RE: [fw-wiz] Proverbial appliance vs software based firewall

From: Ofir Arkin (ofir@sys-security.com)
Date: 10/14/02


From: "Ofir Arkin" <ofir@sys-security.com>
To: <bmonkman@icsalabs.com>, <mjr@ranum.com>, <allan_malig@yahoo.com>, <firewall-wizards@icsalabs.com>
Date: Mon Oct 14 19:43:45 2002

Don't let the nice shiny box, the "unique and proprietary ASIC design"
(which is sometimes a PC in a 1U), the nice brochures and the special
price (just for you) fool you.

Usually, performance-wise, there is no difference at all.
Examining the Security of an "Appliance" versus a "Software" solution -
it all depends on the vendor.

Personally, I like the appliance approach better. MJR gave the reason
already :P

Yours,
Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of
bmonkman@icsalabs.com
Sent: Monday, October 14, 2002 7:34 PM
To: mjr@ranum.com; allan_malig@yahoo.com; firewall-wizards@icsalabs.com
Subject: RE: [fw-wiz] Proverbial appliance vs software based firewall

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- From a security point of view, that has been our experience at ICSA
Labs as well. There are plenty of reasons to consider an "appliance"
firewall over a "software based" firewall. But when it comes to
security, "appliance" firewalls do not have any advantage over
"software based" firewalls. There are plenty of vendors on both sides
that get it right. Just as there are vendors on both sides that get
it wrong.

And I won't get into the discussion on how to choose what is best for
you. One size definitely does not fit all. There are plenty of people
here much smarter than myself that have recently made excellent
suggestions on how to make that choice. A search of the Firewall
Wizards archive will help.

Best regards,

Brian Monkman
Firewall Programs Manager
ICSA Labs
1000 Bent Creek Blvd., Suite 200
Mechanicsburg PA 17050
Phone:717.790.8141 Fax:717.790.8170
www.icsalabs.com
PGP Key ID: 0x7E54D5CD

- -----Original Message-----
From: Marcus J. Ranum [mailto:mjr@ranum.com]
Sent: Monday, October 14, 2002 1:16 PM
To: Dominic Malig; firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Proverbial appliance vs software based firewall

Dominic Malig wrote:
>any updates on the
>proverbial firewall appliance vs software firewall
>'which is better' discussion (aside from the usuals re
>hardened OS, cost, etc.)

It amazes me that the topic comes up at all!!! :)

Inside every "appliance" is an operating system. Inside
every ASIC or "embedded processor" is software. There's
really no difference other than the packaging. I like
the "appliance" approach because it lets the vendor
guarantee a compatible and well-balanced hardware/software
solution. But it amazes me when someone says "well, it's
an appliance so it must be more secure/reliable/faster"
uh. no.

mjr.
- ---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjr@ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPasA3qMpP5h+VNXNEQLEQgCgzpFta9syKrOlZA4Y9dn5XOVQrlgAn13Q
Tltpsq6AfgdbjLjrA39Satgn
=G84s
-----END PGP SIGNATURE-----

***********************************************************************
This message is intended only for the use of the intended recipient and
may contain information that is PRIVILEGED and/or CONFIDENTIAL. If you
are not the intended recipient, you are hereby notified that any use,
dissemination, disclosure or copying of this communication is strictly
prohibited. If you have received this communication in error, please
destroy all copies of this message and its attachments and notify us
immediately.
***********************************************************************



