Re: Hardware Firewall vs Software Firewall

From: Phil Kramer (pkramer@2st.net)
Date: 10/01/01


Message-ID: <019001c14ab2$90103560$0100a8c0@nash1.tn.home.com>
From: "Phil Kramer" <pkramer@2st.net>
To: "Mickey S. Olsberg" <molsberg@hotmail.com>, <security-basics@securityfocus.com>
Subject: Re: Hardware Firewall vs Software Firewall
Date: Mon, 1 Oct 2001 14:52:09 -0500

Mickey,

You're exactly right about that as well.

If you understand the risk, implement and secure to minimize your
vulnerability, then all is good.

What I mean by that is if you've got 1000's of web servers and are using
"faster" non-proxying firewalls, then you need to understand that those web
servers may get exploited in the future, even the proxied ones might. If
these web servers do not contain anything but your public information and
you implement and secure with this in mind then you are limiting your
exposure to the risk. A product like Tripwire could tell you if anything
changed. If you get hacked what's the worst thing that could happen? A
defacement. No credit card numbers, social security numbers, account numbers,
salaries, customer information, nothing needs to be out there.

In addition, I could still use a more secure firewall between my enterprise
and this service network. Especially if the web servers are coming inside
to gather information to send back outside.

Phil
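
[Added example, not part of the thread above: Phil's point is that a static public web server carries nothing worth stealing, so the residual risk is a defacement, and a tool like Tripwire will tell you when one happens. The script below re-implements the core of that idea (baseline the web root, later compare it) with only the Python standard library. Tripwire itself also signs its database and tracks more attributes; the web root, file names and "defacement" here are constructed in a temporary directory so the example runs offline.]

```python
"""Minimal Tripwire-style integrity check for a static web root.

Added example, not from the original thread. It baselines every regular
file under a directory (SHA-256, size, mode), stores the baseline as JSON
and reports added / removed / modified files on the next run. The web root
and the simulated defacement in demo() are constructed inline.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Hash the contents and capture metadata a defacement usually disturbs."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def baseline(root: Path) -> dict:
    """Walk the web root and record every regular file, keyed by relative path."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # real tools record symlinks too; kept out of scope here
            db[p.relative_to(root).as_posix()] = file_record(p)
    return db


def compare(old: dict, new: dict) -> dict:
    """Return added, removed and modified paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(db: dict, dest: Path) -> None:
    # In production the baseline belongs off-box or on read-only media: whoever
    # can rewrite the web root can just as easily rewrite a baseline stored beside it.
    dest.write_text(json.dumps(db, sort_keys=True, indent=1))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Build a throwaway web root, baseline it, 'deface' it, and report the delta."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"            # constructed web root
        (root / "img").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Public site</h1>\n")
        (root / "img" / "logo.txt").write_text("logo placeholder\n")
        db_path = Path(tmp) / "baseline.json"
        save_baseline(baseline(root), db_path)

        # Simulated defacement: index replaced, a file dropped, a file deleted.
        (root / "index.html").write_text("<h1>0wned</h1>\n")
        (root / "shell.txt").write_text("dropped file\n")
        (root / "img" / "logo.txt").unlink()

        return compare(load_baseline(db_path), baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison is only as trustworthy as the stored baseline, which is why the save function's comment matters more than the hashing: run the check from a host the web server cannot write to, and re-baseline only after a deliberate deployment.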

----- Original Message -----
From: "Mickey S. Olsberg" <molsberg@hotmail.com>
To: "'Phil Kramer'" <pkramer@2st.net>; <security-basics@securityfocus.com>
Sent: Monday, October 01, 2001 2:01 PM
Subject: RE: Hardware Firewall vs Software Firewall

> I agree wholeheartedly with Phil's opinion, but would add one note. The
> only case in my opinion which justifies the speed over security is
> very high-bandwidth applications, such as a certain place I know that
> contains 36,000 nodes behind its firewalls. Still, you must weigh the
> need for security against the need for speed, and security should
> *always* win.
>
> Mickey
>
> -----Original Message-----
> From: Phil Kramer [mailto:pkramer@2st.net]
> Sent: Friday, September 28, 2001 8:23 PM
> To: security-basics@securityfocus.com
> Subject: Re: Hardware Firewall vs Software Firewall
>
>
> My personal opinion is not hardware vs software, but what firewall is
> most secure. You can talk about PIX, CheckPoint, Linux with IPtables,
> IPchains and IPfilters but from a security point of view a pure
> application proxy is more secure. How many people can notice a 20 ms
> pause? If you want speed get a router with ACLs, that's what PIX is.
> All these stateful inspection/packet filter technologies work at too low
> a level (layers 2-4) to provide enterprise security. For web servers,
> mail servers etc. you need layer 7 checking.
>
> Phil Kramer, SANS GSEC
> Systems Solutions Technologies, LLC
> Phone: 615-646-5766
> email: pkramer@2st.net
>
>
>
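
[Added example, not part of the thread above: Phil's original message argues that a packet filter working at layers 2-4 cannot give "layer 7 checking" for web servers, which is what an application proxy does. The Python below puts the two side by side on the same constructed packets: packet_filter() decides on address and port only, as a router ACL or PIX rule would; proxy_check() reconstructs the HTTP request and enforces protocol policy (allowed methods, request-line length, request target, header shape). The server address, rules and sample requests are all assumptions made up for the example.]

```python
"""Packet filter (layers 3-4) versus application proxy (layer 7) on the same traffic.

Added example, not from the original thread. Both "firewalls" are toy
functions over constructed packets. The packet filter only ever sees the
destination address and port; the proxy parses the HTTP request before
deciding whether it should ever reach the web server.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


WEB_SERVER = "192.0.2.10"      # constructed address from the documentation range
ALLOWED_METHODS = {"GET", "HEAD"}  # a read-only public site needs nothing else
MAX_REQUEST_LINE = 2048


def packet_filter(pkt: Packet) -> bool:
    """Layer 3/4 rule, the equivalent of 'permit tcp any host 192.0.2.10 eq 80'."""
    return pkt.dst == WEB_SERVER and pkt.dport == 80


def proxy_check(pkt: Packet) -> tuple:
    """Layer 7 check: apply the port rule, then validate the HTTP request itself."""
    if not packet_filter(pkt):
        return False, "port/address rule"
    try:
        text = pkt.payload.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes where an HTTP request belongs"
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return False, "incomplete headers"
    lines = head.split("\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return False, "method %s not allowed" % method
    if not target.startswith("/") or ".." in target.split("/"):
        return False, "bad request target"
    for line in lines[1:]:
        if ":" not in line:
            return False, "malformed header"
    return True, "ok"


# Constructed sample traffic; every packet except the last passes the port rule.
SAMPLES = {
    "plain_get": Packet("198.51.100.7", WEB_SERVER, 80,
                        b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    "post_upload": Packet("198.51.100.7", WEB_SERVER, 80,
                          b"POST /upload HTTP/1.1\r\nHost: www.example\r\n\r\nx=1"),
    "traversal": Packet("198.51.100.7", WEB_SERVER, 80,
                        b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    "overlong": Packet("198.51.100.7", WEB_SERVER, 80,
                       b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n"),
    "binary": Packet("198.51.100.7", WEB_SERVER, 80, b"\x90\x90\xeb\x1f\x5e\x89\x76\x08"),
    "ssh_port": Packet("198.51.100.7", WEB_SERVER, 22, b"SSH-2.0-x\r\n"),
}


def evaluate() -> dict:
    """Map each sample to (packet filter verdict, proxy verdict)."""
    return {name: (packet_filter(p), proxy_check(p)[0]) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (l4, l7) in evaluate().items():
        print("%-12s filter=%-5s proxy=%-5s %s" % (name, l4, l7, proxy_check(SAMPLES[name])[1]))
```

Every sample except the one to port 22 is "allowed" by the packet filter, because port 80 is port 80 regardless of what is inside the segment; only the proxy distinguishes a plain GET from a POST, a traversal attempt, an oversized request line or raw machine code. That is the latency-for-visibility trade the original message describes.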