RE: [fw-wiz] Proverbial appliance vs software based firewall

Date: 10/15/02

Date: Tue Oct 15 11:47:34 2002

> -----Original Message-----
> From: Jared Valentine []
> Sent: Tuesday, October 15, 2002 12:27 AM
> To:
> Subject: RE: [fw-wiz] Proverbial appliance vs software based
> firewall

While I usually agree with Pescatore's opinions I do not this time.
He is making a number of presumptions that are in my opinion flawed.

> I especially liked the quote:
> "Throwing more security software at a security problem that is caused
> by the essentially insecure nature of software is like going to a
> blind barber - it can only end badly and, more likely than not,
> bloodily."

If a vendor does not make any effort to either:

1. Acquire OS source code and modify it to secure it;

2. Take steps to modify the stack to intercept connection requests
before they reach the application layer;

3. Document steps to follow to "harden" the OS; or

4. All of the above

then I agree with this statement. But to state that throwing a
software solution at a security problem is a bad idea misses the

> While it is correct that all security comes down to "software" at
> some point, I would argue that hardware is much more secure. The

The problem is not with the software - the problem is with the
design. As you have said, design problems are not limited to just
"software". When you get down to it - whether it is an "appliance" or
"software based" solution - both come to life as code written by a

> difference between the two is that the hardware manufacturer can
> build off of a trusted base/OS. They can look at the OS line by line
> and strip out everything not essential for the operating of that
> firewall.

There are ways to mitigate the risk inherent in running on top of
an OS. Sun Microsystems will provide their source code (or at least
most of it), the same with most of the other *nixes out there. With
respect to Windows there are a number of methods to secure the
environment - one I am familiar with is to replace the stack with a
stack you have control over. I do tend to agree with you that using
Windows introduces a level of difficulty where using other operating
systems does not. However, there are plenty of vendors that do an
excellent job of getting it right.

> A software firewall doesn't enjoy the same operating environment. It
> lies on top of an inherently insecure general purpose operating
> system (i.e., Windows), and therefore is subject to all of the
> vulnerabilities of that operating system.

True, but I have seen a number of "appliance" products that have had
similar problems.

> In recent weeks, bugbear has made the rounds. Bugbear was quite
> different than many viruses out there in that it disables software
> firewalls and antivirus software. I'm not recommending that anyone go
> without a software firewall or antivirus, but your best bet defense
> will be hardware if you wish to ultimately rely upon that solution.
> This hardware can be an external firewall appliance, or a PCI/PC Card
> firewall device located in the Server/Desktop/Laptop.
> With this in light, the future looks interesting with things like
> TCPA/Palladium. What if you could actually trust the operating
> system?!

I agree that using a "trusted OS" would not be a bad idea - but it
will only address part of the problem. In my opinion when you look at
a firewall - regardless of whether it is an "appliance" or a
"software based" product - you have to consider the whole system. You
need to consider what steps have been taken to address operating
system issues, how the policy engine and the stack handle all
types of connection attempts, how the firewall interfaces with
the operating system - just to name a few.

When we test a candidate firewall product we tell the vendor up front
that they are responsible for the whole product - meaning hardware,
software and underlying operating system. Our position is that a
vendor's choice of operating system should not affect the security of
the product. We will test for that and we will fail a product, and we
have, that is not secure - regardless of the root cause of the

Brian Monkman
Firewall Programs Manager
1000 Bent Creek Blvd., Suite 200
Mechanicsburg PA 17050
Phone: 717.790.8141 Fax: 717.790.8170
PGP Key ID: 0x7E54D5CD
