Security Basics mailing list archives
RE: Software/Hardware Firewall
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 17 Apr 2003 11:51:01 -0700
One of the problems with the "hardware vs. software firewall" debate (which rears its head on a regular basis) is that the distinction is rarely clearly understood by those posing the question (and often also by those attempting to answer it!). There are at least three distinctions that may be drawn between different firewall implementations that *might* appear to be "hardware vs. software":

1. Firewall applications that run purely in software (e.g., FW-1, PIX, etc.) versus those that offload some tasks to custom ASIC silicon (as (some of?) NetScreen's products (claim to) do). This is the version of the question you've attempted to answer here, although some of NetScreen's claims appear to dispute the answer you've offered. (Clearly *some* of NetScreen's functionality is implemented in updatable firmware/software, so I do not know of any PURE hardware solutions.)

   Part of the power of digital technology is that functions which would be quite challenging to implement purely in hardware can often be implemented much less expensively in software. (In absolute terms, the software implementation is rarely as fast as specialized hardware could be, but as long as it's fast *enough*, the cost saving tends to win.) So this variation of the question is rarely very interesting to discuss.

2. "Desktop firewall applications" that run directly on the host, as opposed to firewall boxes in the network which function as routers (or, occasionally, bridges). I.e., should the firewall process run on its own box ("dedicated hardware")?

   There are really two parts to this question. Protecting each machine individually seems to work well in home or individual-user environments, but does not scale well to networks of thousands of machines. So in most cases the environment of use dictates whether this is an acceptable solution or not. The other piece of this question, though, is a specific case of a third general interpretation of the "hardware vs. software" question....

3. Firewall applications that run on top of a general-purpose OS and hardware (e.g., CheckPoint FW-1 on Solaris, Windows, or Linux) versus firewall applications preinstalled with a custom OS on possibly custom hardware (e.g., PIX, FW-1 on Nokia or switch blades, etc.). I.e., do you buy/license the firewall as software to run on standard hardware/OS you provide, or as a preconfigured hardened box ("piece of hardware")? Desktop firewall applications (see 2) always fall into the first of these alternatives, but with dedicated hardware you have a choice.

   Specialized hardware and OS platforms are expensive for several reasons. They require the firewall manufacturer to engage in (and excel at!) a wider variety of tasks than a software-only approach, and manufacturing costs cannot be recouped using economies of scale because the market is rather limited. On the other hand, a firewall implementation that relies on general-purpose hardware and OS support may inherit vulnerabilities from those components that the firewall vendor may not be able to anticipate, or to fix.

THIS is where you get into an interesting set of trade-offs, where differences in manufacturer quality and customer priorities can lead to very different recommendations for networks of similar size and topology.

David Gillett
-----Original Message-----
From: thedistance [mailto:thedistance () 1thedistance com]
Sent: April 17, 2003 10:22
To: jpastore () idetech net
Cc: security-basics () securityfocus com
Subject: Re: Software/Hardware Firewall

Actually, correct me if I'm wrong, but all firewalls are software. It's just that some are packaged with specific hardware packages. This is true for Cisco Pix, Netscreen, and I believe the Watch Guard as well as others. The only difference is that the software is customized for specific hardware and the software has limited interaction with the end user. A hardware firewall would be a dangerous beast since once an exploit is found you would have to purchase a new device or send it in to be refitted. I believe the differences are more clearly expressed in terms of "Prepackaged Firewall" and "Build your own Firewall".

td

On 4/16/03 2:43 PM, "Jon Pastore" <jpastore () idetech net> wrote:

> I've never cared hardware versus software, as long as the job got done. I mean technically you would have less problems with hardware (someone's going to flame me for that). The reason I say this is I have a Dell server using iptables with 2 NICs and you would think everything would be fine... well, the driver that kudzu picked was deprecated by Red Hat and I had this problem where something got overflowed or hung... whatever... and iptables said "I can't deal with this, let the packets FLOW"... all goes back to this deprecated driver... if it's deprecated, remove it... I understand leaving in nslookup, but drivers? Come on, that was a potential bad problem that we were lucky we found first... Anyway we're purchasing a Watch Guard Firebox 1000; this thing seems pretty kewl...
>
> Jon Pastore, President
> IDE Tech, Inc.
> (954) 360-0393 Office
> (954) 428-0442 Fax

--
thedistance

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hands-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place.
http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------
Current thread:
- Software/Hardware Firewall D K (Apr 15)
- RE: Software/Hardware Firewall Jon Pastore (Apr 17)
- Re: Software/Hardware Firewall thedistance (Apr 17)
- RE: Software/Hardware Firewall Jon Pastore (Apr 17)
- RE: Software/Hardware Firewall David Gillett (Apr 17)
- Re: Software/Hardware Firewall thedistance (Apr 17)
- <Possible follow-ups>
- Re: Software/Hardware Firewall D K (Apr 21)
- RE: Software/Hardware Firewall Jon Pastore (Apr 17)