RE: [fw-wiz] Multiple firewalls from different manufacturers

From: Paul D. Robertson (
Date: 01/28/05

  • Next message: Behm, Jeffrey L.: "RE: [fw-wiz] Multiple firewalls from different manufacturers"
    To: Eugene Kuznetsov <>
    Date: Fri, 28 Jan 2005 15:56:13 -0500 (EST)

    On Fri, 28 Jan 2005, Eugene Kuznetsov wrote:

    > Hmm, this is pretty interesting, because it's contrary to what I hear
    > elsewhere. Could you talk about why you would rather get software instead of

    That's because most people make purchasing decisions based on market
    "trends": the IT field is the example of "if everyone else jumped off a
    cliff" turning an industry into lemmings.

    > a sealed appliance -- ignoring, for the time being, the cases where the
    > appliance includes hardware acceleration for some aspects of security
    > processing. Is it perceived cost? Desire to reuse old hardware? Even for
    > Checkpoint, over 50% of the business is appliance-based, maybe more now.

    1. Lack of vendor lock-in for hardware.

    Wait until a NIC fails on your appliance at 8PM Friday before a 3-day

    2. Ease of rescaling to meet demand.

    Wait until your company buys a whole new division unannounced and plants
    them all behind your firewall.

    3. Lack of vendor lock-in for software.

    Wait until your vendor decides that some newfangled marketing thing is
    better for your enterprise than the old solid proxy you evaluated and made
    your purchasing decision on.

    > Now, granted, if what you're getting from the vendor is the dreaded "server
    > appliance" -- the same Dell 1U server with RedHat & some custom software
    > preinstalled -- it probably doesn't matter.

    It doesn't matter. "Appliances" aren't special. They're still computers,
    they still have hardware, software and firmware. Since there's nothing
    magic about them, the current trend to get the snazzy looking, but
    impossible to upgrade box seems rather silly to me.

    As for "performance": for most companies, the additional "speed" doesn't
    matter, as the latency in the middle is going to get you anyway.
    Decreasing Web access time by two tenths of a millisecond through the
    firewall's buffer, just to have the packet sit in the upstream router's
    buffer, really isn't all that good. I did a series of tests at one place
    of employment to dispel the "proxies suck" myth, and the difference
    hardware acceleration makes to end-users is often so negligible that you
    can't quantify it at normal traffic patterns and loads.

    Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    firewall-wizards mailing list
