Re: Firewall for VMS / TRU64

From: DL Phillips (ka2doug_at_cs.commoc.sc)
Date: 05/28/03


Date: 28 May 2003 20:38:57 GMT

Carl Perkins wrote:
>"John E. Malmberg" <Malmberg@dskwld.zko.dec.compaq.hp> writes...
>}DL Phillips wrote:
>}>>Hoff Hoffman wrote:
>}>>
>}>>> The maintenance of a firewall is a large and specialized engineering
>}>>> project, and purpose-built dedicated (and commodity) firewall server
>}>>> appliance boxes provide a highly economical and effective solution
>}>
>}> I believe Mr. Hoffman's post said "appliance" firewalls. I take that to be
>}> something like the WatchGuard brand boxes (not a reseller, just a user) which
>}> you can buy on the low end for under US$400.00 for up to 10 client computers. I
>}> read his post to say that he did NOT recommend a software solution running on
>}> any general purpose system. Also, that such an effort would not likely be
>}> profitable.
>}
>}The low-end firewall appliances sell in the U.S. for $30.00 and up, and
>}typically have 4 10/100 taps, and the ability to do network translation
>}for up to 254 client computers.
>}
>}I may be wrong about this next statement because it has been a while
>}since I looked at prices for other than the home router market:
>}
>}There appears to be heavy competition in the firewall/router market
>}right now, and it does not appear that any general purpose operating
>}system would be an economical replacement for a dedicated router that
>}can handle the same load.
>}
>}Think of a firewall also as a circuit breaker. Any system can fall down
>}to a denial of service attack. Having a firewall handle the noise of
>}the network is much better than having your computer do so.
>}
>}-John
>}malmberg@dskwld.zko.dec.compaq.hp
>}Personal Opinion Only
>
>For home or small office use, such a thing might be good.
>
>For larger networks it is useless.
>
>Consider a network with over 25,000 devices on it that is connected
>to the outside world via a pair of OC-3 (155Mb/sec) lines. I think
>you'd find the firewall you describe to be, shall we say, inadequate.
>
>This is not unlike the TAMU network.
>
>Something is used for the higher end. At this point it is apparently
>Unix systems that are used for this. I'm pretty sure that this is
>what TAMU is using - a Unix system that is running, I think, custom
>software written here.
>
>--- Carl
>

I've lurked around here for enough years to believe you're not suggesting one
should run the primary firewall(s) on the same computer(s) running business-
critical apps, are you? Aren't you just saying that a low-end box won't always
do the job? Your example of a university network would certainly take high-end
appliances to handle the load. Universities and schools are a special case,
though, and usually have more available talent than available funds to address
this type of problem. Really, there's rather a limited commercial market at
that level, and though the list of potential customers isn't very long, there
is stiff competition for the business. Anyway, there are appliance solutions
available for any sized need. How much do you want to spend?

The difference between an "appliance" and a "general purpose" system, as you
know, is that the appliance is dedicated to one specific type of task.

At the appliance level, the best OS is the one that will do the job with the
least amount of overhead. So, if you could manage to take out all of the things
VMS has that you don't need to run a Firewall, then add in the things it
doesn't "come with" that you do need, what sort of competitively marketable
product would you end up with?

As well as the "Big" appliance firewalls, many of the decent "little"
appliances I've seen use some type of *nix, too. The thing about *nix is you
can whittle it down to just exactly what you need to run an appliance
application. Even if you could trim VMS down to the appliance level, you would
have thrown out most of its "advantages", you'd still have to pay the damned
license fees, it wouldn't run on an inexpensive "commodity" CPU and it would
cost more than its competition (whose products have been evolving while we've
been reinventing the wheel --- hmm, why does that sound familiar?)

Okay, the firewall box might run *nix, but I don't have to even know that
because it's an appliance and its job is to run the firewall software and that
is the deepest layer I *need* to worry about. Routing and VPN are natural
extensions to a firewall application, add little overhead to the lean and cheap
OS and many appliances come with those features, too.

Give me something that does the job it's meant to do, is reasonably priced,
easy to buy, logical to use and maintain and for all I care the box could be
running any CPU & OS as long as it'll handle my needs. It really doesn't
matter.

 DL Phillips
 
  It's the application. It's the application.
    It's the application. It's the application.
      It's the application. It's the application.
        It's the application. It's the application.
          It's the application. It's the application.

Note: the above is not a signature, it is an editorial statement and
may or may not appear on future postings assuming there are any.
