Re: [fw-wiz] Proverbial appliance vs software based firewall

From: Ryan M. Ferris (rferris@rmfdevelopment.com)
Date: 10/15/02


From: "Ryan M. Ferris" <rferris@rmfdevelopment.com>
To: "Gary Flynn" <flynngn@jmu.edu>, <firewall-wizards@honor.icsalabs.com>
Date: Tue Oct 15 15:12:32 2002

I think what is missing here from this discussion is a more serious debate
on the inherent security differences between monolithic kernels and
micro-kernels. Or perhaps real-time versus non-real time OS.

I agree "Appliance" is a meaningless term - I've worked on three different
appliances each with a different version of a different customized
monolithic kernel OS (W2K SAK, RH Linux 7.0, OpenBSD). Someone could ship
you embedded NT in a toaster oven and call it secure.

What is not meaningless to security and function is kernel size,
functionality, hardware access levels. Gigabit throughput is still best
achieved by a switched bus architecture and custom ASICs or other real-time
micro-kernel OS. The shared bus architecture of even the fastest PCs and
gigabit NICs will never be a match for dedicated hardware in processing
traffic. There are many security applications where monolithic kernels
/non-real time OS will just not be appropriate: You can tick them off in a
big list but imagine some critical scenarios:

You are an NSA Analyst, monitoring traffic from multiple backbones that has
been "muxed" or results from the parallel mirroring, spanning of many WDM
optical switches - i.e. terabit amounts of information flow. The distributed
systems needed to process such traffic on PC based systems would be immense
in number. You would probably opt for hardware based solutions as they would
be more easily centralized.

You are a major corporation (50K computer users) that wants a single or
minimum access points for all proxied or firewalled traffic. How could you
use a PC based firewall for this purpose without using many firewalls?

Part of your security requirement is the ability to handle multiple flooding
type attacks (i.e. DOS, RDOS, DDOS, etc) with low risk of reboot or network
congestion. What you opt for is gigabit switch architecture in your firewall
not a shared bus PC architecture because you don't believe a Gigabit NIC on
a shared bus architecture can outperform an ASIC.

Obviously, the question becomes more confusing when you start putting $16K
NICs with their own OS and memory into a PC.

Ryan M. Ferris
rferris@rmfdevelopment.com

----- Original Message -----
From: "Gary Flynn" <flynngn@jmu.edu>
To: <firewall-wizards@honor.icsalabs.com>
Sent: Tuesday, October 15, 2002 9:27 AM
Subject: Re: [fw-wiz] Proverbial appliance vs software based firewall

> Anton Aylward wrote:
> >
> > On Tue, 2002-10-15 at 00:26, Jared Valentine wrote:
> > >
> > > While it is correct that all security comes down to "software" at some
> > > point, I would argue that hardware is much more secure. The difference
> > > between the two is that the hardware manufacturer can build off of a trusted
> > > base/OS. They can look at the OS line by line and strip out everything not
> > > essential for the operating of that firewall.
>
> So could some customers and they could do it with their specific
> needs in mind.
>
> > I think that you "DON'T GET" Marcus's comment.
> > Hardware in this sense is still software - embedded systems.
> > Nothing in the Gartner paper contradicts that.
>
> Another way of looking at it is the difference between software
> installed and configured by the vendor vs software installed
> and configured by the customer...or maybe even proprietary vs
> open source (sorry, couldn't resist).
>
> The effectiveness probably depends on the needs and capabilities
> of the target market. I'm sure NSA would like the opportunity
> to inspect and tune their own kernel and OS configuration while
> a small company consisting mostly of web developers would rather
> leave that chore to the vendor (and therefore trust them with
> their security).
>
> One could make similar arguments either way for "appliance" web
> servers, mail servers, or other turn-key systems.
>
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
>
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/runsafe


