Re: [fw-wiz] Proverbial appliance vs software based firewall

From: Marcus J. Ranum (
Date: 10/26/02

To: "Paul D. Robertson" <>, Christopher Hicks <>
From: "Marcus J. Ranum" <>
Date: Sat Oct 26 19:39:21 2002

Paul D. Robertson wrote:
>> death importance, so I personally don't think the 'appliance' label
>> applies to any firewall or security product in existance.
>That battle has been lost...

What people don't seem to understand is that "appliance" is
a _PACKAGING_ concept. It's got nothing to do with anything
else. It doesn't say anything about the quality, security,
or maintainability of the software/hardware mix inside the
device. Those are separate questions that are very important
to ask. ;)

"Hardened" is the other one that makes me want to puke. Most
vendors call something "hardened" if they've disabled all
the guest accounts in /etc/passwd on a copy of FreeBSD. Now,
where I come from, "hardened" means that it has a security
design that makes a strong case for how the system is not
trivial to penetrate, and that it has the absolute minimum
of stuff necessary to do the job. That doesn't mean deleting
the compilers and X-windows apps - that means starting with
a kernel, a static-linked copy of fsck and init and building
upwards from there.


Marcus J. Ranum
Computer and Communications Security