access list configurations lead to either service downtime or security problems, both expensive in terms of damage and time required to fix.

{ 11 comments }