RE: Re(2): Hardware Firewall vs Software Firewall

From: Mickey S. Olsberg (molsberg@hotmail.com)
Date: 09/26/01


From: "Mickey S. Olsberg" <molsberg@hotmail.com>
To: "'TD - Sales International Holland B.V.'" <td@salesint.com>
Subject: RE: Re(2): Hardware Firewall vs Software Firewall
Date: Wed, 26 Sep 2001 12:20:21 -0700
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAg0HFAqtv1BGF0wBgCN6/I8KAAAAQAAAAGnx5SPUzS0e3qV8jGOO83wEAAAAA@hotmail.com>

Well... you're confusing things a bit.

TCP/IP does not have a "driver", it is a protocol which is bound to a
driver, the driver for the NIC. What you are referring to in your MCSE
studies is that TCP & UDP operate at approximately layer 4 of the OSI
model, the transport layer, and IP operates at layer 3, the network
layer. TCP/IP has its own layer model that does not match OSI
completely, but that is beside the point here. Even though the OS has
TCP/IP bound to a driver, it does not have direct control over it,
rather it depends on the driver and the installed protocol to
"communicate" with the lower layers. The Cisco IOS, and others like it,
do not have this dependency on drivers, instead being built to directly
control the hardware. This is why you could not take a Cisco IOS and
expect it to work on a Bay Networks router, and on the other side the
OS's are hardware independent (within the same architecture: Intel vs.
Sun vs. etc.).

You only have to recognize, getting back to the purpose of this thread,
that hardware is faster than software because it does not have to rely
on separate drivers to do the "talking" for it. This is why Apple
Computer was almost always able to say that their computers were faster,
because everything was proprietary and built-in to the OS. You never
heard of a 3com NIC for Macs with its own driver disk. This is part of
the reason why Apple would never have owned the World like Wintel does,
because you cannot just run out and buy upgrades from third parties.
Kind of like the mistakes that Compaq and IBM made in the early days...

Hope this clears things up a bit...

Mickey

-----Original Message-----
From: TD - Sales International Holland B.V. [mailto:td@salesint.com]
Sent: Wednesday, September 26, 2001 5:09 AM
To: Mickey S. Olsberg
Subject: Re: Re(2): Hardware Firewall vs Software Firewall

Thanks this already clarifies a lot. Some more questions though if you
don't mind :-)

You say the drivers operate the first 6 levels thus? Going to windows
which we probably all know you have the adapter driver and the TCP/IP
driver. Far as I know TCP/IP operates on a lower level than 7. If this
isn't true we're done :-) hehe, but if that is true it means that TCP/IP
driver can communicate with the driver on a lower OSI level right? If so
why wouldn't a firewall (which at least in the Linux case) which is kernel
based be able to communicate with the driver on a lower OSI level 7?
Maybe they just didn't explain OSI correctly on my MCSE course, but as far as
I knew (I'm not too sure now hehe) TCP/IP were the lower levels and
SMTP, HTTP and the like were 6 or 7 or so.... Maybe they just explained
too simplistic or something, then again, OSI can be pretty confusing if
it comes to the exact layers.

If I can find the time I'll just dig up the RFC's. Thanks again for the
info tho

Kind Regards,

Ferry van Steen

On Wednesday 26 September 2001 12:06, you wrote:
> If you study the RFCs on IP and OSI, you will see that the OS cannot
> act on anything below layer 7, only the drivers for the NICs can, and
> as such any software running on an OS cannot act on packets until they
> reach layer 7. The Cisco IOS is different, in that it interacts
> directly with the hardware, much like the Macintosh OS. Routers and
> Macs share the same reasons for being fast; they are much faster at
> dealing with because they are much more in control of the hardware.
> This is not to say that I am a proponent of either; I am not. I am
> only stating the facts. Any box running on *NIX, Windows, BeOS, or the
> like, relies on drivers to control the hardware, where the Cisco IOS
> or MacOS does not. This means that the Software OS's do not have
> direct control over the hardware, where the Cisco IOS does.
>
> It is widely accepted that MAC addresses can be passed up the stack so
> that the application layer can manipulate them. Look at products like
> NAI's Sniffer Pro for proof of that. It is clearly an application,
> although one that uses the promiscuous mode of the NIC's drivers, and
> it reports MAC's. Being able to block MAC's is not something that is
> restricted to hardware. The easiest way to explain the difference is
> that software OS's rely on drivers to control hardware, where hardware
> OS's such as Cisco's IOS control it on their own. This is a very
> high-level explanation, and as such open to lots of criticism, but I
> think everyone knows what I am trying to say!
>
> Routing from a software OS perspective, even on a *NIX box, is still
> done on layer 7. This is why (on a big pipe) a *NIX box is never as
> good as a true router, and why Cisco stock is still worth a lot of
> money. Not discounting the marketing gurus, Cisco would be out of
> business if LINUX could compete, but as we all know it cannot, in
> large applications at least. Everyone can argue that Cisco's IOS is
> software contained on a flash ROM, but I think we are all professional
> enough to know the difference I am referring to.
>
> No flame taken!
>
> Mickey
>
> -----Original Message-----
> From: TD - Sales International Holland B.V. [mailto:td@salesint.com]
> Sent: Wednesday, September 26, 2001 2:22 AM
> To: Mickey S. Olsberg
> Subject: Re: Re(2): Hardware Firewall vs Software Firewall
>
>
> Hey there,
>
> I find it very hard to believe that packets will travel all the way up
> to layer 7.... Do you have any info on that? I can block on MAC
> address n stuff with iptables, that doesn't look like layer 7 to me at
> all.... Besides that, my kernel has router options so why would it be
> a non-router OS? Please clarify.
>
> Just curious :-) no flame intended
>
> regards
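The thread above argues about which OSI layer a host firewall can act on (MAC filtering with iptables, TCP/UDP at layer 4, IP at layer 3). The following Python script is an added example, written for this archive page and not code from any of the thread's authors; it builds a constructed Ethernet II / IPv4 / TCP frame carrying a small HTTP request, parses it back into per-layer fields, and runs a toy filter that decides on the layer-2 source MAC and the layer-4 destination port without ever looking at the application payload. All MAC addresses, the IP addresses (documentation ranges), the deny and allow lists and the function names `build_frame`, `parse_frame` and `filter_verdict` are constructed for the example.

```python
import struct
from dataclasses import dataclass


@dataclass
class ParsedFrame:
    """Header fields grouped by the layer they are taken from."""
    dst_mac: str       # layer 2 (Ethernet header, bytes 0-5)
    src_mac: str       # layer 2 (Ethernet header, bytes 6-11)
    ethertype: int     # layer 2, identifies the next header (0x0800 = IPv4)
    src_ip: str        # layer 3 (IPv4 header)
    dst_ip: str        # layer 3 (IPv4 header)
    protocol: int      # layer 3, identifies the next header (6 = TCP)
    src_port: int      # layer 4 (TCP header)
    dst_port: int      # layer 4 (TCP header)
    payload: bytes     # everything above layer 4 (here: an HTTP request line)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum. Over a header whose checksum
    field is already filled in correctly, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Assemble Ethernet II + IPv4 + TCP around a payload (constructed test data)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", 0x0800))
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window,
    # checksum (left 0, not verified here), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> ParsedFrame:
    """Peel the headers off one layer at a time; reject truncated or corrupt input."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 is handled in this example")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("malformed IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or total_len < ihl + 20 or len(ip) < total_len:
        raise ValueError("not a complete TCP segment")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("malformed TCP header")
    return ParsedFrame(dst_mac, src_mac, ethertype,
                       ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                       ip[9], src_port, dst_port, tcp[data_off:])


DENIED_SRC_MACS = {"66:77:88:99:aa:bb"}   # constructed deny list
ALLOWED_TCP_PORTS = {80, 443}             # constructed allow list


def filter_verdict(frame: bytes):
    """Return (action, reason). Both decisions use only layer 2-4 header
    fields; the application payload is parsed but never consulted."""
    pf = parse_frame(frame)
    if pf.src_mac in DENIED_SRC_MACS:
        return "DROP", "layer 2: source MAC on deny list"
    if pf.dst_port not in ALLOWED_TCP_PORTS:
        return "DROP", "layer 4: destination TCP port not allowed"
    return "ACCEPT", "layer 2-4 checks passed; payload not inspected"


if __name__ == "__main__":
    req = b"GET / HTTP/1.0\r\n\r\n"  # constructed layer-7 payload
    for mac, port in [("66:77:88:99:aa:bb", 80), ("00:aa:bb:cc:dd:ee", 80), ("00:aa:bb:cc:dd:ee", 23)]:
        frame = build_frame(mac, "00:11:22:33:44:55", "192.0.2.10", "198.51.100.20", 40000, port, req)
        print(mac, port, filter_verdict(frame))
```

Running the script prints a DROP for the denied MAC, an ACCEPT for the unknown MAC on port 80 and a DROP for port 23; a single flipped bit in the IPv4 header makes `parse_frame` raise before any rule is evaluated, which is the same order of operations a kernel packet filter follows: header validation first, then matching on the fields of whichever layer the rule names.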
