And the best firewall is...



  • Not sure if this is really WTF enough for a side bar but, hey, you gotta start somewhere:

    Whenever techs are asked to rank the best Product X of Category Y you always get a fierce debate and websites always like to publish surveys of that as a good way to draw visitors, right? So, here's a Readers Choice Survey about firewalls. Most people would expect to see Cisco, Juniper, and another handful of hardware devices in the top five and everyone would quibble about the advantages of each.

    Well, not this one:

    1. Microsoft Internet Security and Acceleration Server 2006
    2. Symantec Endpoint Protection
    3. Who cares... this survey must have been straight from the Microsoft marketing department

    ISA? WTF! A software firewall with diddly-squat for documentation is the winner? The only firewall where publishing an SSL website is a 45 minute, 80-click process is the "readers choice"? The readers of this website must be a little masochistic or something...



  • @Ex-Navy Dude said:

    A software firewall with diddly-squat for documentation is the winner?

    All firewalls are software firewalls.  "Hardware firewall" used to mean a dedicated, simple device but most modern hardware firewalls are complex affairs that are more prone to software bugs and most "software firewalls" run on beefy machines that have no trouble keeping up with load.

     

    That said, maybe the lack of documentation is a feature.  After all, if the bad guys take over your firewall you don't want it to be easy for them to figure out how it works. 



  • @morbiuswilters said:

    That said, maybe the lack of documentation is a feature.  After all, if the bad guys take over your firewall you don't want it to be easy for them to figure out how it works.

    Hey, let's do this with our database designs. If we design a weird enough database then we don't have to worry about SQL injection cause they won't know what to do if they get access! :)



  • It is obvious the OP has no idea what MS ISA server is or how it works. I think we can all just move on...



  • @fyjham said:

    @morbiuswilters said:

    That said, maybe the lack of documentation is a feature.  After all, if the bad guys take over your firewall you don't want it to be easy for them to figure out how it works.

    Hey, let's do this with our database designs. If we design a weird enough database then we don't have to worry about SQL injection cause they won't know what to do if they get access! :)


    Wait are you taking anything the resident troll says seriously? I think we can all safely assume morbiuswilters has no idea what security through obscurity even means...
    Just look at his lame troll posts.


  • Garbage Person

    Hardware firewall is the colloquial term for "box you shove into a rack" regardless of how much horsepower it has

    Software firewall is the colloquial term for "piece of shit software you install on the client"

    TRWTF is that Symantec Endpoint Protection, which from what I understand (from a distance) is clientside, is ranked against ISA, which lives on your... Windows Server router box (which I can see in crap SMB environments - router, DNS, DHCP, DC, fileserver, all in one box, typically backed up with hopes and prayers)



  •  @fyjham said:

    Hey, let's do this with our database designs. If we design a weird enough database then we don't have to worry about SQL injection cause they won't know what to do if they get access! :)

     

     

     In one company I was sold to I was responsible for moving an IBM iSeries machine to an offsite hosting facility where we had a private rack and a connection to the internet. The iSeries had been (and still was) administered over telnet and still had some default passwords (QSECOFR, anyone?) no one had bothered to change. The rack had been housing some Linux boxes I also maintained which had their firewalls tightened up so I hadn't seen the need to add a firewall in front of them. But telnet access, default passwords, egads. So I went to The Boss and asked if we shouldn't buy and install a firewall to protect the iSeries machine. He said that it isn't necessary, since even if someone would manage to log in, they wouldn't be able to figure out what to do with the thing!

    In the end sanity prevailed and a firewall was bought and installed and administration was then done over VPN. Not long afterwards I changed jobs...


     



  • @Farmer Brown said:

    It is obvious the OP has no idea what MS ISA server is or how it works. I think we can all just move on...

    I have put up with an ISA 2000, ISA 2004, and now ISA 2006 Enterprise (clusters, configuration store, the whole bit). I am normally the guy who has to come in and figure out how it works after the original guy has left so that might warp my perceptions a bit. However, I would take any other firewall, even a low end SonicWall, over ISA any day. Of course, I'd take a Juniper, WatchGuard, or Cisco over a SonicWall.




  • @Ex-Navy Dude said:

    I have put up with an ISA 2000, ISA 2004, and now ISA 2006 Enterprise

    I've worked with ISA 2004 for a short bit, I found the most infuriating aspect of it being the work window being eaten up by essentially useless frames (like HTML style ones), one being used just to display the logo. Apparently that's a new "feature" in ISA 2004, but I was wondering does it still exist in 2006?

    Never got to really play around with it though, apparently it can automatically configure firewall settings for clients, which is probably why it's high up on the list.



  •  Man, if you're going to list software firewalls, you could at least include some of the ones most people use, like iptables, or even pf.

     There's a LOT more people using iptables than most products on that list.  In fact, from my experience, there's more people unwittingly using iptables than there are people using whatever firewall Windows XP/Vista comes with.



  •  I know this is a non-WTF, but I haven't had a single problem with Commodore Pro, which is a free firewall.



  • That URL is at www.windowsecurity.com - which probably guarantees the selection bias you noticed.  I would expect many of the readers who responded have probably only used one of the listed products.  Further, most of the readers would probably answer the question even though they've only used one of the products listed, due to training on surveys that don't let you complete it if you haven't answered all of the questions.  (This could have even been such a survey.)



  • Hello everyone, before you start a jihad about the best firewall I'd like to remind you that this is a "reader's choice" survey. So the first in the list is there because it is the most popular which definitely doesn't mean it is the best or the worst just, well, most frequently used. Same as VB is the most popular programming language and Windows is the most popular OS.



  • @Ex-Navy Dude said:

    @Farmer Brown said:

    It is obvious the OP has no idea what MS ISA server is or how it works. I think we can all just move on...

    I have put up with an ISA 2000, ISA 2004, and now ISA 2006 Enterprise (clusters, configuration store, the whole bit). I am normally the guy who has to come in and figure out how it works after the original guy has left so that might warp my perceptions a bit. However, I would take any other firewall, even a low end SonicWall, over ISA any day. Of course, I'd take a Juniper, WatchGuard, or Cisco over a SonicWall.

    He's baiting you, just hoping to derail the thread with flaming.  Ignoring him will deprive him of that and is probably the best way to deal with the situation.



  • @Weng said:

    Hardware firewall is the colloquial term for "box you shove into a rack" regardless of how much horsepower it has

    Software firewall is the colloquial term for "piece of shit software you install on the client"

    I know this is how the terms are generally used, but it's not how they were being used here.  iptables, ipfilter or packet filter running on a desktop machine is very close to what runs on a Cisco "hardware firewall" but would you consider it a software firewall?  What about a dedicated Windows router box running ISA?  My point is that the terms are increasingly meaningless because a turnkey rackable firewall often runs the same software a client machine does and ISA also assists in blurring that line.  It seems people try to use "software firewall" as a put-down but that's a cop-out and in this day and age we need to start assessing firewalls based on where they are used, what features they provide and the reliability of those features.

