Re: [fw-wiz] Proverbial appliance vs software based firewall

From: Anton Aylward
Date: Tue Oct 15 15:12:18 2002

On Tue, 2002-10-15 at 12:27, Gary Flynn wrote:
> Another way of looking at it is the difference between software
> installed and configured by the vendor vs software installed
> and configured by the customer...or maybe even proprietary vs
> open source (sorry, couldn't resist).

Somewhat, yes.
In the case of my car, the dozen or so microprocessors that control the
engine, the brakes, the climate control and even the rear-view mirror
are completely embedded. They were designed by the vendor and
configured by the vendor and I have no control over the software. The
interface they present emulates the interface of the pre-computer
version: the pedals, the buttons on the dashboard. If I didn't "know"
there was a computer in there I wouldn't know.

But when it comes to things like firewall appliances and switching hub
appliances, we get sort of fuzzy. In one sense it is still installed
and configured by the vendor; it's not a general-purpose computer. Even
the firewall with the keyboard and screen (albeit via a web interface
perhaps) running on a hardened OS on a commodity PC chassis is like
that. It's no more a general-purpose application-level computer than the
computers in my car, even though they all have the same kind of chips made
by Intel.

With my car brakes, the only control I have is how hard I apply them.
You may argue that is not a configuration control. With my radio I have
more degrees of freedom, but I am still constrained by the set of
options that the vendor has designed into the "appliance" and the
software supporting them.

The GUI interface of something like FW-1 makes the constraints very
clear. Each "cell" has a limited number of allowable states. In that
sense, it's just my car radio writ big. "On/off"; one of a finite number
of numbers; one of a fixed set of allowable states.

Time was that such simple appliances as radios and pocket
calculators (I don't mean the programmable ones) had easy-to-access
bugs. I had one which had an alarm clock in it. Heck, all that
processing power was cheap, just chip real estate. But if you performed
a certain calculation, it reset the clock and sounded the alarm in such
a way that it could only be stopped by removing the battery.

The advantage that radios and calculators and watches have over cell
phones and firewalls is that they are much smaller state machines.

Even non-programmable state machines have bugs. The old M68000 was not
microprogrammed but had the wondrous "Stop and catch fire" instruction
that triggered a fault in its state machine. Let's face it, purely
mechanical appliances are clearly - sorry - state machines. The "good
software" we are calling "Object Oriented" is essentially stateful. But
that doesn't guarantee any degree of correctness. Some human thought up
the design in the first place, and humans are fallible.

But don't be fooled. Marcus was right. Under the hood it's still

