Re: [fw-wiz] Proverbial appliance vs software based firewall

From: Marcus J. Ranum (mjr@ranum.com)
Date: 10/26/02


To: "Paul D. Robertson" <proberts@patriot.net>, Christopher Hicks <chicks@chicks.net>
From: "Marcus J. Ranum" <mjr@ranum.com>
Date: Sat Oct 26 19:39:21 2002

Paul D. Robertson wrote:
>> death importance, so I personally don't think the 'appliance' label
>> applies to any firewall or security product in existence.
>
>That battle has been lost...

What people don't seem to understand is that "appliance" is
a _PACKAGING_ concept. It's got nothing to do with anything
else. It doesn't say anything about the quality, security,
or maintainability of the software/hardware mix inside the
device. Those are separate questions that are very important
to ask. ;)

"Hardened" is the other one that makes me want to puke. Most
vendors call something "hardened" if they've disabled all
the guest accounts in /etc/passwd on a copy of FreeBSD. Now,
where I come from, "hardened" means that it has a security
design that makes a strong case for how the system is not
trivial to penetrate, and that it has the absolute minimum
of stuff necessary to do the job. That doesn't mean deleting
the compilers and X-windows apps - that means starting with
a kernel, a static-linked copy of fsck and init and building
upwards from there.

mjr.

---
Marcus J. Ranum				http://www.ranum.com
Computer and Communications Security	mjr@ranum.com

