Security Hole found in NAI Firewall
Kevin Poulsen, SecurityFocus 2000-05-22

Censorware gaffe turns "World's Most Secure Firewall" into an open door.

Simplicity 2000-05-29
Anonymous
Many years ago I was responsible for the selection of Gauntlet as our corporate firewall solution. The basis for my selection was some previous experience with the TIS FWTK (Firewall Toolkit), TIS's philosophy of opening the source code to the security community for public scrutiny, but more than anything else it was their basic minimalist principles that simpler is better.

It seems that under NAI their focus has shifted somewhat from this to compete with other products that offer more features (like content filtering), features I prefer to have running on separate downstream systems. I fully appreciate the value of the features, but I prefer a layered approach that allows me to employ best-of-breed focussed solutions at each layer. Almost all of the costs associated with the solution are higher (multiple machines, admin costs, etc.), but as always it's balanced against the value of the intellectual property being protected. Years ago at a motorcycle safety course I took, the instructor was asked how much is appropriate to spend on a helmet. His response was "If you have a $50 head, get a $50 helmet. If you have a $250 head, get a $250 helmet". Good advice.

The firewall game alone is complex enough; I don't want a firewall that's a hi-tech bullet-proof glass door with fancy security features; I want a steel door with a big bar and a padlock.

Unfortunately, there don't seem to be many vendors out there that think this way anymore. The old FWTK on BSD is looking better and better.


Link to this comment: http://www.securityfocus.com/comments/articles/40/2053#2053







 

Copyright 2009, SecurityFocus