RE: Hardware Firewall vs Software Firewall

From: Dom Genzano (dom@stigroup.net)
Date: 10/02/01


From: "Dom Genzano" <dom@stigroup.net>
To: "d'Ambly, Jeff" <jdambly@monster.com>, <security-basics@securityfocus.com>
Subject: RE: Hardware Firewall vs Software Firewall
Date: Tue, 2 Oct 2001 15:19:23 -0400
Message-ID: <DKEHJCIFDPFCCDNEOOCLAEHMDCAA.dom@stigroup.net>

I agree with your statements below, however to get a router configured in
the same performance 'league' as a PIX with ACLs (and potentially the
firewall feature set to do stateful inspection), you need to get a fully
loaded 7200 VXR series (or equivalent from a vendor other than Cisco) which
will drive the price to the point where the PIX is more cost effective.

I don't know that the logging is much better or more intuitive on a PIX than
on a router ACL unless you're using the CSPM (Cisco Secure Policy Manager),
which doesn't change the information produced by the logging, but does make
it easier to analyze.

As far as the IDS code, are you referring to the IDS module available as an
add-on, or are you referring to the 'fixup protocol' feature for certain
applications? The IDS module available for the PIX is very limited compared
with the 'external' solutions offered by Cisco and others.

Regarding your last statement- the PIX uses security levels to identify what
is 'allowed' for default transmission. However, you have to specify the
address translation parameters for communication to take place from a
high-security interface to a low-security interface; you have to configure
the ingress ACL to deny access for defined translations. For transmission
from a low-security interface to a high-security interface you need to
specify permissions as well as define an ingress ACL to permit access for
defined translations. I'll concede that this is a little bit of a different
approach than most stateful-inspection firewalls, but when you get the hang
of it, it's actually a very effective way to make a firewall implementation
match your policy. (Keep in mind that these statements don't necessarily
apply to the 'legacy' configuration for the PIX which uses the "conduit"
statement to configure permissioning).

I didn't want to get too much into focus on the PIX- the point of my
previous reply was that focusing too much on going 'best-of-breed' on a
particular component of an enterprise security solution is a 'rookie
mistake'. Stick to the policy, go with a layered approach, and select
'appropriate' technology for each layer that meets the requirements stated
in the policy.

I don't jump into these discussions very often- I just saw this one going in
the wrong direction and was trying to help- I hope I have. My intention was
not to stir up a discussion on the details and opinions of any particular
platform.

Best Regards,
Dom Genzano
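The security-level behaviour described above, shown as an added PIX 6.x configuration fragment (this is an illustration written for this page, not configuration posted by any participant). The addresses (RFC 5737/1918 ranges), interface names and the DMZ web server are assumptions; the lines beginning with '!' are explanatory and not part of the configuration.

```cisco
! Interfaces and security levels. Traffic from a higher level to a lower level
! is allowed by default once a translation exists; lower to higher needs both
! a static translation and an ACL that explicitly permits it.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! High -> low: inside hosts cannot reach the outside (or the DMZ) until a
! translation is defined for them, even though the security levels allow it.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 203.0.113.20-203.0.113.30
global (outside) 1 203.0.113.31
global (dmz) 1 interface

! An ingress ACL on the inside interface replaces the default "allow" with the
! policy: once an access-group is bound, anything not permitted is dropped.
access-list inside_out deny tcp 10.0.0.0 255.255.255.0 any eq telnet
access-list inside_out permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list inside_out permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list inside_out permit udp 10.0.0.0 255.255.255.0 host 192.168.10.53 eq domain
access-group inside_out in interface inside

! Low -> high: publish a DMZ web server. The static translation alone opens
! nothing; the outside ACL must permit traffic to the translated (global) address.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Legacy equivalent of the two outside_in lines, using the older conduit
! syntax (destination first, then source); not needed when ACLs are used.
! conduit permit tcp host 203.0.113.10 eq www any
```

Note that PIX access-lists take ordinary subnet masks (255.255.255.0), not the wildcard masks an IOS router ACL uses, and that binding an access-group to an interface overrides the security-level default for that interface in both directions of the comparison: the inside_out list is what turns "everything from inside is allowed" into "only web, https and DMZ DNS are allowed".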

-----Original Message-----
From: d'Ambly, Jeff [mailto:jdambly@monster.com]
Sent: Tuesday, October 02, 2001 1:24 PM
To: 'Dom Genzano'; 'security-basics@securityfocus.com'
Subject: RE: Hardware Firewall vs Software Firewall

With the advent of turbo access-lists the performance is not degraded on a
router, when compared with a PIX. The main reason to use the PIX is the
logs. The PIX generates much better logs than the routers. It is easier to
track what is going on. Plus the PIX has some IDS code in it and does match
quite a few attacks. Also because of the way the PIX handles interfaces it
forces you to separate your subnets into different areas, and create trust
relationships.

-----Original Message-----
From: Dom Genzano [mailto:dom@stigroup.net]
Sent: Monday, October 01, 2001 4:35 PM
To: Phil Kramer; security-basics@securityfocus.com
Subject: RE: Hardware Firewall vs Software Firewall

Are you comparing a PIX firewall to a router with ACLs? Wow... not sure I
can even start to help you out there....

One thing I can clear up is that the way router memory and processing deals
with ACLs is very inefficient compared to how most stateful inspection
firewalls deal with their rule set; this is why the performance is 'generally'
much better.

Also, a proxy firewall, while inherently more secure, is not always all it's
cracked up to be. Theoretically, a proxy firewall has the advantage of
being able to recognize and determine 'legal' application calls, sequences,
etc; thereby disallowing inappropriate activity. However, most proxy
firewalls allow too much 'slack' in their application support because they
either can't implement the specific application parameters or purposely
don't because it's too difficult to pin down what is 'appropriate' in terms
of an application (this is the reason that most IDS systems report so many
false positives); performance comes into play as well in these tradeoffs.
Also, by virtue of being an 'application-based' system, many of these proxy
firewall systems are vulnerable themselves.

We have found, through real-world experience, that the best combination for
security and functionality is a stateful-inspection firewall system with the
appropriate IDS systems inside it and a properly configured perimeter router
implementation outside of it. Generally, we have found this to be the case,
but we have done some specific implementations of proxy technology where it
was appropriate to the specific application(s) being run.

Saying that "all these stateful inspection/packet filter technologies work
at too low a level" sounds like you may be missing the forest for the trees;
these technologies are often effectively deployed in comprehensive
multi-layer solutions for enterprise security.
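The "router with ACLs" approach that this exchange keeps returning to, as an added IOS example written for this page (not configuration from any participant). It puts the two things that get conflated side by side: a stateless extended ACL that approximates "return traffic" with the established keyword, and stateful inspection with CBAC from the IOS Firewall feature set, which the earlier message mentions only as "the firewall feature set". Addresses, interface names and the published web server are assumptions; the '!' lines are explanatory comments, and only the lines relevant to the comparison are shown.

```cisco
! (a) Stateless filtering. 'established' matches any TCP segment with ACK or
! RST set, regardless of whether a session exists: the router keeps no
! connection table, so a crafted ACK-flagged packet to an inside host passes.
! IOS ACLs use wildcard masks (0.0.0.255), not subnet masks as on a PIX.
ip access-list extended OUTSIDE_IN_STATELESS
 permit tcp any 10.0.0.0 0.0.0.255 established
 permit tcp any host 10.0.0.10 eq www
 deny ip any any log

! (b) Stateful inspection (CBAC). The inbound ACL admits only the published
! service; replies to outbound sessions are admitted through temporary
! openings that 'ip inspect' creates per flow and removes when the flow ends,
! so no blanket 'established' line is needed.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip access-list extended OUTSIDE_IN
 permit tcp any host 10.0.0.10 eq www
 deny ip any any log

interface Serial0
 description Link to ISP (assumed outside interface)
 ip access-group OUTSIDE_IN in
 ip inspect FW out
```

Only one of the two inbound lists would be bound to the interface in practice; (a) is included so the difference is visible. With (b), the router is tracking per-session state in software on its main CPU, which is the cost the earlier message alludes to when it says router memory and processing handle this less efficiently than a purpose-built stateful firewall.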

-----Original Message-----
From: Phil Kramer [mailto:pkramer@2st.net]
Sent: Friday, September 28, 2001 11:23 PM
To: security-basics@securityfocus.com
Subject: Re: Hardware Firewall vs Software Firewall

My personal opinion is not hardware vs software, but what firewall is most
secure. You can talk about PIX, CheckPoint, Linux with IPtables, IPchains
and IPfilters but from a security point of view a pure application proxy is
more secure. How many people can notice a 20 ms pause? If you want speed
get a router with ACLs, that's what PIX is. All these stateful
inspection/packet filter technologies work at too low a level (layers 2-4) to
provide enterprise security. For web servers, mail servers etc. you need
layer 7 checking.

Phil Kramer, SANS GSEC
Systems Solutions Technologies, LLC
Phone: 615-646-5766
email: pkramer@2st.net
