Re: Un-Hackable Hardware Firewall???

From: Jeff Cochran (jcochran.nospam_at_naplesgov.com)
Date: 05/12/04

    Date: Wed, 12 May 2004 19:36:32 GMT


    >A disadvantage of h/w firewalls is that there is usually no automatic
    >software update mechanism integrated (I am not aware of any, though there
    >no doubt is one somewhere). OS-based s/w firewalls can readily be
    >administered, patched, and updated. Certainly h/w f/w's using upgradable
    >firmware can too, but usually someone has to manually check the f/w
    >firmware for upgrades.
    >
    >So, what happens with a h/w firewall when an alert is raised? People readily
    >listen for OS alerts, but what about firmware upgrades for h/w firewalls?
    >More often people are deaf to this responsibility.

    Every hardware firewall I've dealt with has firmware upgrades, and has
    a support email list. Any admin worth the designation would be
    checking these updates. In addition, most admins wouldn't allow
    automatic updates on a software-based system without a chance to
    intervene, since a flawed update can be a disaster.

    The most basic flaw in your analogy, though, is that firewall software
    rarely has any automatic update feature. The underlying OS might, but
    when was the last time your Kerio, ZoneAlarm, ISS, Firewall-1 or
    whatever updated itself?

    >Add to this the attitude that the h/w f/w device is an appliance and that
    >the manufacturer may not readily admit to exploits and so feel a
    >responsibility to produce firmware upgrades, and in some cases you either
    >have a very slow patch process or a vendor that is not as responsible as
    >they should be. One major (at least) well-known h/w firewall vendor was
    >horrifically slow in producing a firmware upgrade last year as the result of
    >an exploit.

    Any such manufacturer is usually quickly out of business. Of course,
    many of the exploits of operating systems are due to code which has
    existed unchanged for years, so this isn't a comparison item.

    Keep in mind the major advantage of hardware firewalls: Proprietary
    operating systems with limited functionality to exploit and extremely
    tough for most to disassemble to find flaws. The majority of software
    firewalls are compromised due to a misconfiguration or fault in the
    underlying operating system.

    And as always, a poor admin can make any firewall, hardware or
    software, extremely insecure.

    Jeff
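The thread turns on a process point: appliance firmware does not update itself, so someone has to compare what each box is running against the vendor's fixed release and notice when that check has been neglected. The script below is an added example (not from the original thread or any vendor's tooling) of that review step. Its device models, firmware strings, advisory table and review dates are constructed sample data; the `ExampleFW-*` model names are hypothetical. It deliberately only reports, so the admin keeps the chance to intervene before anything is applied.

```python
"""
Firmware-review check for an inventory of hardware firewalls.

Added example, not from the original thread. Models, versions, advisory
entries and review dates are constructed; a real deployment would read
its inventory and the vendor's fixed-version list from its own records.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    firmware: str
    last_reviewed: date  # when someone last checked the vendor list for this box


def parse_version(version: str) -> tuple:
    """Turn vendor strings like '6.3(4)' or '4.1.2-p1' into a comparable tuple."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return parts


# Hypothetical advisory table: model -> first firmware release that fixes the issue
ADVISORIES = {
    "ExampleFW-100": "6.3(4)",
    "ExampleFW-200": "4.2.0",
}

# Constructed inventory of appliances and when each was last reviewed
INVENTORY = [
    Device("fw-edge-1", "ExampleFW-100", "6.3(2)", date(2004, 4, 1)),
    Device("fw-edge-2", "ExampleFW-100", "6.3(4)", date(2004, 5, 10)),
    Device("fw-dmz-1", "ExampleFW-200", "4.1.9", date(2004, 1, 15)),
    Device("fw-lab-1", "ExampleFW-300", "1.0.0", date(2004, 5, 1)),  # no advisory known
]

# Constructed "today" so the staleness check is reproducible
TODAY = date(2004, 5, 12)


def vulnerable_devices(inventory, advisories):
    """Devices running firmware older than the fixed release for their model."""
    hits = []
    for d in inventory:
        fixed = advisories.get(d.model)
        if fixed is None:
            continue  # no published fix to compare against
        if parse_version(d.firmware) < parse_version(fixed):
            hits.append((d.name, d.firmware, fixed))
    return hits


def stale_reviews(inventory, today, max_age_days=30):
    """Devices nobody has checked against the vendor's update list recently."""
    return [d.name for d in inventory if (today - d.last_reviewed).days > max_age_days]


if __name__ == "__main__":
    for name, running, fixed in vulnerable_devices(INVENTORY, ADVISORIES):
        print(f"{name}: running {running}, fixed in {fixed} -- schedule upgrade")
    for name in stale_reviews(INVENTORY, TODAY):
        print(f"{name}: firmware not reviewed in over 30 days")
```

The version comparison works on the numeric components only, which is enough for the release-string formats shown; a vendor with a different scheme needs its own `parse_version`. The staleness report is the part that addresses the "deaf to this responsibility" complaint: a device can be fully patched today and still show up because nobody has looked at it in a month.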
