Re: [fw-wiz] Proverbial appliance vs software based firewall

From: Christopher Hicks (
Date: 10/16/02

From: Christopher Hicks <>
To:, "Ryan M. Ferris" <>
Date: Wed Oct 16 08:02:49 2002

On Tue, 15 Oct 2002, Ryan M. Ferris wrote:

> I agree "Appliance" is a meaningless term - I've worked on three
> different appliances each with a different version of a different
> customized monolithic kernel OS (W2K SAK, RH Linux 7.0, OpenBSD).
> Someone could ship you embedded NT in a toaster oven and call it secure.

To me personally an appliance is something that would be developed using
real time techniques. My experience with real time comes from being
involved with some industrial controls projects a few years ago. For
those guys there's a clear life&death corrolation to getting it right.
Failsafes are built-in. Testing was impressively thorough. I doubt any
firewall vendors look at things as if their reliability is of life and
death importance, so I personally don't think the 'appliance' label
applies to any firewall or security product in existance.

> What is not meaningless to security and function is kernel size,

The size of the code of the whole firewall is important. People can
easily make a tiny kernel (ding, a microkernel) and push all of the
functionality out into modules. So, realistically you have to look at the
entire code size to determine if they've made it adequately simple.
Somebody should do a study of how simpler firewalls are less likely to
break, but the vendors would be reticent to admit to their code size and
it'd be hard to verify their answers if they were 'willing'.

> Gigabit throughput is still best achieved by a switched bus architecture
> and custom ASICS or other real-time micro-kernel OS. The shared bus
> archictecture of even the fastest PCS and gigabit NICs will never be a
> match for dedicated hardware in processing traffic.

Bull. I heard the same things about 10M and 100M. PC's will catch up.

> You are an NSA Analyst, monitoring traffic from multiple backbones that
> has be "muxed" or results from the parallel mirroring, spanning of many
> WDM optical switches - i.e. terabit amounts of information flow. The
> distributed systems needed to process such traffic on PC based sytems
> would be immense in number. You would probably opt for hardware based
> solutions as they would be more easily centralized.

Bah. Look at all the linux-based supercomputers based on myranet and
such. If you're doing communications analysis your biggest need is GOBS
of CPU power. If you're starting with a fixed number of dollars, you're
going to get more CPU sooner with the latest off-the-shelf hardware than
playing with ASIC's. Of course if you're the NSA you might augment those
systems with custom cards that do specialized processing, but that card is
still more likely to be a PCI card going into a PC motherboard than a
custom bus on a custom computer.

> Obviously, the question becomes more confusing when you start putting $
> 16K NICS with their own OS and memory into a PC.

Don't you think if there's a market for $16k NIC's that someone will
realize there's a much bigger market for $10k NIC's? And so on. ASIC's
are beautiful, but for most people they're beyond affordability.
Commodity hardware will show up to fill the need for the rest of us before

The truth is rarely pure, and never simple.
	-Oscar Wilde, writer (1854-1900)

Relevant Pages