cipherdyne.org

Michael Rash, Security Researcher



iptables vs. Check Point Firewalls

In October 2003, I wrote an article entitled "Firewalls: Doing it Yourself" for Information Security Magazine. It looks like the original link to the article has been taken down, so I have mirrored it here for anyone who would like to read it. This article is now four years old, and needs to be updated to cover new features in firewalls provided both by the Linux community (iptables) and by Check Point Software Technologies. A few things stand out in my mind since writing the original article:
  • It appears as though Vyatta is providing an open source routing stack as a competitor to Cisco's products, and this is serious competition to the Zebra project mentioned in the article. Zebra is no longer actively developed; it has been reincarnated as the Quagga Routing Suite.
  • These days, application layer inspection in firewall products is much more important, as the number of application security vulnerabilities shows no sign of letting up, and high profile incidents of everything from phishing attacks and client-side exploits to identity theft continue to make the news. The iptables string match extension is a strong open source answer to providing application layer inspection for iptables firewalls.
  • Proprietary intrusion prevention systems (such as the Enterasys Dragon IDS/IPS - disclaimer: I work for Enterasys) are building in features that place more emphasis on filtering policies, a job that is typically done with a firewall or other filtering device that is designed to enforce policy.
  • The open source community has continued to make meteoric strides in the last four years, and purchasing support for open source software is now easier, with large corporate backers, than it was four years ago. Also, open source software is now much better understood by non-techies as infrastructure that can greatly assist just about any organization, and this applies to security software as well as more traditional software.