RE: Re(2): Hardware Firewall vs Software Firewall

From: Mickey S. Olsberg (molsberg@hotmail.com)
Date: 09/27/01


From: "Mickey S. Olsberg" <molsberg@hotmail.com>
To: "'TD - Sales Int'l Holland B.V.'" <td@salesint.com>, <SECURITY-BASICS@SECURITYFOCUS.COM>
Subject: RE: Re(2): Hardware Firewall vs Software Firewall
Date: Thu, 27 Sep 2001 10:53:44 -0700
Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAg0HFAqtv1BGF0wBgCN6/I8KAAAAQAAAAo+/OyHCrw0eNC5Fp9v0SfwEAAAAA@hotmail.com>

The core of your question doesn't involve whether the OS can touch
layers 3 & 4, but rather that it can control them via an ACL. That ACL
is a part of an application (remember that daemons are applications too,
for the most part) which must wait for the packet to come to layer 7
before it can act.

My reference to attacks at lower layers comes from the fact that there
are known hacks to keep a session from reaching layer 7. If this can be
done on a system which does not logically separate the IP stacks of
different interfaces, a hacker can potentially bypass any layer 7
protection mechanisms by "hopping" across a lower layer. I do not know
if any firewalls still have this vulnerability, but it would make sense
that if they did they would not be around for long.

I'm better at this when a white board is involved...

Cheers!
Mickey

-----Original Message-----
From: TD - Sales Int'l Holland B.V. [mailto:td@salesint.com]
Sent: Thursday, September 27, 2001 2:25 AM
To: Mickey S. Olsberg
Subject: Re: Re(2): Hardware Firewall vs Software Firewall

Yea that clears up a lot, however you didn't quite answer my question
:-) You said that the OS could only act on level 7 of OSI which would
leave 1 through 6 open for attacks, but the system can do TCP & IP which
are at levels 4 and 3 so why wouldn't the firewall be able to touch
those levels? My question was never about the speed, of course Cisco's
are a lot faster, their hardware was designed with only that in mind and
does nothing but that, it's a complete hardware (ok almost complete)
solution and dedicated to those tasks, it has a lot less pipelines it
needs to travel through plus it costs as much or more than a PC hehe it
better be faster :-)

Anyways thanks for the info

Kind regards,

Ferry van Steen

----- Original Message -----
From: "Mickey S. Olsberg" <molsberg@hotmail.com>
To: "'TD - Sales International Holland B.V.'" <td@salesint.com>
Cc: <SECURITY-BASICS@SECURITYFOCUS.COM>
Sent: Wednesday, September 26, 2001 9:20 PM
Subject: RE: Re(2): Hardware Firewall vs Software Firewall

> Well... you're confusing things a bit.
>
> TCP/IP does not have a "driver", it is a protocol which is bound to a
> driver, the driver for the NIC. What you are referring to in your MCSE
> studies is that TCP & UDP operate at approximately layer 4 of the OSI
> model, the transport layer, and IP operates at layer 3, the network
> layer. TCP/IP has its own layer model that does not match OSI
> completely, but that is beside the point here. Even though the OS has
> TCP/IP bound to a driver, it does not have direct control over it,
> rather it depends on the driver and the installed protocol to
> "communicate" with the lower layers. The Cisco IOS, and others like
> it, do not have this dependency on drivers, instead being built to
> directly control the hardware. This is why you could not take a Cisco
> IOS and expect it to work on a Bay Networks router, and on the other
> side the OS's are hardware independent (within the same architecture:
> Intel vs. Sun vs. etc.).
>
> You only have to recognize, getting back to the purpose of this
> thread, that hardware is faster than software because it does not have
> to rely on separate drivers to do the "talking" for it. This is why
> Apple Computer was almost always able to say that their computers were
> faster, because everything was proprietary and built-in to the OS. You
> never heard of a 3com NIC for Macs with its own driver disk. This is
> part of the reason why Apple would never have owned the World like
> Wintel does, because you cannot just run out and buy upgrades from
> third parties. Kind of like the mistakes that Compaq and IBM made in
> the early days...
>
> Hope this clears things up a bit...
>
> Mickey
>
> -----Original Message-----
> From: TD - Sales International Holland B.V. [mailto:td@salesint.com]
> Sent: Wednesday, September 26, 2001 5:09 AM
> To: Mickey S. Olsberg
> Subject: Re: Re(2): Hardware Firewall vs Software Firewall
>
>
> Thanks this already clarifies a lot. Some more questions though if you
> don't mind :-)
>
> You say the drivers operate the first 6 levels thus? Going to windows
> which we probably all know you have the adapter driver and the TCP/IP
> driver. Far as I know TCP/IP operates on a lower level than 7. If this
> isn't true we're done :-) hehe, but if that is true it means that
> TCP/IP driver can communicate with the driver on a lower OSI level
> right? If so why wouldn't a firewall (which at least in linux case)
> which is kernel based be able to communicate with the driver on a
> lower OSI level 7? Maybe they just didn't explain OSI correctly on my
> MCSE course, but far as I knew (I'm not too sure now hehe) TCP/IP were
> the lower levels and SMTP, HTTP and the like were 6 or 7 or so....
> Maybe they just explained too simplistic or something, then again, OSI
> can be pretty confusing if it comes to the exact layers.
>
> If I can find the time I'll just dig up the RFC's. Thanks again for
> the info tho
>
> Kind Regards,
>
> Ferry van Steen
>
>
> On Wednesday 26 September 2001 12:06, you wrote:
> > If you study the RFCs on IP and OSI, you will see that the OS cannot
> > act on anything below layer 7, only the drivers for the NICs can,
> > and as such any software running on an OS cannot act on packets
> > until they reach layer 7. The Cisco IOS is different, in that it interacts
> > directly with the hardware, much like the Macintosh OS. Routers and
> > Macs share the same reasons for being fast; they are much faster at
> > dealing with because they are much more in control of the hardware.
> > This is not to say that I am a proponent of either; I am not. I am
> > only stating the facts. Any box running on *NIX, Windows, BeOS, or
> > the like, relies on drivers to control the hardware, where the Cisco IOS
> > or MacOS does not. This means that the Software OS's do not have
> > direct control over the hardware, where the Cisco IOS does.
> >
> > It is widely accepted that MAC addresses can be passed up the stack
> > so that the application layer can manipulate them. Look at products
> > like NAI's Sniffer Pro for proof of that. It is clearly an
> > application, although one that uses the promiscuous mode of the
> > NIC's drivers, and it reports MAC's. Being able to block MAC's is
> > not something that is restricted to hardware. The easiest way to
> > explain the difference is that software OS's rely on drivers to
> > control hardware, where hardware
> > OS's such as Cisco's IOS control it on their own. This is a very
> > high-level explanation, and as such open to lots of criticism, but I
> > think everyone knows what I am trying to say!
> >
> > Routing from a software OS perspective, even on a *NIX box, is still
> > done on layer 7. This is why (on a big pipe) a *NIX box is never as
> > good as a true router, and why Cisco stock is still worth a lot of
> > money. Not discounting the marketing gurus, Cisco would be out of
> > business if LINUX could compete, but as we all know it cannot, in
> > large applications at least. Everyone can argue that Cisco's IOS is
> > software contained on a flash ROM, but I think we are all
> > professional enough to know the difference I am referring to.
> >
> > No flame taken!
> >
> > Mickey
> >
> > -----Original Message-----
> > From: TD - Sales International Holland B.V. [mailto:td@salesint.com]
> > Sent: Wednesday, September 26, 2001 2:22 AM
> > To: Mickey S. Olsberg
> > Subject: Re: Re(2): Hardware Firewall vs Software Firewall
> >
> >
> > Hey there,
> >
> > I find it very hard to believe that packets will travel all the way
> > up to layer 7.... Do you have any info on that? I can block on MAC
> > address n stuff with iptables, that doesn't look like layer 7 to me
> > at all.... Besides that, my kernel has router options so why would it
> > be a non-router OS? Please clarify.
> >
> > Just curious :-) no flame intended
> >
> > regards
>
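As an added illustration of what a header-based packet filter actually decides on, which is the crux of the layer argument in this thread: a minimal filter written for this archive page, not code from the list or from any poster, that decodes only the Ethernet, IPv4 and TCP headers of a frame (MAC, IP address, port) and runs a first-match ACL over those fields, never reading the payload. The MAC addresses, IP addresses and ACL rules are constructed test values; the header layouts follow the standard Ethernet II, IPv4 and TCP wire formats.

```python
"""Layer 2-4 packet filter sketch (added example, not code from the thread)."""
import ipaddress
import struct

ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6

# Constructed policy: one layer-2 rule, two layer-3/4 rules, implicit default deny.
ACL = [
    ("DROP", {"src_mac": "02:00:00:00:00:ba"}),                      # banned NIC
    ("ACCEPT", {"dst_ip": "192.0.2.10", "dst_port": 80}),           # web to one host
    ("ACCEPT", {"src_ip": "192.0.2.1", "dst_ip": "192.0.2.10", "dst_port": 22}),
]

def parse_headers(frame: bytes) -> dict:
    """Decode only the Ethernet, IPv4 and TCP headers; the payload is never read."""
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    f = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return f                       # non-IP frame: only layer 2 fields exist
    ihl = (frame[14] & 0x0F) * 4       # IPv4 header length in bytes, options included
    src_ip, dst_ip = struct.unpack_from("!4s4s", frame, 14 + 12)
    f.update(proto=frame[14 + 9], src_ip=str(ipaddress.IPv4Address(src_ip)),
             dst_ip=str(ipaddress.IPv4Address(dst_ip)))
    if f["proto"] == PROTO_TCP:
        f["src_port"], f["dst_port"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return f

def evaluate(acl: list, fields: dict, default: str = "DROP") -> str:
    """First-match ACL: a rule is (verdict, {field: value}); a field the frame
    lacks (e.g. dst_port on a non-TCP packet) never matches."""
    for verdict, match in acl:
        if all(fields.get(k) == v for k, v in match.items()):
            return verdict
    return default

def verdict(frame: bytes) -> str:
    return evaluate(ACL, parse_headers(frame))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed test frame: Ethernet II + 20-byte IPv4 + 20-byte TCP SYN.
    Checksums are left zero; a real stack or NIC would fill them in."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload

if __name__ == "__main__":
    web = build_frame("02:00:00:00:00:01", "02:00:00:00:00:ff", "198.51.100.7", "192.0.2.10", 40000, 80)
    print(verdict(web), verdict(build_frame("02:00:00:00:00:ba", "02:00:00:00:00:ff", "198.51.100.7", "192.0.2.10", 40000, 80)))
```

Every decision above is taken from the first 54 bytes of the frame; whether the payload is an HTTP request or empty does not change the verdict.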


