RE: [fw-wiz] Proverbial appliance vs software based firewall

From: Marcus J. Ranum
Date: 10/26/02

To: "Jared Valentine"
From: "Marcus J. Ranum"
Date: Sat Oct 26 19:39:58 2002

Jared Valentine wrote:
>John Pescatore (VP @ Gartner) wrote a good report/article on just this
>subject. "Software security is soft security: Hardware is required."

What constantly boggles my mind is that anyone takes
Gartner's pronouncements on security seriously... They're
so ignorant they have no idea how ignorant they are.
You've got to understand that most of the input into
Gartner is from briefings arranged by the marketing
departments of companies that are paying them to listen
to their briefings. Basically, Gartner sits at the apex of
the hype food-chain; they consume pure hype and produce
little sh&t-pellets of hype that are as dense as neutronium.
Remember, these are the guys who get all excited and
talk about revolutionary new technologies like "intrusion
prevention" without realizing that it's just a buzz-word
for stuff that has been around for ages. They're idiots.

>"Throwing more security software at a security problem that is caused by the
>essentially insecure nature of software is like going to a blind barber - it
>can only end badly and, more likely than not, bloodily."

Cute turn of phrase but what's he really saying?

He's saying he doesn't know what software is. And he probably
doesn't know what hardware is either. He appears to think that
buggy code only exists on hard disks, and doesn't realize that
buggy code can also get compiled down into FPGAs or StrongARM
processors or coprocessors or whatever.

>While it is correct that all security comes down to "software" at some
>point, I would argue that hardware is much more secure. The difference
>between the two is that the hardware manufacturer can build off of a trusted
>base/OS. They can look at the OS line by line and strip out everything not
>essential for the operating of that firewall.

Go stand in the corner with Pescatore. ;)

The difference between the two is that usually, memory-space in
hardware devices is _expensive_ and manufacturers don't want to
run bloat-ware like UNIX kernels in it. So they use smaller
kernels like VxWorks or QNX or whatever. But there's a kernel
(that's "software", see?) running down in there, you betcha.
Do they look at the OS line by line? Hell no. Do they strip out
security flaws? Hell no. If they're using QNX or VxWorks, they
are using an OS that was designed to run in tight real-estate
and consequently was made modular so that you don't automatically
get a lot of stuff you don't NEED. This is unlike UNIX or Windows
or (worse) Linux - where the kitchen sink is not only included,
but it's bolted to the wall - and when you take the sink out
because you didn't need it, the wall falls over. In other
words, those realtime operating environments are "secure"
BY ACCIDENT in the cases where they are, in fact, secure.
They also appear to be more secure because they're obscure and
weird and hackers generally don't waste the time attacking
them because there's not much to do with them once you've gotten
into them. But any security that happens in these cases is because
the operating environment (that's "software" that "boots" on
the "embedded processor" often from read-only memory or flash
so it can be upgraded)

But it's _ALL_ software.

Basically, what's going on here is that having a "hardware"
"appliance" lets people sweep upgrade problems under the rug
and pretend that they don't need to worry about it. Think of
it this way - when you buy a firewall that's got its firewalling
logic blown into ROM, are you REALLY happy with that? What if
some new attack comes out that the firewall doesn't protect
you against? OOPS! Well, you'll upgrade it, if you're smart.
But it'll be a software upgrade. Code, written in C, just like
all the other firewalls.

Marcus J. Ranum
Computer and Communications Security