Re: [fw-wiz] Proverbial appliance vs software based firewall

From: Paul D. Robertson
Date: 10/16/02

From: "Paul D. Robertson"
To: Christopher Hicks
Date: Wed Oct 16 09:20:02 2002

On Wed, 16 Oct 2002, Christopher Hicks wrote:

> death importance, so I personally don't think the 'appliance' label
> applies to any firewall or security product in existence.

That battle has been lost...

> > What is not meaningless to security and function is kernel size,
> The size of the code of the whole firewall is important. People can
> easily make a tiny kernel (ding, a microkernel) and push all of the
> functionality out into modules. So, realistically you have to look at the
> entire code size to determine if they've made it adequately simple.
> Somebody should do a study of how simpler firewalls are less likely to
> break, but the vendors would be reticent to admit to their code size and
> it'd be hard to verify their answers if they were 'willing'.

Then again, another study of how folks who rewrite their own
implementations tend to recreate "solved" problems would be about as
interesting. While writing an OS that's designed to host the firewall
from the ground up isn't necessarily a bad thing, threading, memory
management, frag handling, packet ordering, NIC drivers, sequence number
handling and all the other stuff that needs doing is easy to make mistakes

If you need to suddenly process a bunch more users because of say, an
acquisition- you can't just move the software on an appliance to a larger
box (granted, most IP things scale better horizontally than vertically,
but some things tend to have to have vertical scale points if they're
rushed into.) If you're doing proxies, and you want to add a new "cool"
thing that's totally necessary to the business' moving forward, you're not
going to be able to do that on a non-general purpose OS very easily.

That doesn't mean "appliance" firewalls aren't really useful, but it does
mean that like everything else, there are trade-offs and that's why I
still think firewall selection is something that requires not limiting
oneself to any particular category (appliance, non-appliance, SOHO,
personal...) without significant analysis.

As Mikael pointed out, the appliance code doesn't have to necessarily run
on an appliance too, so the distinction may be arbitrary in some

Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
Director of Risk Assessment
TruSecure Corporation
